Approximately $63 million in Tornado Cash deposits have been linked to the $282 million cryptocurrency wallet compromise of January 10.
Blockchain security company CertiK said in a Monday X post that its monitoring systems identified Tornado Cash interactions related to the exploit.
The update expands on the money laundering mechanics following the January 10 theft, which multiple crypto investigators have been tracking because of the amount lost and the speed with which the funds were moved.

CertiK diagram shows the laundering path
According to CertiK’s analysis, some of the stolen Bitcoin (BTC) was bridged to Ethereum, converted to Ether and then distributed to several addresses.
CertiK found that at least 686 BTC were bridged to Ethereum using cross-chain swaps, resulting in 19,600 ETH being received by a single Ethereum address.
The funds were then split into multiple wallets, with a few hundred ETH sent onward from each address before entering Tornado Cash, a privacy-focused mixing protocol.
The figure of $63 million represents only a fraction of the total amount lost. However, the movement of funds shows how the attacker worked to cover his tracks after the initial on-chain transfers during the exploit.
Chances of recovery drop to “near zero” after entering the mixers
The movements of funds seen in the January 10 compromise reflect established money laundering practices, according to Marwan Hachem, CEO of blockchain security firm FearsOff.
“This flow pretty closely follows classic large-scale money laundering practices, especially for on-chain thefts involving BTC and LTC,” Hachem told Cointelegraph.
He said that using THORswap for Bitcoin-to-Ether conversions and subsequently splitting the funds into approximately 400 ETH chunks before entering the mixer is “textbook” because these steps help reduce attention and make recovery after mixing significantly more difficult.
“Tornado Cash is a major traceability switch,” he said, adding that the chances of recovery “drop to almost zero” in most cases once funds enter the mixer.
According to Hachem, mitigation options after mixer deposits are limited and increasingly unreliable.
A social engineering attack turns into a compromise of the seed phrase
As previously reported by Cointelegraph, the January 10th heist was linked to a social engineering attack that tricked the victim into revealing the seed phrase.
Blockchain researcher ZachXBT said the attacker impersonated the wallet’s support staff, gaining complete control over the victim’s holdings. The compromised wallet contained about 1,459 BTC and more than 2 million Litecoin (LTC).
Parts of the stolen assets have also been swapped into privacy-focused digital assets.
Security firm ZeroShadow previously said about $700,000 in stolen funds had been flagged and frozen early in the laundering process, although the vast majority of assets had been moved out of reach.
