What are coin mixers, and how are they used in high-profile hacks?

Crypto mixers, or tumblers, are basically smart contracts used to hide the origin of crypto transactions. Hackers send their cryptocurrency to a mixer’s address. The mixer blends the crypto with coins sent by other users, thereby concealing the identity of each contributor. Subsequently, the mixer redistributes the coins, effectively obscuring their original source.

For example, if 10 users each mix 1 Ether (ETH), they each contribute and receive different ETH. The mixers’ ability to conceal funds has a dual nature: Hackers use them to hide stolen funds, while others enhance financial privacy, protecting against surveillance. Despite their controversial use, mixers remain a tool for those seeking greater crypto anonymity

Hackers frequently combine crypto mixing with other laundering techniques such as decentralized exchange (DEX) trading, peel chains and crypto bridging. DEX trading involves directly exchanging cryptocurrencies between users on a DEX, eliminating the need for a central authority. A peel chain is a type of multi-wallet transfer where the hackers send increasingly smaller amounts across each hop instead of large amounts.

In a brazen display of their sophisticated laundering capabilities, North Korea’s Lazarus Group executed a complex operation involving the theft and subsequent obfuscation of $1.46 billion in cryptocurrency mere days following the high-profile Bybit hack. 

Using coin mixers and the decentralized crosschain protocol THORChain, North Korea’s Lazarus Group laundered the stolen funds just days after the hack. 

This incident is not an isolated case. In 2024 alone, Pyongyang-based hackers have reportedly stolen $800 million in crypto. The stolen funds were rapidly funneled through crypto mixers, intermediary wallets, DEXs and crosschain bridges using advanced laundering tactics.

North Korean hackers have been responsible for over $5 billion in stolen crypto since 2017, utilizing platforms like Ren Bridge and Avalanche Bridge, often converting funds into Bitcoin (BTC) before employing mixers such as Tornado Cash, Sinbad, YoMix, Wasabi Wallet and CryptoMixer​. 

Notable crypto hacks by Lazarus Group include WazirX (July 2024), State.com (September 2023), CoinsPaid and Alphapo (July 2023), Harmony Horizon Bridge (June 2022) and Ronin Bridge (March 2022), among others.

Did you know? Fraudulent organizations like the Lazarus Group are suspected of running private mixers. Attributing wallets to these mixers requires careful consideration, as it carries a significant risk of wrongly identifying individuals who use them for legitimate privacy or are otherwise uninvolved.

What are crosschain bridges, and why do hackers use them to launder stolen funds?

Hackers leverage crosschain bridges to facilitate verifiable data transfers across networks, thereby enabling interoperability, often without reliance on a centralized intermediary. Through the lock-mint methodology, these crypto bridges secure the original token in a smart contract and subsequently mint a corresponding wrapped version on the target blockchain.

For instance, when transferring an asset from Ethereum to Solana, the asset is first sent to a bridge contract on Ethereum, where it is “locked.” The bridge then notifies Solana, which creates a “wrapped” version of the asset, allowing it to function on the Solana network as a native coin.

To reverse the process, the wrapped asset is “burned” on Solana. The bridge then notifies the Ethereum blockchain to unlock the original asset, maintaining supply balance across both chains.

Hackers exploit vulnerabilities within these bridge transactions. They identify weaknesses that allow the creation of wrapped assets on the target chain without the corresponding locking of original assets on the source chain. 

They can also manipulate the system to unlock original assets without the required burning of wrapped versions. This allows for the theft of funds without a legitimate deposit. Here’s how it works:

• False deposit events: A common tactic hackers use is triggering false deposit events. Crypto bridges typically monitor blockchains for deposit confirmations before issuing corresponding tokens on another chain. Hackers trick the system by creating fake deposit events or using worthless tokens. An example of such an attack is the Qubit hack, where the hackers created false deposit events using a legacy function in the code.
• Validator takeover: Another method is validator takeover, which targets bridges relying on validator consensus for transaction approval. If hackers gain control of most validators, they can authorize malicious transfers. In the Ronin Network hack, attackers seized five out of nine validators, enabling them to move funds undetected.
• Fake deposits: Hackers can exploit vulnerabilities in deposit validation mechanisms. If they can forge a deposit through the validation process, they can withdraw funds fraudulently. A $320-million loss in the Wormhole attack resulted from a digital signature validation process flaw.

Did you know? Often, crypto bridges are susceptible to attacks because of inadequate engineering. In the Harmony Horizon Bridge hack, the ease with which hackers compromised two out of five validator accounts, gaining access to funds, highlights this vulnerability.

Hackers’ playbook: Typical process of laundering stolen funds

Hackers use crypto bridges to hide the origin of funds, thereby increasing anonymity. The hackers use crypto bridges for money laundering in three key stages: placement, layering and integration. 

Here is a brief description of how crypto hackers launder stolen funds:

• Placement: In the placement stage, the criminals introduce illicit funds into the financial system. They break large amounts into smaller transactions to avoid detection. Then they use these funds to purchase cryptocurrencies, more often through intermediaries, making it harder for law enforcement to trace their origins.
• Layering: Hackers move funds across multiple transactions to obscure their source. Some exchanges enforce strict Anti-Money Laundering (AML) measures, while others operate with little oversight. Hackers take advantage of the latter, using decentralized or loosely regulated platforms to move funds across chains.
• Integration: In this stage, criminals reintroduce laundered funds into the legitimate economy. By this time, the crypto has been cycled through various platforms and is no longer directly tied to criminal activity. Criminals may cash out through fiat off-ramps, use it for seemingly legal transactions, or reinvest in assets like real estate. 

Did you know? The inherent lack of interoperability between blockchains creates fragmented data, making it difficult to monitor crosschain activity. This lack of shared information hinders comprehensive activity tracking.

How did the Lazarus Group launder stolen crypto from Bybit?

Lazarus combined classic money-laundering tricks with modern DeFi and crosschain swaps, making this one of the most complex laundering cases in crypto history. Investigators have managed to freeze over $42 million, but the majority of the funds have already been hidden or converted into fiat via underground channels.

Total amount stolen and asset breakdown

Bybit’s losses in the hack totaled roughly $1.46 billion. The stolen assets were primarily Ether and Ethereum-based tokens, including:

• 401,347 Ether (ETH): worth approx. $1.12 billion​
• 90,376 Lido Staked Ether (stETH): worth ~$253 million
• 15,000 cmETH (a form of staked/pooled ETH): worth ~$44 million
• 8,000 mETH (another wrapped ETH derivative): worth ~$23 million​

In total, about 401,000 Ether (ETH) and 90,000 Lido Staked Ether (stETH) (plus smaller ETH-derivative tokens) were taken, which the hackers immediately consolidated and converted. According to Nansen’s analysis, the attackers swapped all non-ETH tokens (stETH, cmETH, mETH) into plain ETH soon after the breach​. This gave the hackers full control over ETH, a native asset that cannot be easily frozen by any central issuer​. The entire loot was then funneled into the attackers’ wallets for laundering.

Laundering methods used

Lazarus Group used a multi-layered strategy to hide and cash out the $1.46 billion stolen from Bybit. Their methods included:

• Splitting and dispersing funds: Right after the hack, they split 401,000 ETH into 50 wallets to make tracking harder. This tactic of spreading out funds (roughly $27 million per wallet) is designed to complicate tracking by diluting the honeypot. Over the next day, those 50 wallets were systematically emptied as Lazarus began moving the ETH into further layers of addresses and services.
• Swapping tokens via DEXs: They converted stETH, cmETH and mETH into ETH using DEXs (likely using platforms like Uniswap or Curve).
• Crosschain bridges: They used Chainflip and THORChain to swap ETH into BTC and move funds across chains. Approximately 361,000 ETH (over $900 million) was converted into BTC and distributed across 6,954 Bitcoin addresses (averaging ~1.7 BTC per address) to further break the trail.
• Mixers and no-KYC exchanges: They used Tornado Cash alternatives, non-Know Your Customer (KYC) swap services like eXch, and onchain coin swaps to obscure transactions. Elliptic identified eXch as a “major and willing facilitator” in this laundering operation: Over $75 million in Bybit hack proceeds were swapped through eXch within days​. Because eXch lets users convert ETH into other cryptocurrencies, like BTC or even privacy coins such as Monero (XMR), with no traceable linkage, any funds passing through it often go dark.
• DeFi platforms and DEX launchpads: The Pump.fun launchpad/DEX on Solana became unintentionally involved in a money-laundering operation when hackers used it to launch the QinShihuang token. The platform’s lack of preventive filters allowed hackers to create tokens and pair them with liquidity. This creative technique effectively “mixed” $26 million without using a traditional mixer. Once the scheme was discovered, Pump.fun’s developers swiftly intervened, blocking the token on their front-end UI to halt further trades. While other DeFi platforms like Uniswap and PancakeSwap also facilitated the token swaps, they weren’t complicit in the laundering.
• OTC and P2P networks: While not explicitly named in public reports, it’s strongly suspected that unregulated over-the-counter (OTC) brokers and peer-to-peer (P2P) trading networks were involved in the final conversion of these stolen funds to cash. Lazarus has historically relied on Chinese and Russian OTC desks to convert crypto to fiat (for example, selling BTC for Chinese yuan in cash)​.

Did you know? Of the stolen crypto, exchanges have frozen $42.8 million worth of funds, but the North Korean threat actor has laundered all of the stolen 499,395 ETH, primarily through THORChain.

How do investigators uncover crosschain crypto fraud?

To address crosschain fraud involving coin mixing, investigators follow a holistic approach and use specialized tools to track illicit transactions. This is different from legacy explorers that only focus on single-chain analytics. 

The following example will help you understand how crosschain crypto fraud tools help investigators. Suppose a spyware group extorts funds in Bitcoin and moves them to Ethereum via a crosschain bridge. Instead of cashing out, they swap the funds for a privacy coin using a DEX. Traditional tools require law enforcement to track each step manually, causing delays and errors. 

With automated crosschain tracking, investigators can trace transactions in one interface, identify the DEX used, and contact exchanges quickly. This accelerates investigations and improves the chances of recovering stolen assets. 

Notable features of such crosschain investigative tools, such as those offered by Elliptic and Chainalysis:

• Crosschain hopping detection: It flags instances where criminals transfer funds between blockchains to evade detection. By mapping these transactions, investigators can maintain a comprehensive view of the laundering trail.
• Attribution and entity identification: The capability of linking addresses to known entities, such as exchanges or DeFi platforms, helps law enforcement determine where stolen funds may have been processed.
• Automated investigation board: An automated investigation board simplifies the process by visualizing connections between multiple addresses across different chains. This enables investigators to quickly identify laundering patterns and trace the movement of illicit funds.
• VASP directory integration: For cases where illicit funds reach centralized exchanges (CEXs), virtual asset service providers (VASPs) directory integration allows investigators to contact exchanges, request account information, or freeze assets before they are fully laundered.

Now, let’s find out how investigators attempt to catch perpetrators using such tools. Several ways they use include:

• Blockchain analysis: Investigators meticulously trace the flow of funds across various blockchains like Ethereum, BNB Smart Chain, Arbitrum and Polygon. This involves analyzing transaction histories, identifying patterns and mapping the movement of assets through different wallets and exchanges.
• Following the money trail: Even with the anonymity provided by mixers and crosschain transactions, investigators attempt to follow the money trail by tracing funds to CEXs where they might be converted to fiat currency. This often involves working with international law enforcement agencies to track funds across borders.
• Crosschain bridge monitoring: Investigators monitor bridge transactions for anomalies, such as unusually large transfers or suspicious patterns. They examine the smart contract code of bridges for vulnerabilities that could be exploited by hackers.
• Analyzing onchain and offchain data: Investigators analyze both onchain (blockchain) and offchain (layer 2s, social media, forums, dark web) data to gather intelligence about potential fraud. This can include monitoring discussions about exploits, vulnerabilities and potential scams.
• Forensic analysis: When devices are seized from suspects, forensic teams can analyze the devices for crypto wallets, transaction history and other evidence.

Other real-world cases of crypto laundering

Here are two real-world examples of crypto laundering. The DMM hack demonstrates the use of crypto mixers for hiding the origin of funds, while the XT.com hack shows how hackers used crypto bridges for laundering funds.

DMM hack

The DMM hack in May 2024 demonstrated how hackers use several obfuscation techniques to disguise their act. In May 2024, Japanese crypto exchange DMM suffered a massive hack, losing 4,502 BTC, worth $305 million at the time. The hackers used sophisticated laundering methods, including peel chains and coin mixers, to hide the transaction trail. 

The hackers also manipulated withdrawal timing to further disrupt blockchain analysis. They deliberately delayed withdrawals to add another layer of obfuscation, hindering attempts by investigators to match deposits and withdrawals by their time stamps.

XT.com hack

In November 2024, crypto exchange XT.com experienced a security breach resulting in the loss of $1.7 million. Attackers initially targeted assets on the Optimism and Polygon networks, subsequently utilizing crosschain bridges to transfer the stolen funds to Ethereum. 

This tactic of moving assets across multiple blockchains exploited the complexities inherent in tracking funds across diverse networks, thereby hindering investigative efforts. Such crosschain maneuvers underscore the challenges faced by security teams in tracking and recovering illicitly obtained digital assets.

Regulatory challenges and law enforcement efforts regarding crypto mixers

Crypto mixers, designed to obscure transaction trails, have increasingly drawn regulatory scrutiny due to their role in laundering illicit funds. The Office of Foreign Assets Control (OFAC) has sanctioned multiple mixers linked to cybercrime and national security threats in the US. 

Blender.io became the first-ever sanctioned mixer in 2022 after laundering $20.5 million from the Axie Infinity hack. Despite its shutdown, it resurfaced as Sinbad.io, which was sanctioned within a year for facilitating money laundering in high-profile hacks, including the Atomic Wallet and Horizon Bridge breaches.

Tornado Cash, a non-custodial Ethereum-based mixer launched in 2019 by Alexey Pertsev and Roman Storm, was sanctioned by the US Treasury in 2022. However, a court overturned the sanctions in a January 2022 ruling. Pertsev was sentenced to five years and four months in prison for laundering by Dutch judges. 

The Financial Crimes Enforcement Network (FinCEN) classifies mixers as money transmitters, requiring compliance with AML laws. The US Department of Justice has aggressively pursued offenders, notably sanctioning Tornado Cash for laundering over $7 billion. Despite such measures, the evolving nature of crypto mixers continues to challenge regulators and law enforcement agencies worldwide.

The Financial Action Task Force (FATF), an intergovernmental body to deter money laundering activities, has marked mixer usage as a red flag for illicit activities. The European Banking Authority and the Australian Transaction Reports and Analysis Centre have set up rules for reporting requirements. The Joint Money Laundering Steering Group, a private body of financial sector organizations, also issues guidelines for members for the prevention of money laundering.

However, enforcement faces challenges in holding developers accountable. Legal debates persist on whether developers should be liable if they did not directly aid laundering post-sanctioning.

The future of privacy vs. security in crypto

Crypto will need to find a delicate balance between privacy and security. While technologies like zero-knowledge (ZK) proofs will enable users to transact privately without compromising the blockchain’s integrity, they must also align with stricter AML regulations to ensure compliance while maintaining user anonymity.

While privacy advocates champion financial sovereignty and protection from surveillance, security proponents emphasize the need for transparency and regulatory compliance to maintain market integrity. 

This tension is likely to be navigated through technological advancements such as ZK-proofs, differential privacy and federated learning, which offer potential solutions for enhancing privacy without compromising security. Simultaneously, governments will continue to develop regulatory frameworks that seek to strike a balance, potentially through tiered approaches that offer varying levels of privacy. 

Ultimately, the path forward requires collaboration between developers, regulators and users to create a sustainable ecosystem that safeguards individual privacy while preventing illicit activities and fostering trust.