WazirX Hacker Starts to Move Stolen Ether Using Tornado Cash

• The hacker stole $230 million from WazirX and began transferring funds through Tornado Cash.

• The hacker started moving nearly $4 million worth of ether to obscure the transaction trail.

• WazirX is undergoing restructuring after the hack and customers are expected to recover only 55%-57% of their funds.

The hacker entity that stole over $230 million in user assets from Indian crypto exchange WazirX started to move funds using Tornado Cash early Tuesday, beginning a move that allows them to obfuscate the trail of funds.

Tornado Cash allows crypto users to exchange tokens while masking wallet addresses on various blockchains. The service, by itself, is not nefarious but is commonly used by crypto criminals to clean an online trail that could lead to the identity of those moving stolen funds.

The attacker moved nearly $4 million worth of ether (ETH) in 16 transactions on the Ethereum network, data tracked by Arkham shows, to a Tornado Cash router. The address holds over $155 million worth of various tokens – with a majority in ether at $150 million – and has previously not moved any funds to Tornado.

In July, WazirX was hit by a security breach in one of its multisig wallets, causing over $100 million in shiba inu (SHIB) and $52 million in ether, among other assets, drained from the exchange.

The stolen funds accounted for over 45% of the total reserves cited by the exchange in a June 2024 report – and the exchange has since filed for a restructuring process to clear liabilities.

WazirX’s legal advisers said on Monday that customers are unlikely to be made whole in crypto terms, with the best-case scenario being a return of anywhere between 55% and 57% of the funds.

North Korean hacking unit Lazarus is believed to be behind the attack, as previously reported. The group is estimated to have laundered over $1 billion in stolen funds through the service before OFAC sanctions in 2022, per estimates.