The WazirX crypto exchange hackers have nearly completed their efforts to launder the $230 million haul through coin mixer Tornado Cash, throwing a wrench into the efforts to recover funds for affected users.
Hackers have moved 15,000 ETH (nearly $40 million today) since Monday night across scores of transactions. The development followed the High Court of Singapore granting the Indian crypto exchange WazirX a four-month moratorium to restructure its liabilities following the midsummer hack of more than $230 million.
Last week, the wallet holding the funds sent some $33 million worth of Ethereum to Tornado Cash. Since then, the wallet has continued to move funds to other wallets, in many cases then continuing to run the coins through Tornado Cash, which makes them more difficult to track.
Arkham Intelligence data shows that the hacker’s main wallet still holds more than $6 million in multiple crypto assets, primarily Ethereum, according to on-chain data from Etherscan. The entity behind the hack moved about $57 million worth of assets over the last seven days.
Data shows that the known WazirX exploiter addresses have quickly dispersed the funds to addresses that are untracked by blockchain analytics platform Arkham Intelligence. This includes a total of 26 listed transactions to Tornado Cash addresses.
Tornado Cash is a decentralized cryptocurrency mixer that uses smart contracts to commingle cryptocurrencies, making it virtually impossible to trace funds back to their original source. It was sanctioned by the United States Treasury’s Office of Foreign Assets Control in 2022, making it illegal to use in the country.
Still, authorities have no tools, let alone legal jurisdiction, that would allow them to halt the operations of a decentralized system, and the notorious mixer had handled nearly $2 billion in 2024 through July.
The WazirX hack targeted a multisignature wallet, resulting in the loss of $97 million in meme coin Shiba Inu (SHIB) and $53 million in Ethereum, with other swiped assets pushing the total figure to $230 million. These stolen funds represent more than 45% of WazirX’s total reserves. The exchange has since initiated a restructuring process to address its liabilities.
WazirX founder Nischal Shetty has attributed the breach to various parties during this period. Initially, he blamed custodian Liminal for the security lapse, which Liminal denied. In August, Shetty alleged that Binance held the majority of WazirX parent Zettai Labs’ funds, limiting their ability to compensate affected customers. Binance refuted these claims soon thereafter.
Some analysts believe that North Korea-sponsored actors such as Lazarus Group pulled off the heist.
Jeremiah O’Connor, CTO and co-founder of crypto cybersecurity firm Trugard and former principal investigations scientist at Binance and Coinbase, told Decrypt that “while significant progress has been made in de-mixing transactions, the recovery of stolen funds remains exceptionally challenging, especially when dealing with groups such as Lazarus.”
Groups like Lazarus “leverage networks of foreign operators and employ state-backed protection to facilitate the movement of funds, greatly reducing the likelihood of successful asset recovery,” he added.
Anoop Nannra, Trugard’s CEO, added that “investigators will have a challenging time trying to decipher which of the receiving wallets are actually part of the hack and which are simply innocent bystanders.”
Meanwhile, with legal procedures stalled, Indian users have limited options for recovering their losses.
“I personally know of a victim who is both a customer and an investor in WazirX,” said Nannra, “and he is slowly coming to the conclusion that he will not ever see his funds.”
Edited by Andrew Hayward and Josh Quittner