Hackers Launder $21 Million Stolen From Crypto.com Using Ethereum ‘Mixer’

Hackers Launder $21 Million Stolen From Crypto.com Using Ethereum ‘Mixer’
Photo: Jakub Porzycki, Getty Images

Hackers who made off with roughly $US15 (A$21) million in ethereum from Crypto.com are attempting to launder the funds through a so-called ethereum “mixer,” known as Tornado Cash, according to a new report from crypto security company Peck Shield. Mixers run interference on the blockchain to make it difficult for outsiders to track where stolen funds might end up.

Crypto.com halted all withdrawals from the platform for 14 hours on Monday and made users reset their two-factor authentication after “unauthorised activity” was detected on the network. But CEO Kris Marszalek insisted that all funds were “safe,” without admitting the company had been hacked.

The laundering attempt, first reported by CoinDesk, is visible on the Ethereum blockchain through the service Etherscan. The hackers sent 334 transactions to Tornado Cash on Monday night ET. It’s not clear where the money ultimately landed. At least not yet.

The nature of decentralized finance (DeFi) on the blockchain means that it’s relatively easy to see when money is moving from one crypto wallet to another, even if you don’t know who owns the wallets. But services like Tornado Cash are marketed as a way to confuse the public ledger of a given blockchain, in this case Ethereum, as a way to throw people off the trail and protect the user’s privacy.

Other crypto “mixers” have been shut down in recent years. Bestmixer halted operations in 2019 after a visit from European police who alleged it laundered roughly $US200 (A$278) million in bitcoin, and Larry Dean Harmon, who ran the mixer Helix, was raided by the FBI in 2021. Harmon pleaded guilty in August to laundering $US300 (A$416) million in crypto.

Crypto.com did not respond to a request for comment overnight about the hack, previously stating publicly on Tuesday that “all funds are safe.” But there’s a big difference between not getting hacked (something Crypto.com keeps suggesting with its confusing choice of words in public statements) and getting hacked but topping up the customer accounts that lost money. The latter seems to be the case here, but Crypto.com won’t admit it, likely out of fear that bad publicity about poor security practices in the crypto space leads to plummeting prices for cryptocurrencies.

The crypto community has already had a start to the year, with bitcoin down 37% over the past three months. Bitcoin is currently trading at $US41,347 (A$57,398), down considerably from an all-time high of over $US68,000 (A$94,398) on November 9, 2021. Ethereum is currently trading at $US3,066 (A$4,256), down from $US4,806 (A$6,672) on November 9.

While services like Tornado Cash, which boasts its own crypto coin called TORN, make it more difficult to track where funds are being routed, it’s probably not impossible for people who are adept at following the money. In fact, there’s speculation from experts that any transactions currently taking place with Tornado Cash could be audited in the future.

“I won’t be surprised if there is a paper at the Financial Cryptography 2023 conference showing that 85% of tornado usage was not private; not because the cryptography is broken, but because it is really hard for mere mortals to use something like tornado (or CoinJoin or other similar technologies) in a way that doesn’t leak information about their wallet,” crypto expert Gavin Andresen wrote back in January of 2020.

“The tornado developers wrote an article with tips to help maintain privacy, but I think 62% of their users won’t read it and another 25% will read it and then immediately do something the article says you shouldn’t do,” Andresen continued.

It’s entirely possible that the hackers who made off with about $US15 (A$21) million in ether will get away with it all. But they wouldn’t be the first. Hackers stole an estimated $US3.2 (A$4) billion in crypto during 2021, according to Chainalysis. But that number still pales in comparison to cryptocurrency scams, which raked in roughly $US7.8 (A$11) billion in 2021.

Hackers might be taking a lot of money by forcing their way into the bank vaults. But it’s often more profitable to just come in through the front door, look like a reputable cryptocurrency project, and ultimately rug pull.