Coinfirm’s Investigation Into Tornado Cash’s Ronin, Harmony and Nomad Bridge Fund Flows


Coinfirm’s Regulatory Affairs has done a deep dive into the Office of Foreign Assets Control (OFAC) sanctions implications on Tornado Cash. To view that analysis, go here.

OFAC disclosed that since Tornado Cash was created in 2019, more than $7 billion worth of virtual currency was laundered through it. Part of the funds apparently came from the Ronin Network hack on March 23, 2022, the June 24, 2022 Harmony Bridge Heist and the August 2nd, 2022 Nomad Heist. The perpetrator behind the Ronin and Harmony hacks was Lazarus Group, a North Korean hacking group sanctioned by OFAC in 2019.

Coinfirm has conducted an internal investigation tracing the flow of illicit funds stemming from the Ronin, Harmony and Nomad Bridge hacks, to identify if the funds were sent directly from the perpetrators’ addresses used in the hacks or if there was an added level of layering. Results show that:

1. In the Ronin hack, over $552 million was stolen (173,600 ETH & 25,500,000 USDC). The USDC tokens were sent to two addresses to be swapped to ETH, then sent back to the main hacker’s address.

No transactions were sent directly from the hacker’s address to Tornado Cash; layering addresses were used instead. In the first stage, funds were sent to 23 unique addresses, from which they were moved:

  • either directly to Tornado Cash (2 hops away) – $92,658,307.00 reached the mixer at this stage
  • or through other layering addresses (3 or more hops away) – $362,870,718 reached the mixer in 3 hops

The amounts that reached Tornado Cash represent 96.12% of the stolen funds in the Ronin hack.

The graph below represents the flow of funds obtained by the hacker in the Ronin hack. The addresses are colored as follows:

  • Red: the hacker’s address, used to collect the funds
  • Yellow: the hacked entity’s address
  • Black: the addresses used to swap USDC tokens to ETH
  • Dark green: addresses 1 hop away from the hacker’s address that received funds from the hack
  • Bright green: addresses 2 or more hops away from the hacker’s address that received funds from the hack and redirected them to Tornado Cash

The left side of the graph shows other entities, 2 or more hops away from the hacker’s address, that received funds from the hack.

[Figure: Ronin Hack]

2. In the Harmony heist, ETH and various tokens were stolen, some of which were later exchanged to ETH and sent to 5 unique addresses. No funds were sent directly to Tornado Cash. Various addresses were used in an attempt to hide the origin of the funds, which reached the mixer in 3 hops. $95,265,127.00 was sent to Tornado Cash, representing 99.81% of the stolen amount.

3. In the Nomad Bridge exploit, 558 addresses belonging to hackers stole various tokens.

  • 27 addresses sent $7,000,000 directly to Tornado Cash, representing 3.73% of all stolen funds.
  • 8 addresses (white hat hackers) sent all of the funds back to the Nomad recovery address.
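The hop counts and percentages reported above come from measuring how far each mixer deposit sits from the hacker's address. The sketch below is an added example, not Coinfirm's code or methodology: it runs a breadth-first search over a constructed transfer list and groups mixer deposits by hop count. The address labels and amounts are made up, and it assumes every address reachable from the hacker holds only hack-derived funds.

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver, amount in USD); not real data.
TRANSFERS = [
    ("hacker", "layer_a", 400.0),
    ("hacker", "layer_b", 600.0),
    ("layer_a", "mixer", 400.0),     # reaches the mixer 2 hops from the hacker
    ("layer_b", "layer_c", 580.0),
    ("layer_c", "mixer", 560.0),     # reaches the mixer 3 hops from the hacker
    ("layer_b", "exchange", 20.0),   # funds that went somewhere other than the mixer
    ("unrelated", "mixer", 999.0),   # not reachable from the hacker, must be ignored
]

def hop_distances(transfers, source, mixer):
    """Breadth-first search: fewest transfers from source to each address."""
    out = defaultdict(set)
    for sender, receiver, _ in transfers:
        out[sender].add(receiver)
    dist = {source: 0}
    queue = deque([source])
    while queue:
        addr = queue.popleft()
        if addr == mixer:            # the trail cannot be followed through the mixer
            continue
        for nxt in out[addr]:
            if nxt not in dist:
                dist[nxt] = dist[addr] + 1
                queue.append(nxt)
    return dist

def mixer_inflow_by_hops(transfers, source, mixer):
    """Sum deposits into the mixer, keyed by hop count from the source address."""
    dist = hop_distances(transfers, source, mixer)
    inflow = defaultdict(float)
    for sender, receiver, amount in transfers:
        if receiver == mixer and sender in dist:
            inflow[dist[sender] + 1] += amount
    return dict(inflow)

def share_reaching_mixer(transfers, source, mixer, stolen_total):
    """Percentage of the stolen total that was deposited into the mixer."""
    total = sum(mixer_inflow_by_hops(transfers, source, mixer).values())
    return round(100.0 * total / stolen_total, 2)

if __name__ == "__main__":
    print(mixer_inflow_by_hops(TRANSFERS, "hacker", "mixer"))
    print(share_reaching_mixer(TRANSFERS, "hacker", "mixer", 1000.0))
```

In real tracing the single-source assumption rarely holds, so per-address taint accounting is needed before the per-hop sums can be read as stolen funds.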

In conclusion, Coinfirm’s investigation results confirm OFAC’s findings that led to Tornado Cash being added to the SDN list.
