Key Highlights
- Roughly 1,400–1,500 ETH linked to the Upbit hack has been sent to Tornado Cash.
- The attacker-controlled wallet shows a “severe” AML risk score tied to theft-related activity.
- The fund movements come weeks after Upbit shifted around 99% of assets to cold storage.
An attacker behind the recent breach at Upbit, South Korea's largest cryptocurrency exchange, began laundering stolen funds on January 8, routing roughly 1,500 Ethereum (ETH) through Tornado Cash, an Ethereum-based privacy mixer that breaks the on-chain link between deposits and withdrawals, according to on-chain analysts.
Having earlier bridged the assets onto Ethereum, where the attacker's holdings were estimated near $19 million, the attacker now appears to be trying to sever traceability, complicating efforts by investigators and exchanges to track or freeze the funds.
Funds move into Tornado Cash
Blockchain intelligence firms Specter and MistTrack flagged the activity after tracking wallet 0x93A0, which they attribute to the attacker behind the Upbit exploit.
MistTrack data shows the address has already transferred about 1,400 ETH into Tornado Cash, while Specter estimates the figure closer to 1,500 ETH. The wallet carries an AML risk score of 100, labeled “severe,” with direct tags for theft and malicious behavior.
Analysts say the use of Tornado Cash is a common step for attackers seeking to obscure fund origins after high-profile exchange breaches. Deposits into the mixer's pools are later withdrawn to fresh wallets that carry no direct on-chain link back to the theft, which is why investigators watch the deposit side closely: the deposit transactions are the last point at which the funds can still be attributed to the attacker.
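The tracking the analysts describe, at its simplest, is taint propagation: start from the flagged theft address, follow outgoing transfers through intermediate wallets, and total what reaches known mixer deposit contracts. The following is an added illustration of that logic and is not code from the article, from Specter, or from MistTrack. Every address, transaction hash and amount in it is a constructed placeholder (the real Tornado Cash pool contract addresses are not reproduced here); the only real-world detail it relies on is that Tornado Cash ETH pools accept fixed denominations of 0.1, 1, 10 and 100 ETH.

```python
"""Added example: minimal taint propagation from a flagged theft address to
known mixer deposit contracts. Addresses and transactions below are
constructed placeholders, not real on-chain data."""

from collections import defaultdict, deque
from dataclasses import dataclass

# Tornado Cash ETH pools accept fixed denominations; a transfer into a pool
# that is not exactly the pool's denomination cannot be a valid deposit.
# The pool labels here are hypothetical stand-ins for real contract addresses.
MIXER_POOLS = {
    "0xPOOL_100": 100.0,
    "0xPOOL_10": 10.0,
}


@dataclass(frozen=True)
class Tx:
    tx_hash: str
    sender: str
    receiver: str
    value_eth: float


# Constructed sample: theft address -> two hop wallets -> pool deposits,
# plus an unrelated wallet that also uses the mixer and must not be counted.
SAMPLE_TXS = [
    Tx("0xaa01", "0xTHIEF", "0xHOP1", 800.0),
    Tx("0xaa02", "0xTHIEF", "0xHOP2", 700.0),
    *[Tx(f"0xb1{i:02d}", "0xHOP1", "0xPOOL_100", 100.0) for i in range(8)],
    *[Tx(f"0xb2{i:02d}", "0xHOP2", "0xPOOL_100", 100.0) for i in range(6)],
    Tx("0xcc01", "0xHOP2", "0xEXCHANGE_DEPOSIT", 95.0),  # not a mixer
    Tx("0xdd01", "0xUNRELATED", "0xPOOL_10", 10.0),       # clean user, ignored
]


def tainted_addresses(txs, origin, max_hops=3):
    """Breadth-first walk outward from `origin` along outgoing transfers.

    Returns a dict address -> hop depth. Mixer pools are terminal nodes:
    funds are not followed out of a pool, because withdrawals cannot be
    linked to deposits on-chain. `max_hops` bounds how far taint spreads so
    that a large graph does not mark every downstream wallet as suspect.
    """
    out_edges = defaultdict(list)
    for tx in txs:
        out_edges[tx.sender].append(tx.receiver)

    depth = {origin: 0}
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        if addr in MIXER_POOLS or depth[addr] >= max_hops:
            continue
        for nxt in out_edges[addr]:
            if nxt not in depth:
                depth[nxt] = depth[addr] + 1
                queue.append(nxt)
    return depth


def mixer_deposits(txs, origin, max_hops=3):
    """Total ETH moved from tainted wallets into known mixer pools.

    Returns (total_eth, deposits, anomalies). A transfer into a pool whose
    value does not match that pool's denomination is listed as an anomaly
    rather than counted, since it cannot be a real pool deposit.
    """
    tainted = tainted_addresses(txs, origin, max_hops)
    deposits, anomalies = [], []
    for tx in txs:
        if tx.sender in tainted and tx.receiver in MIXER_POOLS:
            if abs(tx.value_eth - MIXER_POOLS[tx.receiver]) < 1e-9:
                deposits.append(tx)
            else:
                anomalies.append(tx)
    total = sum(tx.value_eth for tx in deposits)
    return total, deposits, anomalies


if __name__ == "__main__":
    total, deps, odd = mixer_deposits(SAMPLE_TXS, "0xTHIEF")
    print(f"{total:.1f} ETH reached mixer pools in {len(deps)} deposits; "
          f"{len(odd)} anomalous pool transfers")
```

In practice the transaction list would come from an indexer or a node's trace API, and the hop limit and pool list would be tuned per chain; the shape of the check is the same. Note what the walk does not do: it stops at the pool, which is exactly the point at which the article says the trail goes cold.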
Exchange response and security context
The laundering activity follows Upbit’s earlier decision to overhaul its custody practices. In December, the exchange announced it would move more than 99% of customer assets into cold wallets after suffering a Solana hot-wallet hack that cost roughly 44.5 billion KRW (about $31 million).
At the time, Upbit said it would cover user losses from its own reserves and tighten internal controls, exceeding South Korea’s regulatory requirement to keep at least 80% of assets offline.
Why it matters
The speed says it all. Once the exploit was done, the playbook flipped instantly from stealing to hiding, with roughly 1,500 ETH pushed into Tornado Cash in a matter of days, not months. Cold wallets may shrink the blast radius for the next attack, but analysts are blunt about the reality: once funds hit a mixer, the odds of recovery drop fast, and the trail usually goes cold long before anyone can hit the brakes.
For regulators and exchanges alike, the incident reinforces a familiar lesson: prevention may be improving, but when exploits succeed, the race to track and freeze funds is still measured in hours, not days.
