
Advanced Asset Tracing in Crypto: Following the Money From the Harmony Hack to North Korea

The art and science of tracing cryptocurrency transactions has evolved dramatically over the past few years, driven by an arms race between sophisticated criminal actors and the blockchain analytics firms working to expose them. The FBI’s January 2023 confirmation that North Korea’s Lazarus Group was behind the $100 million Harmony Horizon Bridge hack provides a detailed case study in how modern asset tracing works — and how even privacy-focused laundering techniques can be unraveled by determined investigators. For advanced crypto users and security professionals, understanding these techniques is essential.

The Objective

This guide walks through the investigative methodology used to trace stolen cryptocurrency from the point of theft through multiple laundering layers, using the Harmony Horizon Bridge hack as a real-world example. By January 23, 2023, investigators had pieced together a comprehensive picture of how approximately $100 million in stolen assets — including Ethereum, Tether, and USD Coin — moved from Harmony’s compromised bridge through Tornado Cash and into Railgun before being converted to Bitcoin. Understanding this chain of custody illuminates both the capabilities and limitations of blockchain forensics.

Prerequisites

To follow this guide effectively, you should understand basic blockchain concepts including transaction hashes, wallet addresses, and the difference between custodial and non-custodial platforms. Familiarity with Ethereum’s transaction model is helpful, as is a basic understanding of how mixing services and privacy protocols function. Tools you will want to explore include block explorers like Etherscan for Ethereum transactions and blockchain analytics platforms such as Elliptic, Chainalysis, or TRM Labs for more advanced tracing capabilities.

The broader context is important: with Bitcoin at $22,934 and Ethereum at $1,628 in January 2023, the stolen $100 million represented a substantial amount of capital. Since 2017, North Korean hacking groups have stolen over $1.2 billion in cryptocurrency, making state-sponsored crypto theft one of the most significant security challenges facing the industry.

Step-by-Step Walkthrough

Step 1: Identify the Point of Compromise. The Horizon Bridge was exploited on June 24, 2022, through its multi-signature wallet. The bridge was over-centralized — only five signatories controlled the wallet, and the attackers compromised two of them. This gave the hackers sufficient authorization to drain approximately $99.7 million in tokens. The first step in any tracing operation is to identify the compromised address and catalog the initial outflow transactions. Blockchain analytics tools automatically flag large, unusual withdrawals from bridge contracts.

Step 2: Follow the Initial Consolidation. After stealing the funds, Lazarus Group typically consolidates the stolen assets into a small number of control wallets. In the Harmony case, the stolen ETH, USDT, and USDC were gathered into specific Ethereum addresses that investigators could monitor. These consolidation addresses become critical reference points for the entire investigation.

Step 3: Track the Tornado Cash Deposits. The next stage involved routing funds through Tornado Cash, a decentralized Ethereum mixer. Elliptic researchers identified that approximately $96 million from the Harmony hack was deposited into Tornado Cash. The Lazarus Group used programmatic transaction structuring to deposit funds in specific patterns — patterns that matched those used in the earlier $540 million Ronin Bridge hack. This pattern matching was the key insight that initially linked the Harmony theft to Lazarus Group before the FBI’s official confirmation.

Step 4: Monitor Post-Mix Withdrawals. After the U.S. Treasury sanctioned Tornado Cash in August 2022, investigators intensified their monitoring of withdrawal patterns. Funds exiting Tornado Cash were directed to several dormancy addresses where they remained inactive until January 2023. The inactivity itself was a behavioral signal — Lazarus Group often parks stolen funds for extended periods to let investigative attention wane.

Step 5: Trace the Railgun Conversion. In January 2023, Lazarus Group began moving funds from the dormancy addresses into Railgun, a privacy-focused DeFi protocol that functions as a Tornado Cash alternative. The FBI reported that approximately $60 million in ETH was converted to Bitcoin through Railgun. This conversion was traced to 11 specific Bitcoin addresses, demonstrating that even privacy protocols provide investigative leads when combined with behavioral analysis and cross-chain correlation.
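The five steps above, as an added Python example that is not part of the original article: a breadth-first walk over a small constructed ledger from the compromised bridge address, stopping at a mixer and recording what went in (Steps 1 to 3), then a check for post-mix withdrawal destinations that have stayed idle (Step 4). All address labels, transaction hashes and amounts are hypothetical placeholders, not the real Harmony or Lazarus addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample ledger: (tx, sender, receiver, asset, amount, time).
# Address labels are hypothetical, not the real Harmony or Lazarus addresses.
LEDGER = [
    ("t1", "bridge", "hacker_a", "ETH", 13000.0, datetime(2022, 6, 24, 0, 0)),
    ("t2", "bridge", "hacker_b", "USDC", 4_000_000.0, datetime(2022, 6, 24, 0, 5)),
    ("t3", "hacker_a", "consol", "ETH", 13000.0, datetime(2022, 6, 24, 3, 0)),
    ("t4", "consol", "mixer_100", "ETH", 100.0, datetime(2022, 6, 27, 10, 0)),
    ("t5", "consol", "mixer_100", "ETH", 100.0, datetime(2022, 6, 27, 10, 2)),
    ("t6", "mixer_100", "parked_1", "ETH", 100.0, datetime(2022, 7, 1, 0, 0)),
    ("t7", "user_x", "exchange", "ETH", 5.0, datetime(2022, 7, 2, 0, 0)),  # unrelated
]
MIXERS = {"mixer_100"}  # hypothetical fixed-denomination pool address

def outflows(ledger):
    by_sender = defaultdict(list)  # sender -> outgoing txs
    for tx in ledger:
        by_sender[tx[1]].append(tx)
    return by_sender

def trace_taint(ledger, origin, mixers):
    """Steps 1-3: BFS from the compromised address; stops at mixers, recording deposits."""
    out = outflows(ledger)
    tainted, deposits, queue = {origin}, [], deque([origin])
    while queue:
        addr = queue.popleft()
        for tx in out[addr]:
            dst = tx[2]
            if dst in mixers:
                deposits.append(tx)
            elif dst not in tainted:
                tainted.add(dst)
                queue.append(dst)
    return tainted, deposits

def mixer_totals(deposits):
    totals = defaultdict(float)  # asset -> amount that entered the mixer
    for tx in deposits:
        totals[tx[3]] += tx[4]
    return dict(totals)

def dormant_withdrawals(ledger, mixers, now, days=90):
    """Step 4: mixer withdrawal destinations idle for at least `days`."""
    out = outflows(ledger)
    cutoff = now - timedelta(days=days)
    idle = {tx[2] for tx in ledger if tx[1] in mixers and tx[5] <= cutoff
            and not any(o[5] > tx[5] for o in out[tx[2]])}
    return sorted(idle)
```

On a real chain the ledger would come from a node or explorer API and the mixer set from a curated label list; the walk deliberately does not pass through the mixer, which is why post-mix monitoring is a separate step.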

Troubleshooting

Not every tracing operation proceeds as smoothly as the Harmony case. Several factors can complicate investigations. First, the use of multiple mixing services in sequence — a technique called layering — increases the number of intermediate addresses that must be analyzed. Second, cross-chain bridges (ironically the same technology exploited in the Harmony hack) can be used to move funds between blockchains, requiring investigators to follow the trail across multiple networks.

Time delays present another challenge. Lazarus Group sometimes waits months or even years between laundering stages, which requires sustained monitoring resources. Additionally, the increasing use of decentralized exchanges for conversion — rather than centralized services that collect KYC information — reduces the number of identity-linked data points available to investigators.

When standard tracing methods fail, investigators rely on behavioral pattern analysis. The Lazarus Group has distinctive operational signatures: specific transaction amounts, timing patterns, and preferred tools. Matching these signatures across different hacks is often more productive than trying to trace individual transactions through privacy protocols.
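The signature matching described above, as an added Python example that is not from the original article: each incident's mixer deposits are reduced to a denomination mix and a median inter-deposit gap, and two such fingerprints are scored for similarity. The three incident sequences and the 70/30 weighting are constructed assumptions for illustration, not values from the Harmony or Ronin investigations.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

def make_deposits(start, amount, count, gap_s):
    """Constructed helper: `count` deposits of `amount`, `gap_s` seconds apart."""
    return [(amount, start + timedelta(seconds=i * gap_s)) for i in range(count)]

# Constructed (amount, time) deposit sequences for three hypothetical incidents.
INCIDENT_A = make_deposits(datetime(2022, 3, 28), 100.0, 6, 120)  # reference case
INCIDENT_B = make_deposits(datetime(2022, 6, 27), 100.0, 8, 125)  # same tooling?
INCIDENT_C = [(3.0, datetime(2022, 8, 1)), (47.5, datetime(2022, 8, 1, 9)),
              (12.0, datetime(2022, 8, 3)), (100.0, datetime(2022, 8, 9))]

def signature(deposits):
    """Denomination mix plus median inter-deposit gap (seconds)."""
    n = len(deposits)
    mix = {a: c / n for a, c in Counter(a for a, _ in deposits).items()}
    times = sorted(t for _, t in deposits)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return mix, (median(gaps) if gaps else None)

def similarity(sig1, sig2):
    """0..1 score: 70% weight on shared denominations, 30% on timing regularity."""
    mix1, gap1 = sig1
    mix2, gap2 = sig2
    # histogram intersection: 1.0 when both use exactly the same denominations
    overlap = sum(min(mix1.get(a, 0), mix2.get(a, 0)) for a in set(mix1) | set(mix2))
    if gap1 is None or gap2 is None:
        timing = 0.0
    else:
        timing = 1 - abs(gap1 - gap2) / max(gap1, gap2)
    return round(0.7 * overlap + 0.3 * timing, 3)
```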

Mastering the Skill

Advanced asset tracing in cryptocurrency is a multidisciplinary skill that combines blockchain technical knowledge, data analysis, financial investigation techniques, and an understanding of criminal operational patterns. The Harmony Horizon Bridge case demonstrates that the technology to trace even sophisticated laundering operations exists — but it requires expertise, persistence, and international cooperation.

For those looking to develop these skills professionally, certifications in blockchain forensics and cryptocurrency investigation are increasingly available. Open-source tools like Etherscan’s label database and various on-chain analytics dashboards provide starting points for self-directed learning. The key insight from the Harmony investigation is that blockchain’s transparency, paradoxically, makes it both an attractive target for thieves and a powerful tool for investigators. Every transaction is permanently recorded — and with the right techniques, even the most determined efforts to obscure the trail can be overcome.

Disclaimer: This article is for educational and informational purposes only. The techniques described should be used responsibly and in compliance with applicable laws and regulations.


9 thoughts on “Advanced Asset Tracing in Crypto: Following the Money From the Harmony Hack to North Korea”

    1. onchain_sleuth

      formulaic but it still works often enough. the problem is when they hit dex aggregators and it's game over for tracing

      1. DEX aggregators are the dead end for tracing. once funds hit 1inch or paraswap and get split across 10 liquidity pools it's basically gone

    2. tornado -> railgun -> btc. playbooks get stale and chainalysis adapts. it's a constant cat and mouse

    3. laundering pipeline IS formulaic because it works. the real challenge for investigators starts when they hit DEX aggregators and cross-chain bridges

  1. The investigative methodology section is excellent. Anyone working in compliance should study this chain of custody breakdown.

    1. the compliance breakdown here is solid. required reading for anyone working in AML for crypto firms

      1. required reading is right. the chain of custody breakdown from Harmony through Tornado to Railgun to BTC is a textbook example for AML training

  2. $100M traced through multiple privacy protocols and they still caught the trail. Blockchain analytics has gotten scary good.

