KuCoin Hacker Launders Millions Through Tornado Cash as Investigation Continues

In the ever-evolving saga of the KuCoin exchange hack — one of the largest cryptocurrency heists in history — the attacker has taken a bold new step. On October 23, 2020, blockchain analysts discovered that the hacker behind the $275 million KuCoin breach was actively using the Ethereum mixer Tornado Cash to launder stolen funds, moving millions of dollars' worth of ETH through the privacy protocol in a calculated effort to cover their tracks.

TL;DR

  • The KuCoin hacker sent approximately 11,520 ETH (roughly $4.8 million) to the Tornado Cash mixer on October 23, 2020
  • Analysts tracked 2,800–3,000 ETH ($1.16–$1.25 million) already mixed in batches of 100 ETH
  • The hacker’s wallet still held around 8,517 ETH ($3.55 million) pending transfer
  • The laundering process involves converting stolen ERC-20 tokens to ETH via Uniswap and Kyber Network before mixing
  • The Block analyst Larry Cermak believes the public nature of the transactions may actually aid law enforcement

The Hack That Shook the Crypto World

The original breach occurred on September 25, 2020, when hackers exploited KuCoin’s hot wallets and made off with more than $275 million in various cryptocurrencies. The attack immediately ranked among the top three largest exchange hacks in crypto history at the time, sending shockwaves through the community and raising fresh questions about centralized exchange security.

KuCoin’s CEO Johnny Lyu addressed the incident in a livestream the following day, assuring users that the exchange would cover all losses through its insurance fund. The exchange gradually resumed services as the investigation unfolded, but the trail of stolen funds continued to develop in the weeks that followed.

Following the Money Through Tornado Cash

On October 23, Larry Cermak, Director of Research at The Block, revealed that the KuCoin hacker had begun routing significant amounts of stolen Ethereum through Tornado Cash, a decentralized privacy protocol on the Ethereum network. The mixer works by pooling deposits from multiple users and redistributing them, making it extremely difficult to trace the origin of specific funds.

According to Cermak’s analysis, the attacker transferred approximately 11,520 ETH — worth roughly $4.8 million at the time — into Tornado Cash. Of that amount, between 2,800 and 3,000 ETH (approximately $1.16 to $1.25 million) had already been processed through the mixer in methodical batches of 100 ETH each. The hacker’s primary wallet still held approximately 8,517 ETH, equivalent to about $3.55 million, suggesting the laundering operation was far from over.

A Sophisticated Laundering Pipeline

Blockchain researchers pieced together the hacker’s entire money movement strategy, revealing a multi-step process designed to maximize obfuscation:

  1. Token Theft: Steal ERC-20 tokens directly from KuCoin’s compromised wallets
  2. Conversion: Swap the stolen tokens for ETH using decentralized exchanges like Uniswap and Kyber Network
  3. Dispersal: Distribute the ETH across multiple wallet addresses to complicate tracking
  4. Mixing: Feed the ETH through Tornado Cash to break the on-chain trail
  5. Cash Out: Eventually convert the mixed ETH to fiat currency through various means

This pipeline highlights a growing concern in the DeFi ecosystem: the same decentralized protocols designed for financial freedom can also serve as tools for money laundering when exploited by bad actors.

Analyst Reactions and Implications

Developer Udi Wertheimer noted that if the hacker continued at the current pace, they could eventually control as much as a third of Tornado Cash’s total mixing pool — a concentration that would be notable in its own right. However, Cermak offered a counterpoint, suggesting that the hacker’s use of Tornado Cash from a publicly identifiable address might actually work against them.

“Very high likelihood of [them being caught],” Cermak wrote, characterizing the approach as a “horrific” operational security failure. The transparency of blockchain transactions means that even when mixers are employed, patterns can emerge that help investigators follow the money trail over time.
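The two analyst points above can be made concrete from an investigator's side. The following is an added example, not code from the article or from the analysts quoted: it flags addresses that deposit repeated fixed-size batches into one pool, and estimates how likely each withdrawal is to spend a flagged deposit as that depositor's share of the pool grows. The addresses and events are constructed, and the uniform-selection model is an assumption.

```python
from collections import Counter
from fractions import Fraction

DENOMINATION_ETH = 100  # batch size reported in the article

# Constructed sample events for one fixed-denomination pool (not real chain data).
# Each entry is ("deposit", depositor_address) or ("withdraw", recipient_address).
EVENTS = [
    ("deposit", "0xUSER_A"), ("deposit", "0xUSER_B"), ("deposit", "0xFLAGGED"),
    ("deposit", "0xFLAGGED"), ("deposit", "0xUSER_C"), ("deposit", "0xFLAGGED"),
    ("withdraw", "0xFRESH_1"), ("deposit", "0xFLAGGED"), ("withdraw", "0xFRESH_2"),
]

def batch_depositors(events, min_deposits=3):
    """Addresses that made at least min_deposits deposits into the pool."""
    counts = Counter(addr for kind, addr in events if kind == "deposit")
    return {addr: n for addr, n in counts.items() if n >= min_deposits}

def withdrawal_taint(events, flagged):
    """For each withdrawal, the prior probability that it spends a flagged deposit.

    Assumed model: every unspent deposit is equally likely to be the one
    withdrawn, so p = expected unspent flagged deposits / total unspent deposits.
    """
    flagged_notes, total_notes = Fraction(0), 0
    result = []
    for kind, addr in events:
        if kind == "deposit":
            total_notes += 1
            if addr == flagged:
                flagged_notes += 1
        elif total_notes > 0:  # ignore a withdrawal from an empty pool
            p = flagged_notes / total_notes
            result.append((addr, p))
            flagged_notes -= p  # expected flagged deposits still unspent
            total_notes -= 1
    return result

if __name__ == "__main__":
    for addr, n in batch_depositors(EVENTS).items():
        print(f"{addr}: {n} deposits = {n * DENOMINATION_ETH} ETH")
    for recipient, p in withdrawal_taint(EVENTS, "0xFLAGGED"):
        print(f"{recipient}: P(spends flagged deposit) = {p} ({float(p):.0%})")
```

The more of the pool a single known depositor supplies, the less cover the remaining deposits give to that depositor's own withdrawals.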

This incident also underscored a broader tension in the cryptocurrency space between privacy and transparency. Tornado Cash and similar protocols exist to provide legitimate financial privacy for users, but high-profile cases like the KuCoin hack inevitably draw regulatory scrutiny and could influence future legislation around privacy-preserving technologies.

Why This Matters

The KuCoin hack and its aftermath represent a critical case study in crypto security and the cat-and-mouse game between hackers and investigators. At the time of these transactions, Bitcoin was trading at approximately $12,931 and Ethereum at around $409.77, with the broader crypto market capitalization exceeding $300 billion. The incident demonstrated both the vulnerabilities of centralized exchanges and the double-edged nature of DeFi infrastructure. For users, it served as a stark reminder of the importance of self-custody and due diligence when choosing where to store digital assets. For the industry, it highlighted the urgent need for better security practices across both centralized and decentralized platforms.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making any investment decisions.


4 thoughts on “KuCoin Hacker Launders Millions Through Tornado Cash as Investigation Continues”

  1. chainalysis is getting better at tracing tornado outputs, these hackers' days are numbered no matter how many mixers they use

  2. Rikuto Suzuki

    The investigation taking this long shows how complex cross-chain laundering has become. Exchanges need better hot wallet security plain and simple.

  3. tornado_skeptic_

    Tornado Cash being the go-to for every major hack shows why privacy tools need better guardrails. The protocol is neutral but the usage pattern is damning.

  4. KuCoin hack was one of the more sophisticated ones. The laundering through Tornado was almost textbook at this point.
