SlowMist AML: Tracking funds laundered by Tornado Cash

Incident Overview

What is Tornado.Cash?

The Transfer in

Tracking the funds

  1. When a large amount of ETH is deposited into Tornado.Cash, the deposits collectively exhibit some traceable characteristics.
  2. Hackers are typically eager to cash out through an exchange, so it is speculated that the hacker will withdraw the funds immediately after depositing them in Tornado.Cash, or withdraw them at the next deposit.
  3. If that’s the case, we can monitor all withdrawals that happened after the original deposits were made.

  1. Using the approach mentioned above, we can assume that the time frame of the withdrawals is similar or close to the time frame in which the hacker made deposits into Tornado.Cash.
  2. Funds withdrawn from Tornado.Cash during that time frame will also be deposited into the same address.
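
The two hypotheses above can be checked mechanically. The following is an added example, not code from the original article or from SlowMist: it keeps the withdrawals that follow a suspect deposit within a time window and then ranks the recipient addresses they converge on. All addresses, timestamps and amounts are constructed, and the event layout (timestamp, address, pool size in ETH), the 2-hour window and the 3-hit threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(hhmm):
    """Constructed timestamps all share one arbitrary day."""
    return datetime.strptime("2000-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events, not real chain data. Pool = fixed deposit size in ETH.
SUSPECT = "0xSUSPECT"  # placeholder for the hacker's depositing address
DEPOSITS = [(ts("10:00"), SUSPECT, 100), (ts("10:05"), SUSPECT, 100),
            (ts("10:10"), SUSPECT, 100), (ts("10:15"), SUSPECT, 100),
            (ts("10:12"), "0xOTHER", 100)]
WITHDRAWALS = [(ts("09:00"), "0xCCC", 100),   # before any suspect deposit
               (ts("10:20"), "0xAAA", 100), (ts("10:30"), "0xBBB", 100),
               (ts("10:40"), "0xAAA", 100), (ts("11:00"), "0xAAA", 100),
               (ts("11:30"), "0xAAA", 100),
               (ts("10:25"), "0xDDD", 10), (ts("10:35"), "0xDDD", 10),
               (ts("10:45"), "0xDDD", 10)]    # in the window, but a different pool

def candidate_recipients(deposits, withdrawals, suspect,
                         window=timedelta(hours=2), min_hits=3):
    """Return [(recipient, matched_withdrawals, total_eth)], most matches first."""
    suspect_deps = [(t, pool) for t, who, pool in deposits if who == suspect]
    hits = defaultdict(list)
    for w_time, recipient, w_pool in withdrawals:
        # Time-frame hypothesis: the withdrawal comes shortly after a suspect
        # deposit into the same pool.
        in_window = any(pool == w_pool and
                        timedelta(0) < w_time - d_time <= window
                        for d_time, pool in suspect_deps)
        if in_window:
            hits[recipient].append(w_pool)
    # Same-address hypothesis: unrelated users also withdraw inside the window,
    # so keep only recipients that collect several matching withdrawals.
    ranked = [(r, len(p), sum(p)) for r, p in hits.items() if len(p) >= min_hits]
    return sorted(ranked, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for recipient, n, eth in candidate_recipients(DEPOSITS, WITHDRAWALS, SUSPECT):
        print(f"{recipient}: {n} withdrawals, {eth} ETH inside the window")
```

A recipient surfaced this way is a lead to verify against on-chain activity, not proof of ownership; widening the window or lowering the threshold raises the number of unrelated addresses that match.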

Let’s verify this theory

Summary
