Despite sanctions on crypto mixing services, the bad actors behind January’s biggest breach have deposited millions worth of funds into Tornado Cash.

The alleged mastermind behind the $6 million exploit of decentralized finance (DeFi) lending protocol LendHub has just wired more than half of the ill-gotten gains from January to sanctioned crypto mixer Tornado Cash.
Blockchain security firms PeckShield and Beosin alerted their respective followers to the movement of funds on February 27, noting that approximately 2,415 ether, worth about $3.85 million, was sent to Tornado Cash from wallets associated with the January 12 breach.

PeckShield previously reported that the LendHub exploit was the largest in January, stealing $6 million from the protocol.
On-chain intelligence firm Beosin said on Twitter that the latest movement means that the attacker has sent a total of 3,515.4 ETH to Tornado Cash since January 13, currently worth more than $5.7 million.

Tornado Cash is a cryptocurrency mixing service that attempts to anonymize Ethereum transactions by combining large amounts of Ether before depositing the payments to other addresses.
The service was sanctioned by the U.S. Office of Foreign Assets Control (OFAC) on August 8, 2022, for its alleged involvement in laundering criminal proceeds.
Despite the sanctions and the service’s website being shut down, Tornado Cash is still able to operate and be used because it is a smart contract that lives on a decentralized blockchain.
Blockchain analytics firm Chainalysis said in a January report that hacks and scams once accounted for about 34% of all inflows to mixers, with inflows sometimes reaching around $25 million a day, but fell 68% in the 30 days after the sanctions.
Bad actors in the space continue to use the service frequently, most recently when developers behind an Arbitrum-based DeFi project moved over $1.86 million in ill-gotten cryptocurrency to Tornado Cash on Feb. 20.
The notorious North Korean hacker group, the Lazarus Group, frequently sends large amounts of funds to mixers like Tornado Cash and Sinbad.
A Chainalysis report from early February said funds used by North Korean hackers “moved to mixers at a much higher rate than funds stolen by other individuals or groups.”