Suspected actors who exploited the decentralized finance (DeFi) lending protocol Lendhub in January have moved more than half of their stolen funds, worth around $3.85 million, to sanctioned crypto mixer Tornado Cash.

This was revealed by blockchain security firms PeckShield and Beosin, who noted that the funds were sent from a wallet connected to the Jan. 12 exploit. The move follows a total of 3,515.4 ETH, worth over $5.7 million, sent to Tornado Cash by the exploiter since January 13.

Tornado Cash is a crypto mixing service that anonymizes Ethereum transactions by combining large amounts of Ether before depositing the sums to other addresses.

However, the service was sanctioned in August 2022 by the United States Office of Foreign Assets Control (OFAC) for its alleged role in the laundering of crime proceeds.

Despite the sanctions and the website for the service being taken down, Tornado Cash can still run as it is a smart contract housed on a decentralized blockchain.

A report by blockchain analytics firm Chainalysis in January revealed that hacks and scams once contributed to around 34% of all inflows to the mixer, with inflows sometimes reaching around $25 million per day. However, the 30 days following the sanctions saw a 68% drop in inflows.

PeckShield previously reported that the Lendhub exploit was the largest in January, with $6 million stolen from the protocol.

The movement of funds to Tornado Cash highlights the challenges facing regulators and law enforcement in cracking down on the use of crypto mixers for illicit activities.