thetradingbay

U.S. Uncovers North Korean Hackers’ Crypto Laundering Tactics

U.S. government investigates and targets North Korean hackers, revealing complex cryptocurrency laundering methods involving Tornado Cash, mixers, and cross-chain transfers in efforts to recover stolen digital assets.

Two recent forfeiture actions filed by the U.S. Attorney for the District of Columbia have shed light on how North Korean hackers, linked to the notorious Lazarus Group, launder stolen cryptocurrency. The U.S. government is seeking to seize approximately $2.67 million in stolen cryptocurrency from two major hacks, revealing sophisticated laundering methods involving mixers, cross-chain transfers, and stablecoins.

Recovering Stolen Crypto: Key Details

The forfeiture complaints, filed on Friday, target $1.7 million worth of Tether (USDT) linked to the Lazarus Group’s $28 million hack of crypto exchange Deribit and 15.5 Avalanche-bridged Bitcoin (BTC.b) worth about $971,000 from their $41 million hack of Stake.com, an online crypto casino.

Deribit Hack: Laundering Through Tornado Cash

The first forfeiture filing details how the Lazarus Group laundered funds stolen from Deribit through Tornado Cash, a crypto mixer under scrutiny for facilitating money laundering. After North Korean hackers breached Deribit’s hot wallet server, they swapped the stolen assets to Ethereum and sent them through Tornado Cash to obscure the origin of the funds. Eventually, these assets were converted into Tether (USDT) on the Tron blockchain.

U.S. law enforcement was able to trace the funds by identifying patterns in the Ethereum wallets involved. The wallets exhibited similarly timed transfers, cross-chain bridges, and transaction fees sourced from the same address, ultimately leading to consolidation addresses. Despite attempts to launder the assets in three stages, law enforcement successfully froze approximately $1.7 million in USDT from five key wallets involved in the laundering process.
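As an added illustration (not code from the forfeiture filings or from any investigator's tooling), the sketch below shows how two of the signals named above, a shared fee-funding address and similarly timed transfers, can be combined to group wallets and surface a common consolidation address. The ledger records, address labels and the 300-second window are constructed assumptions; cross-chain bridge hops are not modelled.

```python
from collections import defaultdict

# Constructed sample ledger (labels are placeholders, not real addresses).
# Each record: (sender, receiver, unix_time, kind); "fee" = gas top-up.
TRANSFERS = [
    ("funder_A", "w1", 1000, "fee"),
    ("funder_A", "w2", 1005, "fee"),
    ("funder_A", "w3", 1010, "fee"),
    ("funder_B", "w4", 1020, "fee"),
    ("w1", "consol_X", 2000, "value"),
    ("w2", "consol_X", 2040, "value"),
    ("w3", "consol_X", 9000, "value"),   # same funder, but far apart in time
    ("w4", "exchange_Y", 2010, "value"),
]

def _summarise(funder, group):
    """Describe one time-adjacent group of value transfers."""
    senders_by_dest = defaultdict(set)
    for _, src, dst in group:
        senders_by_dest[dst].add(src)
    return {
        "funder": funder,
        "wallets": sorted({src for _, src, _ in group}),
        # A destination fed by more than one wallet is a consolidation candidate.
        "consolidation": sorted(d for d, s in senders_by_dest.items() if len(s) > 1),
    }

def cluster_wallets(transfers, window=300):
    """Group wallets that share a fee funder and move value within `window` seconds."""
    funder_of = {}
    for src, dst, _, kind in transfers:
        if kind == "fee":
            funder_of.setdefault(dst, src)   # first address that paid this wallet's fees
    moves_by_funder = defaultdict(list)
    for src, dst, ts, kind in transfers:
        if kind == "value" and src in funder_of:
            moves_by_funder[funder_of[src]].append((ts, src, dst))
    clusters = []
    for funder, moves in moves_by_funder.items():
        moves.sort()
        group = [moves[0]]
        for move in moves[1:]:
            if move[0] - group[-1][0] <= window:
                group.append(move)
            else:                            # timing gap: close the current group
                clusters.append(_summarise(funder, group))
                group = [move]
        clusters.append(_summarise(funder, group))
    # A single wallet on its own is not a pattern; keep multi-wallet groups only.
    return [c for c in clusters if len(c["wallets"]) > 1]
```

On the constructed ledger, `cluster_wallets(TRANSFERS)` links `w1` and `w2` through `funder_A` and reports `consol_X` as their shared destination, while `w3` (same funder, different timing) and `w4` (different funder) stay unclustered.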

Stake.com Hack: BTC Mixing Through Sinbad and Yonmix

The second forfeiture action focuses on the Lazarus Group’s $41 million hack of Stake.com, where the group laundered stolen funds through multiple steps, including using the Avalanche Bitcoin bridge, Bitcoin mixers Sinbad and Yonmix, and finally converting the Bitcoin into stablecoins like USDT.

Initially, law enforcement froze assets linked to seven transactions, which involved converting stolen assets into tokens like Polygon’s MATIC and Binance’s BNB before bridging them to Bitcoin through the Avalanche Bridge. However, the majority of the stolen funds still made it onto the Bitcoin blockchain.

Once on Bitcoin, the hackers utilized Sinbad and Yonmix, mixers designed to obscure Bitcoin transactions, further complicating efforts to trace the funds. Although law enforcement tracked the flow of funds through these mixers, only an additional 0.099 BTC (about $6,270) was recovered.

Persistent Threat from Lazarus Group

While these actions highlight the improved ability of law enforcement to trace and seize illicit cryptocurrency, the Lazarus Group remains an active threat in the crypto space. The group has been linked to various high-profile attacks, including the $230 million exploit of Indian crypto exchange WazirX.

As the U.S. government continues to pursue such cases, it is clear that North Korean hackers are employing increasingly sophisticated laundering techniques. However, law enforcement efforts to track, freeze, and recover stolen assets are also becoming more effective, marking a significant step in the ongoing battle against crypto-related cybercrime.
