North Korean Crypto Hackers’ Laundering Methods Uncovered
Two recent forfeiture actions by the U.S. Attorney for the District of Columbia reveal how North Korean crypto hackers launder funds, as the U.S. seeks to seize about $2.67 million in stolen cryptocurrency.
Details of Forfeiture Actions
The forfeiture complaints, filed Friday, aim to recover:
– About $1.7 million worth of Tether (USDT) traced through Tornado Cash from the North Korean-linked Lazarus Group’s $28 million hack of crypto options exchange Deribit in November 2022.
– Approximately 15.5 Avalanche-bridged Bitcoin (BTC.b) valued at around $971,000, linked to the group’s $41 million hack of online casino Stake.com.
From Deribit to Tornado
The first filing addresses the Lazarus Group’s laundering methods from the Deribit hack via the crypto mixer Tornado Cash. Law enforcement traced the $28 million stolen after North Korean hackers accessed Deribit’s hot wallet, converted assets to Ethereum, and funneled them through Tornado Cash into Tether on the Tron blockchain.
Officials identified patterns in certain Ethereum wallets, noting similarities in timing, cross-chain bridge usage, and transaction fees from the same address. The laundering attempts occurred in three waves, with two being frozen by law enforcement, ultimately leaving about $1.7 million in USDT frozen from five wallets.
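The wallet-linking heuristic the filing describes (same bridge contract, same hand-set fee, deposits clustered in time) can be sketched as a small tracing script. This is an added illustration, not the investigators' tooling or the complaint's data; the transaction records, wallet labels and bridge contract addresses below are constructed placeholders, and the field names are assumptions about what a block explorer export would contain.

```python
from collections import defaultdict

# Constructed sample transactions (not real on-chain data). Each record
# mimics an explorer export: sender wallet, unix timestamp, gas price
# in gwei, and the bridge contract called. Addresses are placeholders.
SAMPLE_TXS = [
    {"from": "0xwalletA", "ts": 1669000000, "gas_gwei": 31.5, "to": "0xbridge1"},
    {"from": "0xwalletB", "ts": 1669000045, "gas_gwei": 31.5, "to": "0xbridge1"},
    {"from": "0xwalletC", "ts": 1669000090, "gas_gwei": 31.5, "to": "0xbridge1"},
    {"from": "0xwalletD", "ts": 1669300000, "gas_gwei": 18.0, "to": "0xbridge2"},
    {"from": "0xwalletE", "ts": 1669500000, "gas_gwei": 31.5, "to": "0xbridge1"},
]


def cluster_wallets(txs, window_s=300, min_size=2):
    """Group sender wallets whose bridge calls share the same target
    contract and the same gas price, and fall within `window_s` seconds
    of the previous call in that group. Returns a list of sorted wallet
    lists, one per cluster of at least `min_size` transactions."""
    # Exact-match features first: bridge contract and fee setting.
    buckets = defaultdict(list)
    for tx in txs:
        buckets[(tx["to"], tx["gas_gwei"])].append(tx)

    clusters = []
    for group in buckets.values():
        group.sort(key=lambda t: t["ts"])
        current = [group[0]]
        # Walk the bucket in time order and split whenever the gap
        # between consecutive calls exceeds the timing window.
        for prev, tx in zip(group, group[1:]):
            if tx["ts"] - prev["ts"] <= window_s:
                current.append(tx)
            else:
                if len(current) >= min_size:
                    clusters.append(sorted({t["from"] for t in current}))
                current = [tx]
        if len(current) >= min_size:
            clusters.append(sorted({t["from"] for t in current}))
    return clusters


if __name__ == "__main__":
    for wallets in cluster_wallets(SAMPLE_TXS):
        print("linked wallets:", ", ".join(wallets))
```

On the constructed data, wallets A, B and C are linked (same bridge, same 31.5 gwei fee, 45 seconds apart), while D uses a different bridge and fee and E shares the fee and bridge but is hours apart, so neither is flagged.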
From Stake.com to Sinbad and Yonmix
The second filing involves the Lazarus Group’s $41 million Stake.com hack, which was laundered in three steps: converting stolen funds into BTC using Avalanche’s bridge, then using Bitcoin mixers Sinbad and Yonmix, and finally converting into stablecoins like USDT. Law enforcement froze some assets during these stages, particularly through the Avalanche Bridge.
During the first stage, assets from seven transactions were frozen while the hackers were converting the stolen assets into native tokens (such as Polygon’s MATIC and Binance’s BNB) before bridging to Bitcoin. Despite government intervention, most of the funds moved to the Bitcoin blockchain.
Once the funds were on Bitcoin, the hackers used Sinbad and Yonmix to obscure the transfers. While law enforcement traced the mixing services, they only managed to recover an additional 0.099 BTC, worth approximately $6,270.
Despite improved tracing and seizing capabilities, the Lazarus Group remains active, recently implicated in a $230 million exploit of Indian crypto exchange WazirX among other attacks.