U.S. moves to seize $2.7 million from Lazarus hacks traced through Tornado Cash, other mixers

Theblock
4 hours ago

Two recent forfeiture actions filed by the U.S. Attorney for the District of Columbia have uncovered new details about how North Korean crypto hackers launder their funds, as the U.S. government seeks to seize about $2.67 million worth of cryptocurrency stolen in two major hacks. 

The forfeiture complaints, first filed on Friday, aim to recover about $1.7 million worth of Tether (USDT) traced through the Tornado Cash mixer from the North Korean-linked Lazarus Group's $28 million hack of crypto options exchange Deribit in November 2022, and about 15.5 Avalanche-bridged Bitcoin (BTC.b), worth about $971,000 at current prices, from the group's $41 million hack of online crypto casino Stake.com.

The first of the two filings concerns the Lazarus Group's methods of laundering money from the Deribit hack through crypto mixer Tornado Cash, the service at the heart of an upcoming money laundering trial watched closely by crypto advocates. Law enforcement was able to trace some of the $28 million in funds laundered from the theft, which occurred after North Korean hackers obtained access to Deribit's hot wallet server, swapped the assets to Ethereum, and sent them through Tornado Cash to eventually wind up as Tether stablecoins on the Tron blockchain, as shown in a diagram from the filing. 

Law enforcement officials traced the funds through Tornado by noting similarities between certain Ethereum wallets. The wallets received similarly-timed transfers (within minutes of each other), utilized similar cross-chain bridges, received funding for transaction fees from the same address, and held funds which eventually wound up in the same consolidation addresses. 

The hackers attempted to convert the Ethereum assets to USDT in three waves, as the first two attempts to launder the funds were halted when law enforcement froze some of the funds in question. The third attempt saw the hackers successfully launder the remainder of the funds, leaving law enforcement with about $1.7 million in USDT frozen from five relevant wallets. 

The second filing concerns the Lazarus Group's $41 million hack of online casino Stake.com and their attempt to launder the funds in three stages: the conversion of the funds into BTC through Avalanche's Bitcoin bridge, moving the stolen BTC through Bitcoin mixers Sinbad and Yonmix, and finally converting the Bitcoin into stablecoins such as USDT. The relevant funds were frozen during the first and third stages, likely through asset freeze requests to Avalanche Bridge. 

During stage one, law enforcement froze assets from seven transactions that generally involved converting stolen assets into native tokens such as Polygon's MATIC tokens and Binance Smart Chain's BNB tokens and then bridging that value to Bitcoin through the Avalanche Bridge. However, despite the government's intervention, "the North Koreans were able to transfer the majority of the stolen funds to the BTC blockchain," the filing states. 

Once on Bitcoin, the hackers used mixers Sinbad and Yonmix, which provide a service similar to that of Tornado Cash on Ethereum, to further obfuscate the movement of the stolen funds. "Law enforcement traced the flow of the stolen funds through both mixing services to the next stage of the North Korean hackers' laundering process," the filing states, though, despite identifying the consolidation wallet, officials were only able to recover an additional 0.099 BTC, worth about $6,270 at current prices.

Although law enforcement has improved its ability to trace and seize illicit cryptocurrency, the Lazarus Group remains active, with the group recently blamed for Indian crypto exchange WazirX's $230 million exploit, among other attacks.

Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Disclaimer: This article represents only the personal views of its author and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice of any kind to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity by e-mail to support@aicoin.com, and the platform's staff will investigate.
