As the U.S. government seeks to seize approximately $2.67 million worth of cryptocurrency stolen in two major hacks, two recent forfeiture lawsuits filed by the U.S. Attorney for the District of Columbia shed new light on how North Korean cryptocurrency hackers launder funds.
The first forfeiture complaint, filed on Friday, alleges that the North Korea-linked Lazarus Group's $28 million hack of cryptocurrency options exchange Deribit in November 2022 led to approximately $1.7 million worth of Tether (USDT) that was tracked through the Tornado Cash mixer. The second seeks to recover about 15.5 bitcoin bridged to Avalanche (BTC.b), worth approximately $971,000 at current prices, from the group's $41 million hack of the online cryptocurrency casino Stake.com.
From Deribit to Tornado
The first of the two complaints concerns the Lazarus Group's methods of laundering funds from the Deribit hack through the cryptocurrency mixer Tornado Cash, a service at the center of an upcoming money laundering trial closely watched by cryptocurrency advocates. Law enforcement was able to track down some of the $28 million laundered in the theft after the North Korean hackers accessed Deribit's hot wallet servers, exchanged the assets for Ethereum, transferred them through Tornado Cash and eventually converted them to Tether, a stablecoin, on the Tron blockchain, as shown in a diagram in the filing.
Law enforcement officials traced the funds through Tornado Cash by noting similarities between certain Ethereum wallets. The wallets received transfers at similar times (within minutes of each other), used similar cross-chain bridges, received funds for transaction fees from the same address, and eventually held the funds at the same consolidation address.
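The wallet-linking heuristics described above, as an added Python example that is not from the filing or from The Block: it clusters constructed wallet records (hypothetical addresses, times and bridges) only when they share several of the four signals, since a timing coincidence alone is weak evidence of common control.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical wallet records (not from the court filing).
# Per wallet: time of first inbound transfer, bridge used, address that
# funded its transaction fees, and the address it finally swept funds to.
WALLETS = {
    "0xaaa1": {"received": "2022-11-02T10:00:00", "bridge": "bridgeA", "gas_from": "0xfee1", "swept_to": "0xcons1"},
    "0xaaa2": {"received": "2022-11-02T10:04:00", "bridge": "bridgeA", "gas_from": "0xfee1", "swept_to": "0xcons1"},
    "0xaaa3": {"received": "2022-11-02T10:07:00", "bridge": "bridgeA", "gas_from": "0xfee1", "swept_to": "0xcons1"},
    "0xbbb1": {"received": "2022-11-05T18:30:00", "bridge": "bridgeB", "gas_from": "0xfee9", "swept_to": "0xcons7"},
    "0xccc1": {"received": "2022-11-02T10:05:00", "bridge": "bridgeB", "gas_from": "0xfee2", "swept_to": "0xcons2"},
}

def shared_signals(a, b, window_minutes=10):
    """Return which of the four tracing signals two wallets have in common:
    receipt within minutes, same bridge, same fee funder, same consolidation address."""
    signals = set()
    ta = datetime.fromisoformat(a["received"])
    tb = datetime.fromisoformat(b["received"])
    if abs(ta - tb) <= timedelta(minutes=window_minutes):
        signals.add("timing")
    if a["bridge"] == b["bridge"]:
        signals.add("bridge")
    if a["gas_from"] == b["gas_from"]:
        signals.add("gas_funder")
    if a["swept_to"] == b["swept_to"]:
        signals.add("consolidation")
    return signals

def cluster_wallets(wallets, min_signals=3):
    """Union-find clustering: wallets are linked when they share at least
    min_signals heuristics, so a lone timing match does not merge clusters."""
    parent = {w: w for w in wallets}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    names = list(wallets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if len(shared_signals(wallets[a], wallets[b])) >= min_signals:
                parent[find(a)] = find(b)
    groups = defaultdict(list)
    for w in names:
        groups[find(w)].append(w)
    return sorted(sorted(g) for g in groups.values())
```

Lowering `min_signals` to 1 would merge `0xccc1` into the first cluster on timing alone, which illustrates why the filing relies on several corroborating signals rather than one.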
The hackers attempted to convert the Ethereum assets to USDT on three separate occasions. The first two laundering attempts were halted when law enforcement froze some of the funds in question. In a third attempt, the hackers succeeded in laundering the remaining funds, after which law enforcement froze approximately $1.7 million in USDT held in five associated wallets.
From Stake.com to Sinbad and YoMix
The second filing concerns the Lazarus Group's $41 million hack of the online casino Stake.com and its attempt to launder the funds in three stages: converting the funds to BTC via Avalanche's Bitcoin bridge, moving the stolen BTC through the Bitcoin mixers Sinbad and YoMix, and finally converting the bitcoin to a stablecoin such as USDT. The funds at issue were frozen across Phases 1 through 3, reportedly by way of an asset freeze request to the Avalanche Bridge.
In Phase 1, the hackers converted the stolen assets into native tokens such as Polygon's MATIC and Binance Smart Chain's BNB, then bridged that value to bitcoin via the Avalanche Bridge, where law enforcement froze the assets in seven transactions. However, despite the government's intervention, "North Korea was able to transfer the majority of the stolen funds to the BTC blockchain," the document states.
On the Bitcoin blockchain, the hackers used the mixers Sinbad and YoMix, which offer services similar to Ethereum's Tornado Cash, to further obfuscate the movement of the stolen funds. "Law enforcement traced the flow of stolen funds through two mixing services to the next stage of the North Korean hackers' laundering process," the filing states, but despite identifying the consolidation wallet, officials were only able to recover an additional 0.099 BTC, worth about $6,270 at current prices.
Even as law enforcement agencies have improved their ability to track and seize illicit cryptocurrency, the Lazarus Group remains active, and the group was recently blamed for the $230 million attack on the Indian cryptocurrency exchange WazirX.
Disclaimer: The Block is an independent media outlet delivering news, research and data. As of November 2023, Foresight Ventures is a majority investor in The Block. Foresight Ventures invests in other companies in the cryptocurrency space. Cryptocurrency exchange Bitget is an anchor LP of Foresight Ventures. The Block continues to operate independently to provide objective, impactful and timely information about the cryptocurrency industry. Below are our current financial disclosures.
© 2024 The Block. All rights reserved. This article is provided for informational purposes only. It is not provided or intended to be used as legal, tax, investment, financial or other advice.