The U.S. government is seeking to seize approximately $2.67 million in cryptocurrency linked to two major hacks by North Korean cybercriminals, according to recent filings from the U.S. Attorney for the District of Columbia. These actions, filed last Friday, reveal how North Korea’s Lazarus Group laundered funds from high-profile attacks on crypto platforms through blockchain mixers, shedding light on the group’s sophisticated money-laundering tactics.
The seizures relate to two hacks: a $28 million breach of crypto options exchange Deribit in November 2022 and a $41 million theft from the online crypto casino Stake.com in September 2023. Law enforcement traced the stolen assets through blockchain mixing services, which are designed to obscure the origin of cryptocurrency transactions.
Tracing Stolen Funds: From Deribit to Tornado Cash
In one forfeiture filing, the U.S. government details how Lazarus hackers laundered $1.7 million in Tether (USDT) through Tornado Cash, a crypto mixer at the center of a significant money-laundering case. The funds came from the group’s $28 million hack of Deribit, where the hackers gained access to the platform’s hot wallet servers, swapped the assets to Ethereum, and funneled them through Tornado Cash. Law enforcement tracked these movements by identifying patterns in wallet activity, such as similarly timed transactions and the use of cross-chain bridges.
The Lazarus Group made three attempts to convert the stolen assets to USDT. Law enforcement managed to freeze funds during the first two attempts, but the hackers laundered the remainder during the third wave; in total, about $1.7 million in USDT was frozen across five relevant wallets.
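The filing says investigators linked wallets by spotting similarly timed transactions and shared use of cross-chain bridges. The script below is an added illustration of that tracing heuristic, written for this article rather than taken from the filing or any investigative tool; the wallet addresses, bridge label, amounts and timestamps are constructed sample data, and the window and group-size thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set


@dataclass(frozen=True)
class Transfer:
    wallet: str    # sending address
    chain: str     # chain the transfer was observed on
    to: str        # counterparty; "bridge:<name>" marks a cross-chain bridge contract
    amount: float
    ts: datetime


# Constructed sample ledger: hypothetical wallets and timestamps, not from any filing.
SAMPLE: List[Transfer] = [
    Transfer("0xA1", "ethereum", "bridge:avax", 120.0, datetime(2024, 1, 1, 10, 0, 5)),
    Transfer("0xB2", "ethereum", "bridge:avax", 118.0, datetime(2024, 1, 1, 10, 0, 40)),
    Transfer("0xC3", "ethereum", "bridge:avax", 121.5, datetime(2024, 1, 1, 10, 1, 10)),
    Transfer("0xD4", "ethereum", "0xshop", 0.5, datetime(2024, 1, 1, 14, 30, 0)),
    Transfer("0xE5", "ethereum", "bridge:avax", 119.0, datetime(2024, 1, 2, 9, 0, 0)),
]


def cluster_by_timing(transfers: List[Transfer],
                      window: timedelta = timedelta(minutes=2)) -> List[List[Transfer]]:
    """Sort transfers by time and split them into bursts: a new cluster starts
    whenever the gap to the previous transfer exceeds `window`."""
    ordered = sorted(transfers, key=lambda t: t.ts)
    clusters: List[List[Transfer]] = []
    current: List[Transfer] = []
    for t in ordered:
        if current and t.ts - current[-1].ts > window:
            clusters.append(current)
            current = []
        current.append(t)
    if current:
        clusters.append(current)
    return clusters


def suspicious_wallet_groups(transfers: List[Transfer],
                             window: timedelta = timedelta(minutes=2),
                             min_size: int = 3) -> List[Set[str]]:
    """Return sets of distinct wallets that all sent funds to the same bridge
    contract within one timing burst. A burst of several wallets hitting the
    same bridge within minutes is the kind of pattern the filing describes
    investigators using to tie wallets to a single operator."""
    groups: List[Set[str]] = []
    for cluster in cluster_by_timing(transfers, window):
        bridge_txs = [t for t in cluster if t.to.startswith("bridge:")]
        wallets = {t.wallet for t in bridge_txs}
        same_bridge = len({t.to for t in bridge_txs}) == 1
        if len(wallets) >= min_size and same_bridge:
            groups.append(wallets)
    return groups


if __name__ == "__main__":
    for group in suspicious_wallet_groups(SAMPLE):
        print("linked by timing + shared bridge:", sorted(group))
```

On the sample data the three wallets that hit the bridge within a little over a minute are grouped together, while the unrelated purchase later that afternoon and the single bridge transfer the next day are not. In practice the window and minimum group size would be tuned against known-benign traffic, since legitimate users also bridge funds at overlapping times.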
From Stake.com to Sinbad and Yonmix
The second filing focuses on Lazarus Group’s laundering of funds from the $41 million hack of Stake.com. The group’s method involved converting stolen funds into Bitcoin via Avalanche’s Bitcoin bridge, followed by the use of the Bitcoin mixers Sinbad and Yonmix, which provide services similar to Tornado Cash on Ethereum. Law enforcement froze some assets early in the process, recovering around $971,000 in Bitcoin bridged to Avalanche (BTC.b) tokens.
Despite government intervention, the hackers managed to move the majority of the funds onto the Bitcoin blockchain. Once there, they used Sinbad and Yonmix to further obfuscate the trail of stolen funds. Although authorities successfully traced the funds through these mixing services, they were only able to recover an additional 0.099 BTC, worth about $6,270 at current prices.
Lazarus Group’s Continued Activity
The Lazarus Group remains a formidable force in cybercrime. Despite the recent seizures, the group continues to orchestrate large-scale hacks, including a $230 million exploit on Indian crypto exchange WazirX. Although law enforcement’s ability to trace and seize illicit crypto assets has improved, the group’s sophisticated laundering techniques make it difficult to recover the full amount of stolen funds.
These filings highlight the growing challenge of combating crypto-based money laundering, as cybercriminals increasingly exploit blockchain technology and mixing services to cover their tracks.