The US is intensifying efforts to confiscate around $2.67 million worth of cryptocurrency stolen in major hacks linked to Lazarus Group, an infamous cybercriminal organization believed to be based in North Korea.
Cryptocurrency mixers like Tornado Cash and Sinbad are used by the criminal group to launder stolen funds. Sadly, there are bad people out there.
According to two forfeiture complaints filed by the U.S. Attorney for the District of Columbia, the $2.67 million in stolen funds is linked to the Deribit hack (around $1.7 million) and the Stake.com exploit ($970,000).
As detailed, the Deribit hack, which happened in November 2022, led to a loss of approximately $28 million. The attackers, identified as the Lazarus Group, accessed Deribit’s hot wallet and swapped the stolen funds to Ethereum.
North Korea is Wild
Hackers later transferred the Ethereum tokens to Tornado Cash, a known cryptocurrency mixer, in an attempt to launder the funds and convert them to USDT. Law enforcement traced some of the stolen funds after identifying the hackers’ transactions and wallets.
Some funds were frozen during the laundering process, recovering about $1.7 million in USDT. As of now, Deribit continues to operate and has stated that it remains in a financially sound position despite the hack.
The second exploit targeting Stake.com, an online cryptocurrency casino, occurred last September. Hackers, using the same hot wallet tactic, stole $41 million and converted the stolen funds to Bitcoin using Avalanche Bridge.
They also tried to launder the BTC through Sinbad and YoMix, mixing services similar to Tornado Cash. US authorities reportedly froze assets during the conversion and after mixing, and recovered around $970,000 worth of Avalanche-bridged Bitcoin.
Tracking Down Hackers
Last month, the FBI issued a warning about North Korean hackers. These actors have aggressively targeted Web3 and DeFi employees to obtain personal information and steal cryptocurrency, using techniques such as social engineering and spear phishing.
The FBI also warned that the growing involvement of traditional financial institutions in the cryptocurrency space, through exchange-traded funds (ETFs), makes them attractive targets for these hackers.
The UN Security Council reported earlier this year that North Korean cybercriminals pilfered about $3 billion by targeting crypto firms to fuel their weapons programs, tracing numerous attacks back to the Lazarus Group.
The Lazarus Group has been named as the criminal organization behind numerous security breaches in the cryptocurrency sector. The group is suspected of being behind the hack of DMM Bitcoin in May this year, which resulted in the theft of over 4,500 Bitcoin, valued at around $305 million at the time of the incident.
On-chain sleuth ZachXBT found similarities between the laundering techniques used by the DMM Bitcoin hackers and those typically employed by Lazarus Group. The group is also said to have been involved in the WazirX exchange exploit, one of the largest hacks targeting major trading platforms this year.
Cryptocurrency mixers, such as Tornado Cash, are commonly used after hacks to obfuscate the origin and ownership of stolen funds. Because they blend the cryptocurrency of many users, they make the source of funds difficult to trace, which helps cybercriminals hide their identities and avoid detection by law enforcement agencies.
US authorities are focusing on how hackers launder stolen crypto, targeting services like Tornado Cash. Law enforcement has improved its ability to track and recover stolen funds, but challenges remain as hackers continue to adapt their tactics in response.
Following sanctions on popular mixing services like Tornado Cash and Sinbad, hackers have diversified their use of mixers to maintain their operational effectiveness. Lazarus was said to have shifted to the YoMix mixer after the sanctions against Sinbad.