The U.S. Justice Department has filed forfeiture actions for $2.67 million worth of cryptocurrency in the form of Tether stablecoins and Avalanche-bridged Bitcoin (BTC.b) the government says was frozen during attempts by North Korean hackers to launder the funds.
The government has recovered about $1.7 million worth of Tether from the Deribit hack in Nov. 2022 and about $970,000 worth of BTC.b from the Stake.com hack in Sept. 2023.
Two recent forfeiture actions filed by the U.S. Attorney for the District of Columbia have uncovered new details about how North Korean crypto hackers launder their funds, as the U.S. government seeks to seize about $2.67 million worth of cryptocurrency stolen in two major hacks.
The forfeiture complaints, first filed on Friday, aim to recover about $1.7 million worth of Tether (USDT) traced through the Tornado Cash mixer from the North Korean-linked Lazarus Group’s $28 million hack of crypto options exchange Deribit in November 2022 and about 15.5 Avalanche-bridged Bitcoin (BTC.b) worth about $971,000 at current prices from the group’s $41 million hack of online crypto casino Stake.com.
The first of the two filings concerns the Lazarus Group’s methods of laundering money from the Deribit hack through crypto mixer Tornado Cash, the service at the heart of an upcoming money laundering trial watched closely by crypto advocates. Law enforcement was able to trace some of the $28 million in funds laundered from the theft, which occurred after North Korean hackers obtained access to Deribit’s hot wallet server, swapped the assets to Ethereum, and sent them through Tornado Cash to eventually wind up as Tether stablecoins on the Tron blockchain, as shown in a diagram from the filing.
Law enforcement officials traced the funds through Tornado by noting similarities between certain Ethereum wallets. The wallets received similarly-timed transfers (within minutes of each other), utilized similar cross-chain bridges, received funding for transaction fees from the same address, and held funds which eventually wound up in the same consolidation addresses.
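The wallet-linkage heuristics described above, as an added example that is not from the filing: a small union-find clustering over a constructed ledger that links post-mixer wallets by similarly-timed payouts, a shared fee-funding address, and a shared consolidation address (the bridge-similarity signal is omitted). The ledger rows, the placeholder address labels and the ten-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ledger (not from the filing; addresses are labelled placeholders):
# (timestamp, sender, receiver, kind); kind = "payout" (mixer/bridge withdrawal),
# "gas" (fee top-up) or "out" (onward transfer to the next hop).
LEDGER = [
    (datetime(2022, 11, 2, 10, 0), "mixer_relay", "w1", "payout"),
    (datetime(2022, 11, 2, 10, 4), "mixer_relay", "w2", "payout"),
    (datetime(2022, 11, 2, 10, 7), "mixer_relay", "w3", "payout"),
    (datetime(2022, 11, 3, 18, 0), "mixer_relay", "w4", "payout"),  # next day
    (datetime(2022, 11, 2, 9, 50), "gas_funder_A", "w1", "gas"),
    (datetime(2022, 11, 2, 9, 51), "gas_funder_A", "w2", "gas"),
    (datetime(2022, 11, 2, 9, 52), "gas_funder_A", "w3", "gas"),
    (datetime(2022, 11, 2, 12, 0), "w2", "consolidation_X", "out"),
    (datetime(2022, 11, 2, 12, 5), "w3", "consolidation_X", "out"),
    (datetime(2022, 11, 3, 19, 0), "w4", "consolidation_Y", "out"),
]
WINDOW = timedelta(minutes=10)  # assumed threshold for "similarly-timed"

def _root(parent, x):
    """Union-find root lookup; an unseen address is its own root."""
    while parent.setdefault(x, x) != x:
        x = parent[x]
    return x

def cluster_wallets(ledger, window=WINDOW):
    """Map each payout wallet to a cluster id; also return the linking evidence."""
    parent, evidence = {}, []
    def link(a, b, reason):
        parent[_root(parent, a)] = _root(parent, b)
        evidence.append((a, b, reason))
    # Heuristic 1: payouts landing within `window` of each other.
    payouts = sorted((t, r) for t, _, r, k in ledger if k == "payout")
    for (t1, a), (t2, b) in zip(payouts, payouts[1:]):
        if t2 - t1 <= window:
            link(a, b, "timing")
    # Heuristics 2 and 3: same fee funder, same downstream consolidation address.
    shared = defaultdict(set)
    for _, s, r, k in ledger:
        if k == "gas":
            shared[("gas_funder", s)].add(r)
        elif k == "out":
            shared[("consolidation", r)].add(s)
    for (reason, _), wallets in shared.items():
        ordered = sorted(wallets)
        for a, b in zip(ordered, ordered[1:]):
            link(a, b, reason)
    return {r: _root(parent, r) for _, _, r, k in ledger if k == "payout"}, evidence
```

With the constructed ledger, w1, w2 and w3 fall into one cluster on all three signals while w4 stays separate; the evidence list records which heuristic produced each link, which is what an analyst needs when writing up the tracing.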
The hackers attempted to convert the Ethereum assets to USDT in three waves, as the first two attempts to launder the funds were halted when law enforcement froze some of the funds in question. The third attempt saw the hackers successfully launder the remainder of the funds, leaving law enforcement with about $1.7 million in USDT frozen from five relevant wallets.
The second filing concerns the Lazarus Group’s $41 million hack of online casino Stake.com and its attempt to launder the funds in three stages: the conversion of the funds into BTC through Avalanche’s Bitcoin bridge, moving the stolen BTC through Bitcoin mixers Sinbad and Yonmix, and finally converting the Bitcoin into stablecoins such as USDT. The relevant funds were frozen during the first and third stages, likely through asset freeze requests to Avalanche Bridge.
During stage one, law enforcement froze assets from seven transactions that generally involved converting stolen assets into native tokens such as Polygon’s MATIC tokens and Binance Smart Chain’s BNB tokens and then bridging that value to Bitcoin through the Avalanche Bridge. However, despite the government’s intervention, “the North Koreans were able to transfer the majority of the stolen funds to the BTC blockchain,” the filing states.
Once on Bitcoin, the hackers used mixers Sinbad and Yonmix, which provide a service similar to that of Tornado Cash on Ethereum, to further obfuscate the movement of the stolen funds. “Law enforcement traced the flow of the stolen funds through both mixing services to the next stage of the North Korean hackers’ laundering process,” the filing states, though, despite identifying the consolidation wallet, officials were only able to recover an additional 0.099 BTC, worth about $6,270 at current prices.
Although law enforcement has improved its ability to trace and seize illicit cryptocurrency, the Lazarus Group remains active, with the group recently blamed for Indian crypto exchange WazirX’s $230 million exploit among other attacks.