The U.S. government has initiated forfeiture actions to reclaim about $2.67 million in cryptocurrency associated with North Korean hackers from the Lazarus Group. These actions unveil the group's tactics for laundering stolen funds through crypto mixers such as Tornado Cash.
Recently filed complaints by the U.S. Attorney for the District of Columbia target two significant hacks. The first hack involved $28 million stolen from the crypto options exchange Deribit in November 2022, where approximately $1.7 million in Tether (USDT) was traced through Tornado Cash. The second hack involved $41 million taken from the online casino Stake.com, leading to the recovery of about $971,000 worth of Avalanche-bridged Bitcoin (BTC.b).
Law enforcement tracked the funds from the Deribit hack by analyzing patterns in Ethereum wallet transactions. The hackers converted the stolen assets into Ethereum, laundered them through Tornado Cash, and ultimately converted them into Tether stablecoins on the Tron blockchain.
The Stake.com hack involved multiple stages of laundering, beginning with converting stolen funds into BTC through Avalanche's Bitcoin bridge. The stolen BTC was then mixed using services like Sinbad and Yonmix before finally being converted into stablecoins.
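The two laundering chains above (theft address, intermediary wallets, mixer, cross-chain bridge, stablecoin cash-out) are the kind of path an analyst reconstructs by walking a transfer graph and tagging known service addresses. The following Python is an added illustration written for this article, not code from the article or from any investigator or tool it mentions. All addresses, transaction ids and amounts are constructed placeholders, and the edge that links a mixer deposit to a later withdrawal is an assumption standing in for the timing and amount heuristics real tracing relies on, since a mixer deliberately breaks that on-chain link.

```python
from collections import deque

# Constructed sample ledger: (tx_id, chain, sender, receiver, asset, amount).
# Every address below is a fictional placeholder, not a real on-chain address.
TRANSFERS = [
    ("tx1", "ethereum", "0xTHEFT",     "0xHOP1",     "ETH",  100.0),
    ("tx2", "ethereum", "0xHOP1",      "0xMIXER",    "ETH",  100.0),
    # Assumption: a mixer withdrawal attributed to the deposit above by amount/timing
    ("tx3", "ethereum", "0xMIXER",     "0xHOP2",     "ETH",   99.0),
    ("tx4", "ethereum", "0xHOP2",      "0xBRIDGE",   "ETH",   99.0),
    ("tx5", "tron",     "TBRIDGEOUT",  "TCASHOUT",   "USDT", 150000.0),
    ("tx6", "ethereum", "0xUNRELATED", "0xHOP9",     "ETH",    5.0),  # noise, not connected
]

# Address labels an analyst would hold (constructed for this example)
LABELS = {
    "0xMIXER": "mixer",
    "0xBRIDGE": "bridge",
    "TBRIDGEOUT": "bridge",
    "TCASHOUT": "exchange_deposit",
}

# Assumed off-chain knowledge: which bridge deposit corresponds to which
# withdrawal address on the destination chain.
BRIDGE_LINKS = {"0xBRIDGE": "TBRIDGEOUT"}


def build_graph(transfers):
    """Adjacency list of outgoing transfers plus synthetic cross-chain edges."""
    graph = {}
    for tx_id, chain, sender, receiver, asset, amount in transfers:
        graph.setdefault(sender, []).append((receiver, tx_id, chain, asset, amount))
    for src, dst in BRIDGE_LINKS.items():
        graph.setdefault(src, []).append((dst, "bridge-link", "cross-chain", None, None))
    return graph


def trace_funds(start, transfers=TRANSFERS, labels=LABELS, max_hops=10):
    """Breadth-first walk from a theft address; one record per reachable address."""
    graph = build_graph(transfers)
    seen = {start}
    queue = deque([(start, 0, [start])])
    records = []
    while queue:
        addr, hops, path = queue.popleft()
        records.append({
            "address": addr,
            "hops": hops,
            "label": labels.get(addr, "unknown"),
            "path": path,
        })
        if hops >= max_hops:
            continue
        for nxt, *_ in graph.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1, path + [nxt]))
    return records


def summarize(records):
    """Which labelled services the funds touched and where they were cashed out."""
    services = sorted({r["label"] for r in records if r["label"] != "unknown"})
    cashout = [r["address"] for r in records if r["label"] == "exchange_deposit"]
    return {
        "services": services,
        "cashout": cashout,
        "max_hops": max(r["hops"] for r in records),
    }


if __name__ == "__main__":
    trace = trace_funds("0xTHEFT")
    for r in trace:
        print(f"hop {r['hops']}: {r['address']:<12} [{r['label']}]")
    print(summarize(trace))
```

Running the block prints the six-hop path from the theft address to the Tron cash-out and a summary showing that a mixer, a bridge and an exchange deposit were all touched; the unrelated transfer is never reached. The structure mirrors the narrative in the article: the walk is only as good as the address labels and the mixer/bridge linkage assumptions fed into it.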
Despite law enforcement's efforts to trace and seize illicit cryptocurrency, the Lazarus Group remains a significant threat, recently linked to the $230 million exploit of Indian crypto exchange WazirX, among other attacks.