After sanctions were imposed on Tornado Cash and Sinbad was shut down following similar actions against the platform, Chainalysis revealed that YoMix, a Bitcoin mixer, has stepped in as an alternative for the North Korean Lazarus Group
Recent discoveries by the blockchain analysis firm show that a wallet linked to North Korean hacking operations received funds from YoMix, whereas it used to receive funds from Sinbad.
YoMix Emerges as Alternative Mixer Amidst Increased Crypto Laundering Activities
On Thursday, the leading blockchain analytics firm, Chainalysis, revealed in a report published that North Korean hackers associated with the notorious Lazarus Group have shifted to employing novel money laundering techniques and are increasingly utilizing cross-chain bridges to obfuscate the origins of illicitly obtained cryptocurrency funds.
The Lazarus Group, infamous for its involvement in numerous hacks targeting crypto companies and protocols such as Harmony, Coincheck, and Atomic Wallet, among others, has historically relied on services like the Tornado Cash mixing protocol and the Sinbad mixer. However, according to Chainalysis, the group has now transitioned to a new mixing service called YoMix.
Chainalysis noted a significant surge in funds flowing into YoMix throughout 2023, with inflows increasing fivefold. Alarmingly, approximately one-third of these funds originated from wallets associated with crypto hacks, indicating a significant reliance on the mixer by illicit actors seeking to obfuscate the origins of their funds.
The surge in YoMix usage highlights the adaptability of sophisticated threat actors in the face of evolving security measures and the closure of previously popular money laundering avenues. This surge in YoMix usage, coupled with its adoption by sophisticated cybercriminal groups, highlights the ability of such actors to adapt and find alternative laundering services amidst regulatory crackdowns.
Furthermore, Chainalysis observed a shift towards less centralized money laundering practices at the deposit address level, even as laundering activities became slightly more concentrated at the service level. This trend suggests that crypto criminals may be diversifying their laundering activities across multiple nested services or deposit addresses to evade detection by law enforcement and exchange compliance teams.
Crypto Money Laundering Tactics Exposed
In addition to adopting new mixing protocols, Lazarus Group hackers have also embraced the use of cross-chain bridges, which allow for the seamless transfer of cryptocurrency across different blockchain networks. Chainalysis reported that bridging protocols have become increasingly popular among cybercriminals, with $743.8 million worth of crypto from crime-related addresses being transferred through bridges in 2023, double the amount from the previous year.
North Korea-affiliated hackers have been particularly active in utilizing bridges for money laundering purposes, according to Chainalysis. Despite the decrease in total funds laundered through various platforms and services in 2023 compared to the previous year ($22.2 billion versus $31.5 billion), the use of cross-chain bridges and other obfuscation techniques remains prevalent among cybercriminals.
In general, Chainalysis observed a decline in the popularity of mixing services among cybercriminals, with such services receiving $504.3 million worth of crypto in 2023, down from $1 billion in 2022.
Chainalysis noted,
“Much of this is likely due to law enforcement and regulatory efforts, such as the sanctioning and shutdown of mixer Sinbad in November 2023.”
Instead, centralized exchanges continue to be the primary destination for illicit funds, with 71.7% of all illicit funds flowing to just five centralized platforms in 2023.
While the concentration of illicit funds remains significant, with 109 exchange deposit addresses receiving over $10 million each and a total of $3.4 billion laundered in 2023, Chainalysis noted that crypto criminals are diversifying their money laundering activities across multiple addresses and services to evade detection and mitigate the risk of asset freezing.
The report also noted differences in the level of concentration among different types of cybercrime. For example, vendors of ransomware and child sexual exploitation materials tend to concentrate their funds in a small number of deposit addresses, while online scammers and darknet vendors spread their illicit funds across various addresses to evade detection.
However, in November 2023, the U.S. Treasury sanctioned the crypto mixer Sinbad for alleged ties to North Korea’s hacking group, leading to the seizure of its website by the FBI, Dutch and Finnish authorities.