Comment
Author: Admin | 2025-04-27
Bridges and mixersA big share of crypto money laundering activity is relatively unsophisticated, and consists of bad actors simply sending funds directly to exchanges. We can see this on the Chainalysis Reactor graph below, which shows the now-defunct phone number spoofing service iSpoof — which facilitated over £100 million in scamming activity before being shut down by law enforcement — sending millions in Bitcoin directly to a group of deposit addresses at a centralized exchange.However, crypto criminals with more sophisticated on-chain laundering skill sets —such as the notorious North Korean cybercriminals associated with hacking gangs like Lazarus Group — tend to utilize a greater variety of crypto services and protocols. Below, we’ll look at two important ways sophisticated bad actors adjusted their money laundering strategy, illustrated through examples from Lazarus Group:Use of a new mixer following Sinbad’s takedown and OFAC designationChain hopping via cross-chain bridgesLet’s look at both below.New mixer: YoMix takes over for SinbadOverall, 2023 saw a decline in funds sent to mixers from illicit addresses, from $1.0 billion in 2022 to $504.3 million in 2023. Much of this is likely due to law enforcement and regulatory efforts, such as the sanctioning and shutdown of mixer Sinbad in November 2023. But sophisticated cybercriminal groups like Lazarus Group have adapted their mixer usage. As we covered in last year’s Crypto Crime Report, Sinbad became a preferred mixer for North Korea-affiliated hackers in 2022, soon after the sanctioning of Tornado Cash, which had previously been the go-to for these sophisticated cybercriminals. With Sinbad out of the picture, Bitcoin-based mixer YoMix has acted as a replacement. We can see an example of this on the Reactor graph below, which shows a wallet associated with North Korean hacking activity receiving funds from YoMix, whereas it had previously received funds from Sinbad.Overall, YoMix saw huge growth in 2023, with inflows growing by more than 5x over the course of the year.Based on Chainalysis data, roughly one third of all YoMix inflows have come from wallets associated with crypto hacks. The growth of YoMix and its embrace by Lazarus Group is a prime example of sophisticated actors’ ability to adapt and find replacement obfuscation services when previously popular ones are shut down.Use of cross-chain bridges Cross-chain bridges allow users to move funds from one blockchain to another. Generally, anyone can access these smart contracts, although in theory a bridge could implement a blacklist. All of
Add Comment