Two recent forfeiture cases filed by the U.S. Attorney for the District of Columbia reveal new insights into how North Korean cryptocurrency hackers launder stolen funds.
Specifically, the U.S. government is moving to seize approximately $2.67 million in virtual currency associated with the Lazarus Group. These funds were stolen in two major hacks targeting Deribit and Stake.com.
The first forfeiture claim covers about $1.7 million worth of Tether (USDT) traced to the November 2022 breach of the crypto options exchange Deribit, in which Lazarus Group stole roughly $28 million.
North Korean hackers gained access to Deribit’s hot wallet, swapped the stolen assets for ether (ETH), routed the ETH through the crypto mixer Tornado Cash, and finally converted the proceeds into the USDT stablecoin on the Tron blockchain. Investigators linked the post-mixer funds back to the theft by correlating wallet patterns and transaction timing, and were able to freeze part of the stolen assets, which had been spread across multiple wallets.
The second filing stems from the $41 million hack of the crypto casino Stake.com and targets roughly 15.5 Avalanche Bridged Bitcoin (BTC.b), worth about $971,000, that was laundered from the proceeds. Lazarus Group moved the funds through the Avalanche bitcoin bridge and through mixers such as Sinbad and Yonmix to obscure their origin, but law enforcement was still able to freeze part of the assets.
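Both cases above describe the same tracing problem: stolen funds go into a mixer, and investigators have to decide which withdrawals on the other side belong to the thief. The standard heuristic is to correlate mixer deposits with withdrawals of a matching amount inside a short time window. The following is an added example of that heuristic, not code from the article or from any law-enforcement tool. The ledger, the addresses (`0xhot`, `0xmixer`, and so on), the amounts, the timestamps, and the window and tolerance values are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tx:
    """One on-chain transfer (constructed schema, not any explorer's format)."""
    chain: str
    sender: str
    receiver: str
    amount: float
    time: datetime


# Constructed sample ledger. None of these addresses, amounts or times
# come from the forfeiture filings; they only exercise the heuristic.
MIXER = "0xmixer"
LEDGER = [
    # drain of the exchange hot wallet to an attacker address
    Tx("eth", "0xhot", "0xattacker1", 100.0, datetime(2022, 11, 1, 10, 0)),
    # attacker deposits the full amount into the mixer
    Tx("eth", "0xattacker1", MIXER, 100.0, datetime(2022, 11, 1, 10, 30)),
    # an unrelated user deposits a different amount around the same time
    Tx("eth", "0xunrelated", MIXER, 10.0, datetime(2022, 11, 1, 10, 40)),
    # withdrawal matching the attacker's deposit (minus relayer fee), 45 min later
    Tx("eth", MIXER, "0xcashout1", 99.5, datetime(2022, 11, 1, 11, 15)),
    # withdrawal matching the unrelated user's deposit
    Tx("eth", MIXER, "0xsomeone", 9.9, datetime(2022, 11, 1, 11, 20)),
    # same amount as the attacker's deposit but four days later: outside the window
    Tx("eth", MIXER, "0xcashout2", 100.0, datetime(2022, 11, 5, 9, 0)),
    # the matched cash-out address moves on to a bridge
    Tx("eth", "0xcashout1", "0xbridge", 99.0, datetime(2022, 11, 1, 12, 0)),
]


def mixer_candidates(ledger, deposit, window, tolerance):
    """Withdrawals from the mixer that plausibly correspond to `deposit`:
    same chain, sent by the mixer, within `window` after the deposit, and
    with an amount within `tolerance` (a fraction) of the deposited amount.
    Mixers usually pay out the deposited denomination minus a fee, so a
    small relative tolerance is enough."""
    matches = []
    for tx in ledger:
        if tx.chain != deposit.chain or tx.sender != deposit.receiver:
            continue
        if not (deposit.time < tx.time <= deposit.time + window):
            continue
        if abs(tx.amount - deposit.amount) <= tolerance * deposit.amount:
            matches.append(tx)
    return matches


def trace(ledger, seed, mixers, window=timedelta(hours=6), tolerance=0.02):
    """Follow funds forward from `seed`. Direct transfers taint the receiver;
    a transfer into a mixer taints the receivers of any withdrawals that
    mixer_candidates() links to it. Returns the set of tainted addresses.
    The 6 h window and 2 % tolerance are assumed tuning values."""
    tainted = {seed}
    frontier = [seed]
    while frontier:
        addr = frontier.pop()
        for tx in ledger:
            if tx.sender != addr:
                continue
            if tx.receiver in mixers:
                nexts = [w.receiver for w in mixer_candidates(ledger, tx, window, tolerance)]
            else:
                nexts = [tx.receiver]
            for nxt in nexts:
                if nxt not in tainted and nxt not in mixers:
                    tainted.add(nxt)
                    frontier.append(nxt)
    return tainted


if __name__ == "__main__":
    for address in sorted(trace(LEDGER, "0xhot", {MIXER})):
        print(address)
```

Run against the constructed ledger, the trace follows the hot-wallet drain into the mixer, picks `0xcashout1` as the only withdrawal that matches the deposit in both amount and timing, and continues to `0xbridge`; the unrelated deposit and the same-sized withdrawal four days later are left alone. The heuristic is only as good as its window and tolerance: a thief who waits days or splits withdrawals across denominations will evade it, and a legitimate user who happens to withdraw a matching amount in the window will be flagged, which is why investigators treat such matches as leads to corroborate with other signals (shared counterparties, reused wallets, bridge destinations) rather than as proof on their own.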
Despite increased law enforcement pressure, Lazarus Group remains active and has recently been implicated in other high-profile hacks, including the roughly $230 million WazirX exploit.
WazirX suffered a security breach in July 2024 in which over $100 million in Shiba Inu tokens and over $52 million in ether, along with other assets, were siphoned from a multi-signature wallet. The stolen funds accounted for over 45% of the total reserves WazirX had reported in June 2024. Following the breach, the exchange filed for reorganization to address its debts.
WazirX’s legal advisor said it is unlikely that customers will recover the full amount of their crypto assets, putting the chance of a refund at between 55% and 57%.