Crypto money laundering aims to obscure the criminal origins of funds so that criminals can access and spend them. That tends to mean moving crypto funds to services that convert them into cash, along with additional measures to hide the source.
Crypto money laundering is down by $9B in one year
$31.5 billion was sent from illegal addresses in 2022, but a year later, that number was down to $22.2 billion, according to Chainalysis’s report on crypto money laundering, published on their blog. Part of this decline results from an overall drop in crypto transaction volume, both legal and illegal.
Changes in the methods of crypto money laundering
Looking at how specific types of entities carried out crypto money laundering, some areas changed substantially. This included a significant increase in the volume of funds sent to cross-chain bridges.
Gambling platforms and cross-chain bridges also received a lot more funds from ransomware than in the previous year. Last year, 109 cryptocurrency addresses at exchanges received a collective $3.4 billion in illegal crypto. This is up from 2022, when 40 addresses received just under $2.0 billion.
Difference by criminal type
There were differences by criminal type in terms of crypto money laundering concentration. For example, the concentration was very high among child sexual abuse material (CSAM) distributors and ransomware operators. Seven deposit addresses accounted for over half of all the value exchanges received from CSAM distributors. Nine addresses comprised over half of the funds from ransomware. Crypto money laundering concentration was much lower for darknet markets and scams.
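The concentration figures above can be reproduced from a deposit ledger. The following is an added example, not code from Chainalysis or the report: it computes, per criminal category, the smallest number of deposit addresses that together received over half of the value. The sample rows, address labels and amounts are constructed.

```python
from collections import defaultdict

# Constructed sample rows: (category, exchange deposit address, USD received).
# Labels and amounts are made up for illustration; they are not report data.
SAMPLE_DEPOSITS = [
    ("ransomware", "dep-A", 900_000),
    ("ransomware", "dep-B", 50_000),
    ("ransomware", "dep-C", 30_000),
    ("ransomware", "dep-A", 100_000),  # repeat deposits to one address are summed
    ("ransomware", "dep-D", 20_000),
] + [("scam", f"dep-S{i}", 100_000) for i in range(6)]


def addresses_for_majority(deposits, threshold=0.5):
    """Return {category: (k, n)} where k is the smallest number of deposit
    addresses whose combined inflow exceeds `threshold` of the category
    total, and n is the number of distinct addresses in that category."""
    per_category = defaultdict(lambda: defaultdict(int))
    for category, address, usd in deposits:
        per_category[category][address] += usd

    result = {}
    for category, by_address in per_category.items():
        total = sum(by_address.values())
        running, k = 0, 0
        # Take the largest recipients first until the threshold is crossed.
        for value in sorted(by_address.values(), reverse=True):
            running += value
            k += 1
            if running > threshold * total:
                break
        result[category] = (k, len(by_address))
    return result


if __name__ == "__main__":
    for category, (k, n) in addresses_for_majority(SAMPLE_DEPOSITS).items():
        print(f"{category}: {k} of {n} addresses received over half the value")
```

A low k relative to n marks a category whose laundering runs through a few deposit addresses, as with ransomware in the sample; a k close to n marks a dispersed one.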
How did malicious actors adjust their strategies?
Criminals perpetrating crypto money laundering who have more sophisticated blockchain skills, like the notorious North Korean cybercriminal gang Lazarus Group, tend to use a wider variety of crypto protocols and services. These malicious entities adjusted their crypto money laundering strategies in two main ways.
The first was by using a new crypto mixer after US authorities sanctioned Sinbad in November 2023. Allegedly, the mixer had processed crypto worth millions on behalf of the North Korean hackers, including proceeds from major heists such as Horizon Bridge and Axie Infinity.
The second was using cross-chain bridges to “chain-hop.”
Out with Sinbad, in with YoMix
Funds sent from illegal addresses to perpetrate crypto money laundering declined overall from 2022, when the amount was $1.0 billion, to $504.3 million a year later. Regulatory and law enforcement efforts accounted for this trend. However, Lazarus Group and other sophisticated cybercriminals adapted their mixer usage.
In 2022, Sinbad was the mixer of choice for North Korea-affiliated hackers. Previously, this had been Tornado Cash, which was also sanctioned by authorities. Subsequently, its creators were charged with crypto money laundering. YoMix, a crypto mixer running on the Bitcoin blockchain, took Sinbad’s place. It saw huge growth last year overall. Its inflow increased more than fivefold for the year. Around a third of this came from addresses linked to crypto hacks and crypto money laundering.
Lazarus Group’s war on the crypto space
Lazarus Group is believed to be behind the Ronin bridge exploit, in which $625 million was stolen from Axie Infinity. The monumental hack took place in March 2022 and was the biggest one in the history of cryptocurrency. Insiders reported that Lazarus Group waged a multibillion-dollar war on entities in the crypto space, with the proceeds being used to fund North Korea’s arms program.
Lazarus Group, a key player on the crypto money laundering scene, was also implicated in the attack on crypto lender Euler Finance, which was hacked for $200 million in crypto. Lazarus sent the Euler exploiter an on-chain note asking that they decrypt an encrypted message. According to Euler developers, the note was a phishing scam trying to steal the credentials for the Euler hacker’s wallet.
What was then Twitter was abuzz with news of the unusual exchange between the crypto hackers, raising the alarm at Euler Finance, which had been trying to recover the hundreds of millions.
Lazarus was also involved in the breach of crypto payment gateway CoinsPaid early this year, in which the platform lost almost $7.5 million after a series of unauthorized transactions.
Weaknesses of cross-chain bridges
Cross-chain bridges let entities move funds between blockchains, including, and perhaps especially, to perpetrate crypto money laundering. Anyone can generally access these smart contracts, although a bridge could theoretically implement a blacklist. All the activity takes place on the blockchain, making it possible for analysts to trace the funds because no centralized platform takes custody of them.
In 2023, illicit entities’ use of cross-chain bridge protocols for purposes of crypto money laundering grew substantially. Bridges received more than double the crypto from illegal addresses that they had received in 2022 – $743.8 million compared to just $312.2 million. Bridges were mostly used by North Korea-affiliated hackers for crypto money laundering.
In May 2023, funds associated with the 2022 hack of L1 blockchain Harmony were moved to a popular bridge protocol. The cybercriminals moved them from the Bitcoin blockchain to the Avalanche blockchain, then exchanged them for a stablecoin, and then moved them from the Avalanche blockchain to TRON.
At the time, Harmony Protocol was offering a bounty of $1 million for information about the incident on its Horizon bridge, where around $100 million in USD Coin, Wrapped Ethereum (WETH), SUSHI, AAVE, DAI, and Tether (USDT) was stolen.
Sophisticated criminals are notoriously adaptive. Solutions?
The changes in crypto money laundering strategies on the part of Lazarus Group and other sophisticated criminals remind all stakeholders of how adaptive these actors are. Compliance and law enforcement teams should study these new crypto money laundering methods to become familiar with the respective blockchain patterns.
The Office of Foreign Assets Control (OFAC) has issued a list of sanctioned crypto wallet addresses, which allows crypto platforms to block transactions involving them. Bridges also need to implement stricter protective measures to prevent crypto money laundering.
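A sketch of the address screening a platform or bridge could run before accepting a transfer, as an added example that is not taken from OFAC or any bridge's code. The list entries are constructed placeholder strings, and the function names are hypothetical. It shows one failure mode of naive string matching: EVM and bech32 addresses are case-insensitive, while base58 addresses are not.

```python
# Constructed placeholder entries (not real or valid addresses, not OFAC data).
SANCTIONED_SAMPLE = [
    "0x" + "Ab" * 20,        # EVM-style, mixed case as a checksum would produce
    "BC1QSAMPLENOTREAL",     # bech32-style, written in upper case
    "1SampleBase58NotReal",  # base58-style, case-sensitive
]


def normalize(address):
    """Canonical form for comparison, chosen per address encoding."""
    raw = address.strip()
    low = raw.lower()
    # EVM hex: letter case only carries the EIP-55 checksum, so fold it.
    if low.startswith("0x") and len(low) == 42:
        return low
    # Bech32 (Bitcoin "bc1...") is valid in all-lower or all-upper case.
    if low.startswith("bc1"):
        return low
    # Base58 (legacy Bitcoin, TRON): case is significant, keep as written.
    return raw


def build_blocklist(entries):
    return {normalize(entry) for entry in entries}


def screen_transfer(sender, recipient, blocklist):
    """Return ("block", [matching roles]) or ("allow", []).
    Both sides are checked: funds going to a listed address matter as
    much as funds coming from one."""
    hits = [role
            for role, addr in (("sender", sender), ("recipient", recipient))
            if normalize(addr) in blocklist]
    return ("block" if hits else "allow", hits)


if __name__ == "__main__":
    blocklist = build_blocklist(SANCTIONED_SAMPLE)
    clean = "0x" + "11" * 20
    print(screen_transfer("0x" + "ab" * 20, clean, blocklist))
    print(screen_transfer(clean, "bc1qsamplenotreal", blocklist))
    print(screen_transfer("1samplebase58notreal", clean, blocklist))
```

Exact-match screening only catches the listed address itself, so it complements the tracing of upstream funds described earlier rather than replacing it.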