North Korean Hackers Partner with YoMix to Launder Stolen Crypto

The notorious North Korean hacker group Lazarus, known for carrying out numerous large-scale cryptocurrency heists, has shifted to using the bitcoin mixer YoMix to launder stolen proceeds, according to a report from blockchain analysis company Chainalysis.

The shift follows the sanctioning of several mixing services the group previously relied on. Chainalysis observed a sharp rise in funds flowing into YoMix throughout 2023 and attributes it to Lazarus activity rather than to a broader increase in the mixer's popularity.

Lazarus is involved in various illicit activities, including funding North Korea’s weapons development program. Some of the group’s biggest cryptocurrency theft operations in recent years include the Ronin Network (Axie Infinity) hack in March 2022, resulting in $625 million in stolen funds, the Harmony Horizon hack in June 2022 with $100 million in losses, and the Alphapo heist in July 2023, which netted the hackers $60 million worth of crypto.

Reported data shows that between January 2017 and December 2023, North Korean hacking groups, including Lazarus, Kimsuky, and Andariel, stole an estimated $3 billion in cryptocurrency. The stolen funds have been funneled through coin mixing services that do not comply with anti-money-laundering (AML) regulations and accept deposits from flagged wallets.

These mixers then route the assets through a network of intermediary wallets, making it difficult to trace the funds back to the original thefts. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has previously identified and sanctioned several platforms used by Lazarus for money laundering, including Blender, Tornado Cash, and Sinbad. Now, Chainalysis identifies YoMix as the latest service used by the North Korean threat actor.

Chainalysis also notes that YoMix's inflows grew substantially in 2023, with roughly one-third of all funds entering the mixer coming from wallets associated with crypto hacks.

The report also notes that money laundering is increasingly concentrated at a small number of fiat off-ramping services, with the majority of illicit funds flowing to just five of them. At the level of individual deposit addresses, however, laundering became less concentrated, suggesting that criminals are spreading funds across more addresses to avoid detection and asset freezes by law enforcement and exchange compliance teams.

Other key findings include a decline in the total value sent from flagged addresses to services, 109 exchange deposit addresses that each received more than $10 million worth of illicit cryptocurrency, and significant growth in the use of cross-chain bridges.
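The three measurements the report leans on (the share of a service's inflows that originate from flagged wallets, how concentrated illicit volume is at the service level versus the deposit-address level, and which deposit addresses individually exceed a dollar threshold) can be computed from a plain list of transfers. The following is an added example written for this page, not Chainalysis's code or methodology; the transfer records, wallet names and service names are constructed, and the flagged set stands in for whatever attribution data a compliance team actually has.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Transfer:
    """One on-chain transfer into a service (exchange, mixer, bridge).

    src:          sending wallet
    service:      receiving service, as labelled by the analyst
    deposit_addr: service-controlled deposit address that received the funds
    usd:          value at time of transfer, in USD
    """
    src: str
    service: str
    deposit_addr: str
    usd: float


# Constructed data. "hack_wallet_*" are wallets an analyst has linked to a theft;
# amounts are chosen so that the mixer's flagged share works out to one third.
FLAGGED = {"hack_wallet_1", "hack_wallet_2"}

SAMPLE = [
    Transfer("hack_wallet_1", "mixer_Y", "y-1", 30_000_000),
    Transfer("hack_wallet_2", "mixer_Y", "y-2", 10_000_000),
    Transfer("clean_1", "mixer_Y", "y-3", 80_000_000),
    Transfer("hack_wallet_1", "exchange_A", "a-1", 12_000_000),
    Transfer("hack_wallet_2", "exchange_A", "a-2", 6_000_000),
    Transfer("clean_2", "exchange_A", "a-1", 200_000_000),
    Transfer("hack_wallet_2", "exchange_B", "b-1", 2_000_000),
    Transfer("clean_3", "exchange_B", "b-1", 50_000_000),
]


def illicit_share_by_service(transfers: Iterable[Transfer], flagged: set) -> dict:
    """Fraction of each service's USD inflow that came directly from flagged wallets."""
    total = defaultdict(float)
    bad = defaultdict(float)
    for t in transfers:
        total[t.service] += t.usd
        if t.src in flagged:
            bad[t.service] += t.usd
    return {s: bad[s] / total[s] for s in total}


def top_n_concentration(transfers: Iterable[Transfer], flagged: set,
                        bucket: Callable[[Transfer], str], n: int) -> float:
    """Share of all flagged-origin USD that lands in the n largest buckets.

    Passing bucket=lambda t: t.service measures concentration at the off-ramp
    level; bucket=lambda t: t.deposit_addr measures it per deposit address.
    A lower value at the address level while the service level stays high is
    the "spread across more addresses" pattern the report describes.
    """
    vol = defaultdict(float)
    for t in transfers:
        if t.src in flagged:
            vol[bucket(t)] += t.usd
    if not vol:
        return 0.0
    ranked = sorted(vol.values(), reverse=True)
    return sum(ranked[:n]) / sum(ranked)


def deposit_addresses_over(transfers: Iterable[Transfer], flagged: set,
                           threshold_usd: float) -> list:
    """Deposit addresses whose cumulative flagged-origin inflow exceeds the threshold."""
    vol = defaultdict(float)
    for t in transfers:
        if t.src in flagged:
            vol[t.deposit_addr] += t.usd
    return sorted(addr for addr, v in vol.items() if v > threshold_usd)


if __name__ == "__main__":
    for service, share in illicit_share_by_service(SAMPLE, FLAGGED).items():
        print(f"{service}: {share:.1%} of inflow from flagged wallets")
    by_service = top_n_concentration(SAMPLE, FLAGGED, lambda t: t.service, 2)
    by_address = top_n_concentration(SAMPLE, FLAGGED, lambda t: t.deposit_addr, 2)
    print(f"top-2 concentration: services {by_service:.1%}, deposit addresses {by_address:.1%}")
    print("deposit addresses over $10M:", deposit_addresses_over(SAMPLE, FLAGGED, 10_000_000))
```

The analysis only counts direct transfers from flagged wallets; in practice the flagged set is expanded through intermediary hops before these metrics are run, which is exactly the step mixers are designed to defeat. Note also that an address at precisely the threshold is not reported, since the comparison is strict.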

BleepingComputer has reached out to YoMix for comment but has not received a response at this time.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
