Key Takeaways
- North Korean hackers are shifting from crypto mixers to DeFi platforms for laundering funds.
- Experts say they rely on high-volume transactions to evade detection.
- The move highlights a decline in dependence on traditional crypto mixers.
For years, cybercriminals relied on crypto mixers to cover the origins of stolen funds.
These privacy-enhancing tools allowed them to break the link between sender and receiver, making it easier to cash out illicit gains.
However, as regulatory scrutiny of mixers intensifies, hackers are turning to an alternative: decentralized finance (DeFi).
The recent $1.5 billion Bybit hack, attributed to North Korea’s Lazarus Group, has exposed how hackers are adapting their tactics.
Not only have they refined their methods for stealing funds, but they have also drastically altered their laundering strategies.
DeFi Bridges and DEXs Replace Crypto Mixers
Historically, the Lazarus Group used popular crypto mixers like Tornado Cash to launder funds. However, as governments crack down on these services, moving large sums through them has become increasingly difficult.
A recent report from blockchain intelligence firm TRM suggests that the sheer scale of Lazarus’ stolen funds—over $1.5 billion—has rendered mixers ineffective.
Instead, the group is using a web of DeFi protocols, including decentralized exchanges (DEXs) and cross-chain bridges, to obfuscate transactions.
One of the key platforms involved is ThorChain, a decentralized cross-chain exchange.
The Bybit hackers have already bridged at least $6.2 million of stolen Ethereum (ETH) to Bitcoin (BTC) through ThorChain. They are also swapping ETH for DAI using OKX’s Web3 Swap.
The influx of illicit funds has driven ThorChain’s trading volume to an all-time high, surpassing $1 billion in daily transactions.
Meanwhile, another non-KYC DEX, eXch, has processed nearly $30 million in trading volume since the stolen funds began moving on Feb. 23.
Bybit suspects eXch has facilitated the laundering of over $90 million but says the platform has refused to block transactions tied to the hack.
Tracking Stolen Funds Becomes More Difficult
As hackers become more sophisticated, tracking stolen crypto has become a game of cat and mouse. The Lazarus Group is using thousands of intermediary addresses, layering transactions across multiple blockchains to break transaction trails.
According to Nick Carlsen, a former FBI analyst and TRM’s North Korea expert, the Bybit exploit is a clear example of North Korea doubling down on its “flood the zone” strategy.
By moving funds in rapid succession across different platforms, hackers aim to overwhelm blockchain analytics firms, compliance teams, and law enforcement. This high-volume, high-frequency tactic makes it significantly harder to trace the flow of stolen crypto.
While some stolen assets remain in transit, a sizable portion appears to be sitting idle—likely awaiting liquidation through over-the-counter (OTC) networks.
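The layering described above (funds split across many intermediary addresses and several hops before reaching a DEX or bridge, with some portion left idle) is exactly what blockchain analytics teams model when they trace a hack. The following is an added illustration, not code from the article or from TRM or Bybit: a small proportional ("haircut") taint tracer over a constructed set of transfers. All addresses, transaction ids and amounts are made up; the hop count and the split between funds that reached a cash-out venue and funds sitting idle are the two signals a compliance team would report.

```python
from collections import defaultdict

# Constructed sample transfers, NOT real chain data: (tx_id, sender, receiver, amount).
# Order is assumed to be chronological, which the tracer relies on.
TRANSFERS = [
    ("t1", "hack_wallet", "hop_a", 100.0),
    ("t2", "hack_wallet", "hop_b", 50.0),
    ("t3", "hop_a", "hop_c", 60.0),
    ("t4", "hop_a", "hop_d", 40.0),
    ("t5", "clean_user", "hop_c", 60.0),   # legitimate funds mixed in at hop_c
    ("t6", "hop_c", "dex_swap", 120.0),    # hypothetical DEX deposit address
    ("t7", "hop_b", "bridge_out", 50.0),   # hypothetical cross-chain bridge deposit
    ("t8", "hop_d", "hop_d_cold", 40.0),   # parked, never moved again
]
SEED = {"hack_wallet"}                      # addresses known to hold stolen funds
CASH_OUT = {"dex_swap", "bridge_out"}       # venues where tracing typically stops


def trace_taint(transfers, seeds):
    """Proportional (haircut) taint tracing.

    Every outgoing transfer carries the same tainted fraction as the sender's
    balance at that moment. Funds arriving from a sender with no tracked
    balance are treated as untainted (origin unknown). Returns per-address
    balance, tainted amount, and minimum hop distance from a seed address.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    depth = {s: 0 for s in seeds}

    # Everything a seed address later sends out is treated as stolen.
    for _, src, _, amt in transfers:
        if src in seeds:
            balance[src] += amt
            tainted[src] += amt

    for _, src, dst, amt in transfers:
        bal = balance[src]
        frac = 0.0 if bal <= 0 else min(1.0, tainted[src] / bal)
        moved = amt * frac
        balance[src] = max(0.0, bal - amt)
        tainted[src] = max(0.0, tainted[src] - moved)
        balance[dst] += amt
        tainted[dst] += moved
        if moved > 0 and src in depth:
            depth[dst] = min(depth.get(dst, float("inf")), depth[src] + 1)
    return dict(balance), dict(tainted), depth


def summarize(transfers, seeds, cash_out):
    """Split tainted value into what reached a cash-out venue vs. what sits idle."""
    _, tainted, depth = trace_taint(transfers, seeds)
    reached = sum(v for a, v in tainted.items() if a in cash_out)
    idle = {a: v for a, v in tainted.items()
            if v > 0 and a not in cash_out and a not in seeds}
    return {
        "reached_cash_out": reached,
        "idle_tainted": sum(idle.values()),
        "idle_addresses": sorted(idle),
        "max_hops": max(d for a, d in depth.items() if a in cash_out),
        "intermediaries": sorted(a for a in depth
                                 if a not in seeds and a not in cash_out),
    }


if __name__ == "__main__":
    for key, val in summarize(TRANSFERS, SEED, CASH_OUT).items():
        print(f"{key}: {val}")
```

Real tracing tools add two things this sketch omits: per-asset accounting (an ETH-to-DAI swap or an ETH-to-BTC bridge changes the unit, so amounts must be normalised to a common value) and a clustering step that groups the thousands of intermediary addresses into the wallets that control them. The haircut rule itself is also a policy choice; FIFO or "poison" (any contact taints the whole balance) rules give different numbers for the same graph, which is why analytics firms disclose the method alongside the figure.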
North Korea’s shift toward DeFi and high-volume laundering techniques underscores how rapidly crypto criminals are evolving, leaving authorities racing to keep up.