North Korean hacking group shifts to new crypto mixer after US sanctions, researchers reveal

By Kuksung Nam, The Readable
Feb. 16, 2024 8:28PM GMT+9

The Lazarus Group, widely recognized for its affiliations with the North Korean government, is reportedly shifting its focus towards a new cryptocurrency mixing service to launder its illicit proceeds. This development was highlighted by a United States-based blockchain analysis firm on Thursday.

According to a report by Chainalysis, YoMix has become the preferred cryptocurrency mixer for the North Korean hacking group, Lazarus Group. The firm observed a notable shift in the movement of virtual assets, highlighting that in January, the hackers received funds from YoMix into a wallet that had previously been used to receive funds from another cryptocurrency mixer, Sinbad, in October of the previous year.

The researchers refrained from disclosing the specific amount of digital assets processed by the Lazarus Group through YoMix. However, the report revealed that last year, YoMix experienced a significant surge in its monetary transactions, witnessing an increase of more than fivefold over the course of the year. Notably, around one-third of these funds originated from wallets associated with cryptocurrency thefts.

The firm highlighted the U.S. government’s decision to blacklist Sinbad as the key factor prompting the state-sponsored hacking group's shift. In November of the previous year, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the cryptocurrency mixer for facilitating the North Korean hacking group in laundering millions of dollars in digital assets acquired from cryptocurrency heists.

While mixing services offer legitimate users increased privacy by concealing the origins and destinations of financial transactions, they also benefit cybercriminals looking to disguise their illicit activities. According to findings from Chainalysis, cybercriminals funneled over $500 million into cryptocurrency mixers. This figure surged to more than $1 billion in total in 2022. The researchers attribute the subsequent significant decline to government actions aimed at curbing malicious activities, including the shutdown of cryptocurrency mixers.

The report observed that sophisticated hacking groups are likely to continue adapting and seek alternative methods to discreetly launder their illicit funds. The firm explained that Sinbad became a mixer of choice after the OFAC added Tornado Cash to the sanctions list in November 2022, citing its involvement in laundering money for the Lazarus Group. In a report published early last year, Chainalysis highlighted that North Korean-affiliated hacking groups had “almost exclusively” used Tornado Cash to launder stolen digital assets from late 2021 through 2022.

The cover image of this article was designed by Sangseon Kim. This article was copyedited by Arthur Gregory Willers.

Kuksung Nam is a journalist for The Readable. She has extensively traversed the globe to cover the latest stories on the cyber threat landscape and has been producing in-depth stories on security and privacy by engaging with industry giants, foreign government officials and experts. Before joining The Readable, Kuksung reported on politics for one of South Korea’s top-five local newspapers, The Kyeongin Ilbo. Her journalistic skills and reportage earned her the coveted Journalists Association of Korea award in 2021 for her essay detailing exclusive stories about the misconduct of a former government official. She holds a Bachelor’s degree in French from Hankuk University of Foreign Studies, a testament to her linguistic capabilities.