Lazarus switched to YoMix after sanctions against Sinbad mixer, Chainalysis says

Quick Take

  • YoMix has become a replacement for the sanctioned Sinbad mixer for North Korea’s Lazarus hacker group, Chainalysis said.
  • Centralized exchanges still remain the most popular money laundering tool for cybercriminals.

North Korean hackers are switching to new money laundering techniques and increasingly using cross-chain bridges, Chainalysis said in a report published Thursday.

The Lazarus Group, notorious for its hacks of crypto companies and protocols including Harmony, Coincheck, Atomic Wallet and many others, remains one of the most prolific attackers in crypto. While the group used to be an active user of the Tornado Cash mixing protocol and the Sinbad mixer, it has now switched to a new mixer called YoMix, Chainalysis found.

Over the course of 2023, inflows of funds to YoMix grew five times, Chainalysis said, adding that about one third came from wallets associated with crypto hacks. 

“The growth of YoMix and its embrace by Lazarus Group is a prime example of sophisticated actors’ ability to adapt and find replacement obfuscation services when previously popular ones are shut down,” the report said.

Lazarus has also been using cross-chain bridges, Chainalysis said. Bridging protocols have become significantly more popular among cybercriminals recently and received $743.8 million worth of crypto from crime-related addresses in 2023, which is twice as much as the $312.2 million in 2022.

“North Korea-affiliated hackers have been among those to utilize bridges for money laundering the most,” Chainalysis said. 

Dirty money

In 2023, blockchain wallets linked to illicit activities sent $22.2 billion worth of cryptocurrency to various platforms and services that can be used to obfuscate the origins of the funds, including exchanges, mixers and DeFi platforms, Chainalysis said. The number is notably lower than the $31.5 billion in 2022.

In general, mixers seem to be getting less popular among cybercriminals, Chainalysis found. In 2023, they received $504.3 million worth of crypto from crime-linked addresses, compared to $1 billion in 2022.

Centralized exchanges have remained the main destination for illicit funds over the past five years, Chainalysis said. In 2023, 71.7% of all illicit services went to only five centralized platforms, the firm said. According to Chainalysis data, 109 exchange deposit addresses received over $10 million worth of illicit crypto each, and $3.4 billion altogether in 2023.

“While that still represents significant concentration, in 2022, only 40 addresses received over $10 million in illicit crypto, for a collective total of just under $2 billion,” the report reads.

This level of concentration differs for different kinds of cybercrime, Chainalysis noted. For example, vendors of ransomware and child sexual exploitation materials demonstrate a high degree of concentration, with over half of all funds going to just seven deposit addresses. Online scammers and darknet vendors, on the other hand, use a wider variety of deposit addresses for their illicit funds.

“Overall, it’s possible that crypto criminals are diversifying their money laundering activity across more nested services or deposit addresses in order to better conceal it from law enforcement and exchange compliance teams. Spreading the activity across more addresses may also be a strategy to lessen the impact of any one deposit address being frozen for suspicious activity,” the report noted.


About Author

Anna is a senior policy reporter at The Block. She has a background in political journalism and covered Russian civil society for a range of news outlets in Moscow, including the award-winning newspaper Novaya Gazeta. Before joining The Block, Anna spent the past five years investigating cryptocurrency policies and adoption around the world at CoinDesk. Anna owns bitcoin and a gift NFT of sentimental value.

Editor

Nathan Crooks