Yicong Wang, a Chinese OTC trader, has been laundering stolen crypto for the notorious North Korean hacking group known as Lazarus Group since 2022.
Known for using pseudonyms like Seawang, Greatdtrader, and BestRhea977, Wang has helped convert tens of millions of dollars in stolen crypto into cash through bank transfers.
On-chain investigator ZachXBT exposed Wang’s involvement after a victim reached out earlier in the year to report that their account was frozen after completing a P2P transaction with the criminal. They also provided Zach with a TRON wallet address used by Wang, taken from a WeChat conversation.
Wang’s role in laundering stolen crypto
Zach’s research revealed that Yicong Wang facilitated laundering of stolen funds from Lazarus-related hacks like those on Alex Labs, EasyFi, Bondly, and the Irys co-founder.
Specifically, one address controlled by Wang consolidated $17 million from these hacks, with $374K USDT blacklisted by Tether in November 2023. After this blacklist, the remaining funds were quickly moved to Tornado Cash, the infamous crypto mixer.
Between November and December 2023, 13 transactions of 100 ETH each were withdrawn and moved to a different Ethereum address. Later in December, $45K was bridged to TRON, eventually landing in wallets tied to Wang.
Despite Tether’s attempts to blacklist these funds, he moved the money efficiently through crypto mixing services.
Lazarus’ attack on Alex Labs in May 2024 resulted in a $4.5 million loss. Shortly after, one of the hacked addresses deposited 470 ETH into a privacy protocol.
The same amount was withdrawn and transferred to two new addresses within hours. Another 449 ETH followed the same pattern between June 27 and 28 this year, and ended up in Wang’s accounts.
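The two movement patterns described above, a burst of equal round-sized withdrawals from a mixer and a mixer deposit that reappears as withdrawals of the same total within hours, are the kind of thing compliance and blockchain-analytics teams write heuristics for. The following is an added example, not code from the article or from ZachXBT's investigation: it runs two such heuristics over a constructed ledger. The `MIXER` label, the `0x...` addresses, the amounts and the timestamps are all made up to mirror the shapes in the text; the thresholds (`min_count`, `window`, `tol`) are assumptions a real deployment would tune.

```python
"""Two tracing heuristics for the laundering shapes described in the article.
Added example with constructed data; not part of the original article."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime        # block timestamp
    sender: str
    receiver: str
    amount_eth: float


MIXER = "0xMIXER"  # constructed label standing in for a privacy-protocol contract


def flag_structured_withdrawals(transfers, min_count=5, window=timedelta(days=60)):
    """Return (amount, count) pairs: at least `min_count` withdrawals from the mixer
    of the same round amount (multiple of 10 ETH) that all land inside `window`.
    Mirrors the '13 transactions of 100 ETH each' pattern."""
    by_amount = defaultdict(list)
    for t in transfers:
        if t.sender != MIXER:
            continue
        if float(t.amount_eth).is_integer() and t.amount_eth % 10 == 0:
            by_amount[t.amount_eth].append(t.ts)
    flagged = []
    for amount, stamps in by_amount.items():
        stamps.sort()
        if len(stamps) >= min_count and stamps[-1] - stamps[0] <= window:
            flagged.append((amount, len(stamps)))
    return flagged


def match_deposit_to_withdrawals(transfers, deposit, window=timedelta(hours=6), tol=0.01):
    """Find mixer withdrawals after `deposit` whose total equals the deposited amount
    (within `tol` ETH) inside `window`. Greedy in time order: skips any withdrawal that
    would overshoot, returns the list of receiving addresses on a match, else None.
    Mirrors the '470 ETH in, the same amount out to two new addresses within hours' pattern."""
    total, matched = 0.0, []
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.sender != MIXER or t.ts <= deposit.ts or t.ts - deposit.ts > window:
            continue
        if total + t.amount_eth > deposit.amount_eth + tol:
            continue  # would overshoot the deposit; leave it for another match
        total += t.amount_eth
        matched.append(t.receiver)
        if abs(total - deposit.amount_eth) <= tol:
            return matched
    return None


def sample_transfers():
    """Constructed ledger (not real chain data): one 470 ETH deposit split 235/235 to
    two fresh addresses within hours, an unrelated 12.5 ETH withdrawal, and 13 round
    100 ETH withdrawals spread over roughly five weeks."""
    base = datetime(2024, 5, 14, 12, 0)
    txs = [
        Transfer(base, "0xhacked", MIXER, 470.0),
        Transfer(base + timedelta(hours=2), MIXER, "0xnew1", 235.0),
        Transfer(base + timedelta(hours=3), MIXER, "0xnew2", 235.0),
        Transfer(base + timedelta(hours=4), MIXER, "0xother", 12.5),  # unrelated user
    ]
    for i in range(13):
        txs.append(Transfer(base + timedelta(days=3 * i), MIXER, "0xcollector", 100.0))
    return txs


if __name__ == "__main__":
    txs = sample_transfers()
    print("structured withdrawals:", flag_structured_withdrawals(txs))
    print("deposit matched to:", match_deposit_to_withdrawals(txs, txs[0]))
```

Both heuristics produce leads, not proof: a legitimate user can withdraw round amounts, and a greedy sum match can pair unrelated users who happen to total the same amount, which is why the deposit matcher keeps a tight time window and a small tolerance and why an analyst would still follow the flagged receivers onward (in the article, to a bridge and then to TRON) before drawing any conclusion.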
More stolen crypto laundered
In July, Lazarus Group launched another attack, this time targeting the Irys co-founder. They used a spear-phishing email campaign to steal $1.3 million in crypto. The stolen ETH followed the same route as before, with Wang facilitating the laundering process.
On July 31, the stolen 70.8 ETH was deposited into a privacy protocol, followed by another 338 ETH. Again, these funds were sent to multiple addresses before ending up in Wang’s TRON wallets.
By August 13, Wang had laundered another $1.5 million USDT from Lazarus Group’s hacks. During this period, funds were bridged from Ethereum to TRON, linking directly to his accounts.
Investigations into these transactions showed that an Ethereum address blacklisted by Tether in August, containing 948K USDT, was also connected to Wang.
Before being blacklisted, 746K USDT was transferred to one of his addresses. Wang didn’t stop even after being banned from major platforms like Paxful and Noones for laundering funds.
Though his accounts under the aliases were shut down, Wang continued making offsite transactions, assisting Lazarus Group with laundering funds.
Lazarus’ continuous threat to the crypto industry
As of October 23, 2024, Lazarus Group remains one of the most dangerous threats to the crypto industry. They continue to execute high-profile hacks, targeting centralized and decentralized platforms.
Their methods have become increasingly sophisticated, using social engineering campaigns like the “Eager Crypto Beavers” to trick blockchain professionals into downloading malware. This malware steals credentials and access to crypto wallets, making it easier for Lazarus to drain funds.
In 2024 alone, the hacking group has been responsible for many major hacks. In July, they breached the Indian crypto exchange WazirX, resulting in over $235 million in losses.
They also targeted centralized platforms like Stake.com, which lost $41 million in September 2023, and Deribit, which suffered a $28 million loss in November 2022.
While law enforcement has made some progress, recovering stolen funds has been challenging. The U.S. Department of Justice (DOJ) is actively working to track and recover crypto stolen by Lazarus, but the group’s laundering methods make this difficult.
Earlier this month, the DOJ filed lawsuits to recover over $2.67 million in stolen digital assets tied to the Deribit and Stake.com hacks. But these efforts represent only a fraction of the total amount stolen by Lazarus.
cryptopolitan.com