Blockchain analytics investigators have made a startling discovery. They have uncovered an individual who is allegedly involved in a cryptocurrency laundering operation. This operation is specifically targeting stolen tokens from recent high-profile exchange hacks. The investigations, spanning the summer months of 2023, have shed light on the methods employed by these hackers and their connection to this individual. And it appears that this individual is offering the stolen tokens at discounted prices to unsuspecting buyers.
Blockchain security firm Match Systems has been at the forefront of these investigations. Working tirelessly, they have managed to identify and establish contact with the individual responsible for selling stolen cryptocurrency tokens. The communication took place on the popular messaging platform Telegram. The investigators were able to ascertain that this individual was in control of an address containing over $6 million worth of cryptocurrencies. This confirmation came after receiving a small transaction from the corresponding address.
To facilitate the exchange of stolen assets, the individual devised a clever scheme using a Telegram bot. This bot, created specifically for this operation, offered a 3% discount off the market price of the stolen tokens. As conversations progressed, the individual indicated that the initial assets on offer had been sold. However, new tokens would be made available approximately three weeks later. According to the investigators, the indications point towards these being funds from CoinEx or Stake companies.
Though efforts have been made to fully identify the individual responsible for this operation, Match Systems has only been able to narrow down their location to the European time zone. This conclusion was drawn from several screenshots and the timings of their conversations. It is believed that this individual is not part of the core team behind the hacks but has some association with them. The investigators suggest that the individual may have been de-anonymized as a guarantee that they will not misuse the stolen assets.
Throughout their interactions, the individual exhibited unstable and erratic behavior. Abruptly leaving conversations with excuses, such as being called to dinner by their mother, raised suspicions. Additionally, the individual offered a 3% discount on the stolen tokens. In the initial stages of identification, they would send 3.14 TRON (TRX) as a form of proof to potential clients.
For the discounted stolen tokens, the individual accepted Bitcoin (BTC) as a means of payment. Prior to this, they had successfully sold $6 million worth of TRON (TRX) tokens. The latest offering from this Telegram user includes $50 million worth of TRON (TRX), Ether (ETH), and Binance Smart Chain (BSC) tokens.
In correspondence with Cointelegraph, blockchain security firm CertiK previously outlined the movement of stolen funds from the Stake heist. They revealed that approximately $4.8 million of the total $41 million had been laundered through various token movements and cross-chain swaps. The FBI identified the North Korean Lazarus Group hackers as the culprits of the Stake attack. Cybersecurity firm SlowMist also linked the CoinEx hack, which involved $55 million, to the North Korean group.
Interestingly, Match Systems’ analysis suggests that the CoinEx and Stake hacks had slightly different identifiers in their methodology. Previous Lazarus Group laundering efforts did not involve Commonwealth of Independent States (CIS) nations like Russia and Ukraine. However, the 2023 summer hacks witnessed stolen funds being actively laundered in these jurisdictions. Unlike the minimal digital footprints left by Lazarus hackers in the past, recent incidents have left plenty of breadcrumbs for investigators to follow. Social engineering has emerged as a prominent attack vector in these summer hacks, whereas the Lazarus Group targeted “mathematical vulnerabilities”. Furthermore, recent incidents have seen stolen funds being mixed through protocols like Sinbad and Wasabi, as opposed to Tornado Cash previously used by Lazarus hackers.
Despite these differences, there are still significant similarities among these hacks. BTC wallets have consistently served as the primary repository for the stolen assets, while the Avalanche Bridge and mixers have been employed for token laundering. Blockchain data from September 2023 suggests that North Korean hackers have stolen an estimated $47 million worth of cryptocurrency this year. The majority of these funds, approximately $42.5 million, consist of BTC, with $1.9 million in ETH.
The unraveling of this cryptocurrency laundering operation sheds light on the intricate web of stolen tokens and underground marketplaces. The work of blockchain analytics investigators, though challenging, provides valuable insights into the methods employed by hackers and the individuals behind these illegal operations. It is essential for the cryptocurrency community to remain vigilant and take proactive measures to safeguard their assets in an increasingly complex and evolving landscape.