
Cross-Chain Crypto Laundering Spikes to $7 Billion, Lazarus Group Responsible for $900 Million

A new report from Elliptic finds a major spike in cross-chain crypto laundering in the past year, with the amount shooting up from $4.1 billion a year ago to $7 billion at present.

North Korea’s state-backed Lazarus group is a major driver of this area of crime, responsible for about 13% ($900 million) alone. Scams and Ponzi schemes have also spiked by 243%, and thefts are up over 103%.

Crypto laundering outpacing growth predictions

In its previous annual report, Elliptic predicted continued growth in crypto laundering, but not at the pace seen over the past year. At the time, Elliptic projected that the market would not reach $6.5 billion until the end of this year, and would be at $10.5 billion by 2025.

What has caused the recent spike? Increased Lazarus group activity accounts for some of it, but cyber criminals are also finding success in diversifying crypto laundering operations away from relying solely on Bitcoin. There is increased use of privacy coins such as Monero, an obvious choice for illicit online trade, but these groups are also increasingly finding ways to make use of stablecoins pegged to fiat currencies (such as Tether).

Law enforcement action against major ransomware gangs has also had an unintended ripple effect in pushing more cyber criminals into crypto laundering. As international law enforcement improves its relationships with centralized exchanges, criminals are pouring into the sorts of decentralized cross-chain exchanges that do not require identification to make transactions. Current blockchain analytics capability is also relatively poor at tracking cross-chain activity, incentivizing criminals to hop between asset types and chains to throw off pursuit.

Advanced cyber crime outfits such as the Lazarus group now heavily favor decentralized exchanges, coin swap services and cross-chain bridges for this reason. The report notes a sharp drop in the use of mixers and a corresponding spike in use of cross-chain bridges after July 2022, a “crime displacement” trend tied directly to sanctions being slapped on Tornado Cash and its contemporary RenBridge falling apart due to the collapse of backer Alameda Research just ahead of the FTX scandal.
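Because a bridge deposit on one chain and the matching withdrawal on another are recorded on separate ledgers, following a chain hop means pairing the two events by value and timing. The block below is an added illustration of that linking heuristic from a compliance/detection stance; it is not code from Elliptic or from the report. The ledger, the addresses, the six-hour window and the 3% fee tolerance are all constructed assumptions, not figures from the report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from collections import defaultdict


@dataclass(frozen=True)
class BridgeEvent:
    """One bridge-side event: a deposit into a bridge or a withdrawal out of it."""
    ts: datetime
    chain: str
    kind: str        # "deposit" or "withdraw"
    address: str     # address that deposited, or address that received the withdrawal
    asset: str
    usd_value: float


# Constructed sample ledger (assumed, not real transactions). Wallet 0xA hops
# ethereum -> tron -> bsc; wallet 0xD makes one ordinary bridge transfer.
_T0 = datetime(2023, 9, 1, 12, 0)
EVENTS = [
    BridgeEvent(_T0,                        "ethereum", "deposit",  "0xA", "ETH",   100_000.0),
    BridgeEvent(_T0 + timedelta(minutes=20), "tron",    "withdraw", "TB",  "USDT",   99_000.0),
    BridgeEvent(_T0 + timedelta(minutes=60), "tron",    "deposit",  "TB",  "USDT",   99_000.0),
    BridgeEvent(_T0 + timedelta(minutes=90), "bsc",     "withdraw", "0xC", "BNB",    97_500.0),
    BridgeEvent(_T0 + timedelta(hours=2),    "ethereum", "deposit", "0xD", "ETH",     5_000.0),
    BridgeEvent(_T0 + timedelta(minutes=130), "polygon", "withdraw", "0xE", "MATIC",  4_950.0),
    BridgeEvent(_T0 + timedelta(hours=3),    "arbitrum", "withdraw", "0xF", "ETH",   42_000.0),  # unmatched noise
]


def link_hops(events, window=timedelta(hours=6), tolerance=0.03):
    """Pair each deposit with the earliest later withdrawal on a different chain
    whose USD value matches within `tolerance` (allowing for bridge fees/slippage).
    Each withdrawal is consumed at most once. Returns a list of (deposit, withdrawal)."""
    deposits = sorted((e for e in events if e.kind == "deposit"), key=lambda e: e.ts)
    withdrawals = sorted((e for e in events if e.kind == "withdraw"), key=lambda e: e.ts)
    used, hops = set(), []
    for d in deposits:
        for i, w in enumerate(withdrawals):
            if i in used or w.chain == d.chain or w.ts < d.ts or w.ts - d.ts > window:
                continue
            if abs(w.usd_value - d.usd_value) <= tolerance * d.usd_value:
                used.add(i)
                hops.append((d, w))
                break
    return hops


def follow_chain(hops, start_address):
    """Walk linked hops from a deposit address: the withdrawal's receiving address
    is looked up as the next deposit address. Returns the ordered list of hops."""
    by_addr = defaultdict(list)
    for d, w in hops:
        by_addr[d.address].append((d, w))
    path, addr, seen = [], start_address, set()
    while addr in by_addr and addr not in seen:
        seen.add(addr)
        d, w = by_addr[addr][0]
        path.append((d.chain, d.asset, w.chain, w.asset, w.address))
        addr = w.address
    return path


def flag_chain_hoppers(events, min_hops=2, **kw):
    """Return {starting_address: hop_count} for wallets whose linked bridge path
    crosses at least `min_hops` chains. Paths are started only from deposit
    addresses that are not themselves a withdrawal destination in the linked set."""
    hops = link_hops(events, **kw)
    destinations = {w.address for _, w in hops}
    starts = {d.address for d, _ in hops} - destinations
    flagged = {}
    for addr in sorted(starts):
        n = len(follow_chain(hops, addr))
        if n >= min_hops:
            flagged[addr] = n
    return flagged


if __name__ == "__main__":
    for addr, n in flag_chain_hoppers(EVENTS).items():
        print(f"{addr}: {n} chain hops -> {follow_chain(link_hops(EVENTS), addr)}")
```

On the constructed ledger this flags 0xA (ethereum to tron to bsc, two hops) and leaves the single transfer from 0xD alone. Real-world matching is far harder than this: bridges batch liquidity, fees vary by asset, and prices move between deposit and withdrawal, which is the gap the report describes analytics tooling struggling with.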

Lazarus group responsible for huge chunk of illicit crypto movement

The largest single group moving money via crypto laundering is North Korea’s Lazarus group, which has been very busy (and successful) since 2022. The group has been highly active in this area since at least 2016, but a string of record-setting thefts over the past two years has made it the biggest single source of illicit funds being moved through cross-chain bridges.

The Lazarus group and other criminal actors have broadly diversified the asset types they make use of, over 80 in total across 26 blockchains. This includes using techniques such as limit orders and derivatives trading.

At least several hundred million dollars worth of crypto have been stolen each year by the Lazarus group, dating back to 2016. The gang pretty reliably steals about $200 to $300 million in crypto annually, but had a massive haul in 2022 with over $1.5 billion taken (largely on the backs of the massive breaches of defi platforms Harmony and Ronin Bridge).

The group is not keeping that pace in 2023 thus far, but is already above its usual pre-2022 numbers on the year. It had a sprint of thefts in the tens of millions of dollars over the summer, hitting the likes of Atomic Wallet, among others; it also almost single-handedly made shaky defi security a hot topic of discussion and prompted the ecosystem to scramble to improve its defenses so as not to lose customer confidence.

Ken Westin, Field CISO for Panther Labs, notes that this stealing spree also demonstrated that the Lazarus group prefers to target software developers for access: “North Korea’s Lazarus group has been targeting cryptocurrency companies as well as financial services and cybersecurity firms to help fund their military initiatives. Unlike other threat actors, who often target executives, Lazarus has been targeting developers. Through social engineering attacks targeting developers, their goal has been to gain access to privileged accounts and code repositories where they can steal secrets as well as compromise developers’ systems via malicious dependencies. Their efforts have proven to be quite lucrative, so we can expect them to double down on their efforts. By targeting cryptocurrencies, North Korea is able to circumvent financial sanctions and other limits imposed on the regime to fund their military efforts, taking advantage of the pseudo-anonymous nature of various cryptocurrencies.”

All told, the Lazarus group is likely to reach at least half a billion dollars in theft this year, pending any other big scores in the next couple of months. That money is thought to go straight back to propping up the North Korean regime after the crypto laundering takes place, particularly in funding its nuclear weapons program. Part of the Lazarus group’s perniciousness and ability to execute complex social engineering schemes is thought to be owed to its government support.

Cyber criminals were using legitimate centralized exchanges to cash out their funds just a couple of years ago, something that has changed rapidly as international law enforcement has pressured these entities to do a better job of knowing their customers and keeping tabs on funds. This has sent ransomware groups not just to defi systems (in the case of the Lazarus group, while also actively robbing them), but also to privacy coins like Monero and to illicit exchanges in Russia that scoff at crypto laundering law with tacit approval from the national government.