- Crypto money launderers are attacking their own trades.
- Doing so helps them make illicit funds look clean.
- North Korean hackers the Lazarus Group are among those using this new laundering method.
Crypto thieves are pretending to be inexperienced traders — losing thousands of dollars on purpose — in a new method of laundering illicit funds.
That’s according to two crypto security experts, who told DL News that the tactic is being deployed by hackers including North Korea’s Lazarus Group.
The method works like this: Launderers engineer token swaps that are designed to fall victim to trading bots. However, instead of letting other bots take advantage, the launderers run their own bots to profit from the trades.
On the surface, it looks like an inexperienced trader losing money.
But in reality, the bad trades are turning the illicit funds tied to blacklisted wallets into clean funds which, to most onlookers, appear to be trading bot profits unconnected to the illicit funds.
“We believe this is an evolving strategy to bypass detection and enforcement mechanisms,” Hakan Unal, senior security operation center lead at crypto security firm Cyvers, told DL News.
Centralised crypto exchanges like Binance and Coinbase are locked in a never-ending game of cat and mouse with some of the world’s top crypto criminals.
Money launderers like the Lazarus Group are continuously looking for ways to bypass these exchanges’ anti-money laundering detection.
Multi-step process
The trades have all the characteristics associated with money laundering, Yehor Ruditsya, a security researcher at blockchain security firm Hacken, told DL News.
Ruditsya identified multiple transactions from wallets which he said raised “significant red flags” because they sent funds through FixedFloat and ChangeNow, two crypto mixers popular with money launderers.
The scheme takes advantage of Circle’s USDC and Tether’s USDT stablecoins through a multi-step process.
First, several wallets deposit and withdraw funds to DeFi lending protocol Aave. After withdrawing funds from Aave, the launderers add the stablecoins to a trading pool on decentralised exchange Uniswap.
Usually, stablecoins like USDC and USDT trade at close to the same value. After all, they are both meant to closely track the value of the dollar.
However, launderers set up the Uniswap trading pools so that when they use them, a trading bot they control can attack the trades.
In one example, the launderers swapped $90,000 USDC for just $2,300 USDT — an $87,700 loss. While the wallet that submitted the transaction loses money, that amount lost gets picked up by the launderer’s trading bot as an arbitrage profit.
Ruditsya said he identified six of these highly uneven trades using the same trading pool within just five minutes of each other, indicating organised activity.
Sandwich attack
Trading bots take advantage of a blockchain-specific arbitrage technique called maximal extractable value, or MEV.
Bots pay to reorganise onchain trades in the most profitable way. Doing so helps keep the prices of assets on decentralised exchanges accurate. But it can also negatively affect traders.
Often, bots can orchestrate so-called sandwich attacks. Such attacks start when a bot sees a trader place a big order for a specific token.
The bot then buys up a large amount of that token ahead of the trader, pushing up its price.
After the trader has had their order filled at the higher price, the bot sells the tokens at the even higher price, profiting at the trader’s expense.
It is these sandwich attacks that crypto criminals are replicating to launder funds.
More methods
It’s not just sandwich attacks that launderers are using to obscure funds, Cyvers' Unal said.
Another common tactic, he said, involves piling money into trading pools of obscure or low-value tokens and then removing it to create the appearance of legitimate funds.
He highlighted one instance where Cyvers tracked an address linked to Lazarus Group that had been engaging in this method, using a token called WAFF and Tether’s USDT stablecoin.
As a result, Tether blocked the Uniswap pool associated with the token, Unal said.
Tether did not immediately respond to a request for comment.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.