Hackers Disguise as Novice Traders to Launder Cryptocurrency

Criminals are using a new method to launder cryptocurrency, disguising their transactions as errors made by inexperienced traders, DL News reports, citing experts.

Hackers create swaps that are vulnerable to attacks by arbitrage bots, and the hackers themselves control those bots. This tactic is used by the Lazarus Group, among others.

These transactions exhibit all the characteristics typically associated with money laundering, explained Yegor Ruditsa, a security researcher at blockchain company Hacken.

The expert identified numerous transactions from wallets that, in his words, raised “serious suspicions” as they routed funds through FixedFloat and ChangeNow—two crypto mixers popular among money launderers.

The scheme employs USDC and USDT stablecoins through a multi-step process.

Initially, several wallets deposit and withdraw funds via Aave. After withdrawing assets from the protocol, the launderers add “stablecoins” to a trading pool on the decentralized exchange Uniswap.

Typically, stablecoins trade at roughly the same price, as they are pegged to the dollar’s value. However, the launderers configure trading pools on Uniswap so that their own bot can intervene in the trades.

In one example, the launderers exchanged $90,000 in USDC for $2,300 in USDT, incurring a loss of $87,700. The losses of the wallet initiating the transaction are offset by the arbitrage profit gained by software controlled by the launderers.

Ruditsa stated that he identified six such transactions conducted through the same trading pool within just five minutes, indicating organized activity.
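The pattern described above (stablecoin-to-stablecoin swaps at a heavy loss, repeated in one pool within five minutes) can be screened for in swap data. The sketch below is an example added here, not code from Hacken or DL News; the record layout, pool names, sample swaps and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STABLES = {"USDC", "USDT"}      # dollar-pegged tokens named in the article
MAX_LOSS = 0.05                 # assumed: losing over 5% on a stable pair is abnormal
WINDOW = timedelta(minutes=5)   # the article's six swaps fell within five minutes
MIN_CLUSTER = 3                 # assumed: lossy swaps per pool per window to flag
T0 = datetime(2025, 1, 1, 12, 0)  # constructed timestamp

def swap(pool, sec, amt_in, amt_out, tin="USDC", tout="USDT"):
    return {"pool": pool, "time": T0 + timedelta(seconds=sec),
            "token_in": tin, "token_out": tout,
            "amount_in": amt_in, "amount_out": amt_out}

# Constructed sample data; amounts are in whole tokens.
SWAPS = (
    [swap("pool-A", i * 50, 90_000, 2_300) for i in range(6)]    # pattern from the article
    + [swap("pool-B", i * 40, 10_000, 9_996) for i in range(6)]  # ordinary stable swaps
    + [swap("pool-C", 0, 50_000, 1_000)]                         # one isolated bad trade
    + [swap("pool-D", 0, 10, 18_000, tin="WETH")]                # not a stable pair
)

def loss_ratio(s):
    """Fraction of input value lost, valuing both stablecoins at $1."""
    return 1 - s["amount_out"] / s["amount_in"]

def lossy_stable_swaps(swaps):
    return [s for s in swaps
            if s["token_in"] in STABLES and s["token_out"] in STABLES
            and s["token_in"] != s["token_out"]
            and s["amount_in"] > 0 and loss_ratio(s) > MAX_LOSS]

def flag_pools(swaps, min_cluster=MIN_CLUSTER):
    """Return pools with >= min_cluster lossy stable swaps inside one WINDOW."""
    by_pool = defaultdict(list)
    for s in lossy_stable_swaps(swaps):
        by_pool[s["pool"]].append(s)
    flagged = {}
    for pool, items in by_pool.items():
        items.sort(key=lambda s: s["time"])
        start = best = 0
        for end, cur in enumerate(items):
            while cur["time"] - items[start]["time"] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_cluster:
            loss = sum(s["amount_in"] - s["amount_out"] for s in items)
            flagged[pool] = {"max_in_window": best, "total_loss": loss}
    return flagged
```

A single lossy swap (pool-C) is not flagged, since one bad trade is consistent with a genuine mistake; the cluster in one pool is what separates the two. Tying the arbitrage profit back to the same operator is a separate attribution step that this screen does not attempt.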

Hackers also employ other methods, such as sandwich attacks, where bots purchase tokens before large trades and then sell them at a premium.

Another scheme involves working with low-liquidity assets. In one case documented by experts, an address linked to Lazarus used WAFF and USDT. As a result, the company Tether blocked the Uniswap pool associated with the token.

Back in March, hackers from Lazarus sent 400 ETH (~$752,000) to the crypto mixer Tornado Cash. The initial address received funds through the THORChain protocol, which the group actively used in laundering schemes for funds stolen from Bybit.
