Hackers Laundering Cryptocurrency by Posing as Novice Traders

Criminals are employing a novel approach to launder cryptocurrency by disguising their actions as mistakes made by inexperienced traders, according to experts cited by DL News.

These hackers create swaps that are susceptible to attacks from arbitrage bots, which they also control. Such tactics are notably used by the Lazarus Group.

These transactions exhibit all the characteristics typically associated with money laundering, according to blockchain security researcher Yegor Ruditsa of Hacken.

The expert identified numerous transactions from wallets that raised "serious suspicions" due to their use of FixedFloat and ChangeNow, two cryptocurrency mixers favored by money launderers.

The scheme utilizes stablecoins like USDC and USDT in a multi-step process.

Initially, multiple wallets deposit and withdraw funds via Aave. After withdrawing the assets from the protocol, the launderers add "stablecoins" to a trading pool on the decentralized exchange Uniswap.

Typically, stablecoins trade at nearly the same price, as they are pegged to the value of the dollar. However, launderers manipulate the trading pools on Uniswap, allowing their own bot to intervene in transactions.

In a specific example, the perpetrators traded $90,000 worth of USDC for $2,300 in USDT, a loss of $87,700. The loss taken by the wallet that initiated the transaction is offset by the arbitrage profit captured by the bot that the money launderers control.

Ruditsa indicated that he identified six such transactions executed through the same trading pool in just five minutes, suggesting a coordinated effort.
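A detection heuristic for the pattern described above, as an added example that is not from DL News, Hacken or the researcher: it flags stablecoin-to-stablecoin swaps that lose far more than a pegged pair should, then groups them per pool inside a five-minute window. The record layout, pool and wallet labels, thresholds and sample rows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

STABLES = {"USDC", "USDT"}  # stablecoins named in the article
MAX_LOSS = 0.05             # assumed: >5% loss on a pegged pair is abnormal
WINDOW_S = 300              # five minutes, the span reported in the article
MIN_CLUSTER = 3             # assumed minimum of lossy swaps per pool to alert

@dataclass(frozen=True)
class Swap:
    ts: int          # unix seconds
    pool: str
    wallet: str
    token_in: str
    usd_in: float
    token_out: str
    usd_out: float

def loss_ratio(s: Swap) -> float:
    """Fraction of input value lost in the swap."""
    return 1.0 - s.usd_out / s.usd_in

def lossy_stable_swaps(swaps):
    """Stable-to-stable swaps whose loss exceeds MAX_LOSS."""
    return [s for s in swaps
            if {s.token_in, s.token_out} <= STABLES and s.token_in != s.token_out
            and s.usd_in > 0 and loss_ratio(s) > MAX_LOSS]

def clusters(swaps):
    """Per pool, the largest run of lossy swaps that fits in WINDOW_S."""
    by_pool = defaultdict(list)
    for s in lossy_stable_swaps(swaps):
        by_pool[s.pool].append(s)
    hits = {}
    for pool, items in by_pool.items():
        items.sort(key=lambda s: s.ts)
        best, lo = [], 0
        for hi in range(len(items)):
            while items[hi].ts - items[lo].ts > WINDOW_S:
                lo += 1  # slide the window start forward
            if hi - lo + 1 > len(best):
                best = items[lo:hi + 1]
        if len(best) >= MIN_CLUSTER:
            hits[pool] = best
    return hits

# Constructed sample: only the 90,000 -> 2,300 figures mirror the article.
SAMPLE = [Swap(50 * i, "pool-A", f"w{i}", "USDC", 90_000, "USDT", 2_300) for i in range(6)]
SAMPLE += [Swap(120, "pool-B", "w6", "USDC", 10_000, "USDT", 9_996),   # normal swap
           Swap(900, "pool-A", "w7", "USDT", 40_000, "USDC", 1_000)]  # outside window
```

Calling `clusters(SAMPLE)` returns only the six `pool-A` swaps that fall inside one window; a cluster is a lead for tracing whether the counterparty bot and the losing wallets share funding sources, not proof on its own.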

The hackers also employ various other methods. For instance, they utilize sandwich attacks, where bots purchase tokens before large trades and then sell them at a markup.

Another scheme involves working with low-liquidity assets. In one recorded instance, a wallet linked to Lazarus used WAFF and USDT. Consequently, the company Tether blocked the Uniswap pool associated with this token.

As a reminder, on March 13, the Lazarus hackers transferred 400 ETH (~$752,000) to the cryptocurrency mixer Tornado Cash. The original address received funds through the THORChain protocol, which the group had actively exploited in their money laundering schemes involving stolen funds from Bybit.