
Criminal Hackers Disguise Themselves as Naive Digital Currency Traders to Clean Dirty Money

Criminals involved in cybercrime have devised a fresh approach to disguising their cryptocurrency laundering activities, portraying them as errors committed by inexperienced traders, reports DL News.


Cybercriminals Launder Cryptocurrency by Disguising Actions as Novice Trader Errors

A new method of laundering cryptocurrency has emerged, with cybercriminals posing as inexperienced traders to evade detection, according to reports by DL News. Experts claim that this strategy is utilized by groups such as the Lazarus Group.

The criminals create swap transactions vulnerable to arbitrage bots, which they themselves control. These transactions exhibit characteristics common in money laundering, explained Yegor Ruditza, a security researcher at blockchain company Hacken. He identified multiple suspicious transactions originating from wallets that channeled funds through FixedFloat and ChangeNow—two cryptocurrency mixers widely used for laundering.

The scheme primarily involves USDC and USDT stablecoins and follows a multi-step process. Several wallets deposit and withdraw funds via Aave. After withdrawing assets, the launderers add stablecoins to a liquidity pool on Uniswap. Normally, stablecoins trade at roughly the same price due to their pegging to the U.S. dollar. However, the hackers manipulate Uniswap pools to allow their bots to interfere in trades.

In one instance, attackers swapped $90,000 in USDC for just $2,300 in USDT, losing $87,700. Although the initiating wallet appears to suffer a loss, the missing funds are recovered as arbitrage profit by software the hackers control. Ruditza reported six such transactions executed within the same liquidity pool over just five minutes, suggesting an organized operation.
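A monitoring heuristic for the pattern described above, as an added example that is not from DL News or Hacken: it flags stablecoin-to-stablecoin swaps that settle far below par and alerts when several land in the same pool within five minutes. The record layout, thresholds, pool and wallet names are assumptions, and the sample swaps are constructed apart from the $90,000 to $2,300 amounts.

```python
from collections import defaultdict

STABLES = {"USDC", "USDT"}  # both pegged to the U.S. dollar
MAX_LOSS = 0.05             # assumed: flag stable-to-stable swaps losing more than 5%
WINDOW_S = 300              # five minutes, the span reported in the article
MIN_CLUSTER = 3             # assumed: lossy swaps per pool needed to raise an alert

# Constructed records: (unix_time, pool, wallet, token_in, amount_in, token_out, amount_out).
# Only the 90,000 -> 2,300 amounts come from the article; everything else is made up.
SAMPLE_SWAPS = [
    (1000, "pool-A", "w1", "USDC", 90_000, "USDT", 2_300),
    (1040, "pool-A", "w2", "USDC", 40_000, "USDT", 1_500),
    (1090, "pool-A", "w3", "USDT", 25_000, "USDC", 900),
    (1150, "pool-A", "w1", "USDC", 60_000, "USDT", 2_000),
    (1210, "pool-A", "w4", "USDC", 30_000, "USDT", 1_200),
    (1290, "pool-A", "w2", "USDT", 15_000, "USDC", 700),
    (5000, "pool-A", "w5", "USDC", 20_000, "USDT", 800),    # lossy, but outside the window
    (1100, "pool-B", "w6", "USDC", 10_000, "USDT", 9_995),  # ordinary swap near par
    (1200, "pool-C", "w7", "USDC", 5_000, "USDT", 4_000),   # isolated loss: a plausible real mistake
]

def lossy_stable_swaps(swaps, max_loss=MAX_LOSS):
    """Yield (swap, loss_fraction) for stablecoin swaps that return far below par."""
    for swap in swaps:
        _, _, _, tok_in, amt_in, tok_out, amt_out = swap
        if {tok_in, tok_out} == STABLES and amt_in > 0:
            loss = 1 - amt_out / amt_in
            if loss > max_loss:
                yield swap, loss

def flag_pools(swaps, window=WINDOW_S, min_cluster=MIN_CLUSTER):
    """Return {pool: (count, apparent_loss_usd)} for the densest burst of lossy swaps per pool."""
    by_pool = defaultdict(list)
    for (t, pool, _, _, amt_in, _, amt_out), _ in lossy_stable_swaps(swaps):
        by_pool[pool].append((t, amt_in - amt_out))
    alerts = {}
    for pool, hits in by_pool.items():
        hits.sort()
        best, start = (0, 0), 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            run = hits[start:end + 1]
            if len(run) > best[0]:
                best = (len(run), sum(lost for _, lost in run))
        if best[0] >= min_cluster:
            alerts[pool] = best
    return alerts

if __name__ == "__main__":
    print(flag_pools(SAMPLE_SWAPS))
```

A flagged pool is a lead rather than proof: the follow-up is to check whether the addresses that captured the arbitrage profit share funding sources with the wallets that took the loss.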

Hackers employ other tactics like sandwich attacks and transactions involving low-liquidity assets to further obfuscate their activities. For instance, a Lazarus-linked address used WAFF and USDT, leading to Tether freezing the associated Uniswap pool.

Interestingly, on March 13, Lazarus hackers transferred 400 ETH (~$752,000) to the Tornado Cash crypto mixer. The funds originated from THORChain, a service the group has actively used to launder stolen Bybit assets. While the evidence is not explicit, this pattern suggests the Lazarus Group may be supplementing its laundering tactics with arbitrage bots and stablecoins.

Cybercriminals posing as novice traders and using arbitrage bots have been found to manipulate Uniswap pools to launder cryptocurrency, as noted by security researcher Yegor Ruditza. These groups bypass cybersecurity measures by exploiting stablecoin trading, a practice that could influence future laundering methods.
