Renowned crypto investigator ZachXBT recently disclosed a significant hack on the Tron network, with an anonymous victim losing $3.19 million in USDT. In a swift series of transactions, the stolen USDT was moved to Ethereum, where it was exchanged for ETH. The digital loot was then spread across ten addresses and deposited into Tornado Cash, a popular privacy tool in the crypto world.
ZachXBT’s sharp eye noticed that the hacker utilized a theft address previously associated with a heinous hack on Michael Kong, the CEO of Fantom/Sonic, in October 2023. This hack was traced back to the notorious Lazarus Group, a North Korean hacking collective with suspected ties to the state, in a report published by the United Nations in March 2024.
The Lazarus Group’s modus operandi includes spearphishing campaigns and on-chain ‘commingling’ of funds. In fact, ZachXBT highlighted how the group linked the Bybit hack to the Phemex hack directly on-chain by ‘commingling’ funds from the initial theft addresses for both incidents.
The Lazarus Group is no newcomer to the world of crypto theft. Over the years, their hacks have reportedly resulted in losses upwards of $6 billion, with the proceeds allegedly funding North Korea’s ballistic missile program. The Bybit heist alone, in which over 400K ETH was taken by infiltrating Bybit’s cold wallet, ranks as one of the largest crypto thefts in history.
Elliptic, a leading blockchain analysis company, has been closely monitoring the Lazarus Group’s actions. According to their research, the hackers follow a distinctive pattern to launder stolen crypto assets. The first step involves exchanging the stolen tokens for a “native” blockchain asset like Ether, which, unlike issuer-controlled tokens, cannot be ‘frozen’ by an issuer.
This was the exact route taken by the hackers in the recent Tron hack and the Bybit theft, where hundreds of millions of dollars in stolen tokens were swiftly exchanged for ETH via decentralized exchanges (DEXs). This method circumvents any potential asset freezes that might occur if centralized exchanges (CEXs) were used.
The second step in the laundering process is ‘layering’ the stolen funds to obscure the transaction trail: funneling them through a high number of cryptocurrency wallets, moving them to other blockchains using cross-chain bridges or exchanges, and employing ‘mixers’ such as Tornado Cash or Cryptomixer.
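A defender-side illustration of the two-step pattern Elliptic describes, added here as an example and not taken from the article, from Elliptic or from any analytics vendor: a small transaction-monitoring heuristic run over constructed transfer records (every address, label and amount below is made up) that flags a wallet which swaps a token for a native asset at a labelled DEX, fans it out to many unlabelled addresses, and then sees those addresses deposit into a labelled mixer.

```python
from collections import defaultdict

# Constructed sample transfers, not real on-chain data:
# (tx_id, sender, recipient, asset, amount)
def build_sample():
    txs = [
        ("t1", "victim", "theft", "USDT", 3_190_000),      # initial theft
        ("t2", "theft", "dex_router", "USDT", 3_190_000),  # step 1: token sent to a DEX
        ("t3", "dex_router", "theft", "ETH", 1_000),       # native asset received back
    ]
    for i in range(10):  # step 2: fan-out to ten fresh hops, each then deposits to a mixer
        txs.append((f"t4_{i}", "theft", f"hop{i}", "ETH", 100))
        txs.append((f"t5_{i}", f"hop{i}", "mixer_pool", "ETH", 100))
    return txs

# Constructed address labels standing in for an analytics provider's label set
LABELS = {"dex_router": "dex", "mixer_pool": "mixer"}
NATIVE_ASSETS = {"ETH"}

def trace_laundering(transfers, theft_addr, labels, fanout_threshold=5):
    """Return findings for the swap-to-native, fan-out, mixer-deposit pattern."""
    outgoing = defaultdict(list)
    incoming = defaultdict(list)
    for t in transfers:
        outgoing[t[1]].append(t)
        incoming[t[2]].append(t)
    # Step 1: a non-native token goes to a labelled DEX and a native asset comes back
    sent_token_to_dex = any(labels.get(r) == "dex" and a not in NATIVE_ASSETS
                            for _, _, r, a, _ in outgoing[theft_addr])
    got_native_from_dex = any(labels.get(s) == "dex" and a in NATIVE_ASSETS
                              for _, s, _, a, _ in incoming[theft_addr])
    # Step 2: native asset spread across many unlabelled addresses ...
    hops = {r for _, _, r, a, _ in outgoing[theft_addr]
            if a in NATIVE_ASSETS and r not in labels}
    # ... which then deposit into a labelled mixer
    mixer_deposits = sum(1 for h in hops for _, _, r, _, _ in outgoing[h]
                         if labels.get(r) == "mixer")
    findings = {
        "native_swap": sent_token_to_dex and got_native_from_dex,
        "fanout": len(hops),
        "mixer_deposits": mixer_deposits,
    }
    findings["flagged"] = (findings["native_swap"]
                           and findings["fanout"] >= fanout_threshold
                           and mixer_deposits > 0)
    return findings

if __name__ == "__main__":
    print(trace_laundering(build_sample(), "theft", LABELS))
```

In practice the labels come from a curated address-attribution set and the threshold is tuned against ordinary DEX users, who swap tokens but rarely fan out to ten fresh addresses that all feed a mixer.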
The recent hack on Tron and the subsequent laundering of the stolen funds underscore the need for robust security measures and vigilant monitoring within the crypto ecosystem. As the technology evolves, so, it seems, do the tactics of those who seek to exploit it. As the investigation into this hack continues, one hopes that the lessons learned will lead to stronger defenses against such criminal activities in the future.