Chainalysis: YoMix Emerges as Top Bitcoin Mixer After Tornado Cash, Sinbad Shutdowns

Chayanika Deka Feb 15, 2024 14:00
Sophisticated bad actors like the Lazarus Group adapted their money laundering strategy by turning to YoMix and by employing chain hopping via cross-chain bridges.

With Tornado Cash sanctioned and Sinbad shut down following similar actions against the platform, Chainalysis revealed that YoMix, a Bitcoin mixer, has stepped in as an alternative.

Recent findings by the blockchain analysis firm show that a wallet linked to North Korean hacking operations, which used to receive funds from Sinbad, has received funds from YoMix.

Lazarus Group Shifts Mixer Tactics

Sophisticated cybercriminal groups like Lazarus Group have adapted their mixer usage. Following the sanctioning of Tornado Cash, Sinbad emerged as the mixer of choice for North Korea-linked hackers in 2022. However, with Sinbad no longer accessible, YoMix, a Bitcoin-based mixer, has stepped in as a substitute.

YoMix experienced significant growth in 2023, with inflows increasing by more than five times throughout the year.

According to Chainalysis data shared with CryptoPotato, approximately one-third of all YoMix inflows originate from wallets associated with crypto hacks.

The surge in YoMix usage, coupled with its adoption by the Lazarus Group, demonstrates how sophisticated actors can adapt and find alternative obfuscation services when previously popular options are shut down.

YoMix Fund Growth. Source: Chainalysis

In 2023, money laundering became less concentrated at the deposit address level, even as it became slightly more concentrated at the service level. Deposit addresses resemble bank accounts and are associated with individual users on centralized services.

Chainalysis speculated that crypto criminals might have been “diversifying” their money laundering across multiple nested services or deposit addresses to evade detection by law enforcement and exchange compliance teams. Diversifying the activity across more addresses could also serve as a tactic to mitigate the consequences if any single deposit address is frozen due to suspicious activity.

Crypto Money Laundering Tactics Exposed

A large share of crypto money laundering activity involves relatively unsophisticated methods, with perpetrators often sending funds directly to exchanges.

For instance, the now-defunct iSpoof service, which facilitated over £100 million in fraudulent activity before being shut down by authorities, transferred millions in Bitcoin directly to a set of deposit addresses at a centralized exchange.

Total Illicit Value Moving to Bridges. Source: Chainalysis

However, cybercriminals with more advanced on-chain laundering skills, such as the Lazarus Group, typically employ a wider range of crypto services and protocols, as noted by Chainalysis.

Besides YoMix, these illicit actors are increasingly utilizing cross-chain bridges.

In 2023, bridge protocols received a total of $743.8 million in crypto from illicit addresses, a significant increase from the $312.2 million recorded in 2022. Notably, North Korea-linked hackers have been prominent users of bridges for money laundering purposes.
