Hackers hide their actions by disguising themselves as inexperienced traders to launder cryptocurrency

Date: 2025-03-19 Author: Henry Casey Categories: BUSINESS
The approach involves creating swaps that are deliberately vulnerable to arbitrage bots, with the bots controlled by the hackers themselves. According to experts, the actions of the Lazarus group stand out among such attacks.

Experts note that these operations resemble traditional money laundering schemes. In particular, a researcher from Hacken, Egor Ruditsa, discovered many suspicious transactions conducted through crypto mixers FixedFloat and ChangeNow, which are often used to launder funds.

These operations rely on stablecoins such as USDC and USDT and follow a multi-stage process. First, several wallets deposit and withdraw funds through the Aave platform. Then, after the assets are withdrawn, the launderers send the stablecoins to trading pools on the decentralized exchange Uniswap.

Stablecoins usually have a stable price because they are pegged to the dollar. However, the attackers set up the pools in such a way that bots they control can interfere with the trades. In one such example, hackers were recorded exchanging $90,000 in USDC for $2,300 in USDT, losing $87,700. Despite the loss on that one transaction, the launderers recouped it through arbitrage profits.

Ruditsa also found that six similar trades were executed through the same trading pool within five minutes, indicating a highly organized operation by the criminals.
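
The pattern described above (swaps between two dollar-pegged stablecoins that give up most of their value, repeated in one pool within five minutes) can be screened for in swap records. The following is an added example, not part of the original article or the researcher's tooling; the record fields, thresholds, pool names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
STABLECOINS = {"USDC", "USDT"}   # dollar-pegged tokens named in the article
MAX_LOSS = 0.05                  # assumed threshold: >5% of value lost on a peg-to-peg swap
WINDOW = timedelta(minutes=5)    # the article's "within five minutes"
MIN_REPEATS = 3                  # assumed: lossy swaps in one pool before it is flagged

def loss_ratio(swap):
    """Fraction of dollar value lost, treating both stablecoins as worth $1."""
    return 1 - swap["amount_out"] / swap["amount_in"]

def lossy_stable_swaps(swaps):
    """Swaps between two different stablecoins that give up more than MAX_LOSS."""
    return [s for s in swaps
            if {s["token_in"], s["token_out"]} <= STABLECOINS
            and s["token_in"] != s["token_out"]
            and s["amount_in"] > 0 and loss_ratio(s) > MAX_LOSS]

def clustered_pools(swaps):
    """Map pool -> largest number of lossy swaps falling inside any single WINDOW."""
    by_pool = defaultdict(list)
    for s in lossy_stable_swaps(swaps):
        by_pool[s["pool"]].append(s["ts"])
    flagged = {}
    for pool, times in by_pool.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):      # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= MIN_REPEATS:
            flagged[pool] = best
    return flagged

# Constructed sample records (not real chain data); amounts are decimal-normalised.
T0 = datetime(2025, 3, 1, 12, 0, 0)
def _swap(sec, pool, tin, ain, tout, aout):
    return {"ts": T0 + timedelta(seconds=sec), "pool": pool,
            "token_in": tin, "amount_in": ain, "token_out": tout, "amount_out": aout}
SAMPLE = [_swap(i * 50, "pool-A", "USDC", 90_000, "USDT", 2_300) for i in range(6)]
SAMPLE += [
    _swap(10, "pool-B", "USDC", 10_000, "USDT", 9_995),     # ordinary peg-to-peg swap
    _swap(20, "pool-A", "USDC", 5_000, "WETH", 2.1),        # not stable-to-stable
    _swap(4_000, "pool-A", "USDT", 50_000, "USDC", 1_000),  # lossy, outside the window
]

if __name__ == "__main__":
    print(clustered_pools(SAMPLE))
```

A flag from this screen is a lead for manual tracing of the wallets on both sides of the trade, not proof of laundering on its own.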

In addition, hackers use other methods to cover their tracks. One such method is a sandwich attack, where bots buy tokens before large trades and then sell them at a premium. Hackers also actively work with low-liquidity assets. For example, one of the addresses associated with Lazarus used WAFF and USDT tokens, which led to the blocking of the Uniswap pool by Tether.

Recall that on March 13, hackers from Lazarus transferred 400 ETH (~$752,000) to the Tornado Cash crypto mixer. These funds were received through the THORChain protocol, which the group used to launder stolen funds from the Bybit platform.