Yicong Wang, a Chinese OTC trader, has been laundering stolen crypto for the notorious North Korean hacking group known as Lazarus Group since 2022.
Known for using pseudonyms like Seawang, Greatdtrader, and BestRhea977, Wang has helped convert tens of millions of dollars in stolen crypto into cash through bank transfers.
On-chain investigator ZachXBT exposed Wangās involvement after a victim reached out earlier in the year to report that their account was frozen after completing a P2P transaction with the criminal. They also provided Zach with a TRON wallet address used by Wang, taken from a WeChat conversation.
Wangās role in laundering stolen crypto
Zachās research revealed that Yicong Wang facilitated laundering of stolen funds from Lazarus-related hacks like those on Alex Labs, EasyFi, Bondly, and the Irys co-founder.
Specifically, one address controlled by Wang consolidated $17 million from these hacks, with $374K USDT blacklisted by Tether in November 2023. After this blacklist, the remaining funds were quickly moved to Tornado Cash, the infamous crypto mixer.
Between November and December 2023, 13 transactions of 100 ETH each were withdrawn and moved to a different Ethereum address. Later in December, $45K was bridged to TRON, eventually landing in wallets tied to Wang.
Despite Tetherās attempts to blacklist these funds, he moved the money efficiently through crypto mixing services.
Lazarusā attack on Alex Labs in May 2024 resulted in a $4.5 million loss. Shortly after, one of the hacked addresses deposited 470 ETH into a privacy protocol.
The same amount was withdrawn and transferred to two new addresses within hours. Another 449 ETH followed the same pattern between June 27 to 28 this year, and ended up in Wangās accounts.
More stolen crypto laundered
In July, Lazarus Group launched another attack, this time targeting the Irys co-founder. They used a spear-phishing email campaign to steal $1.3 million in crypto. The stolen ETH followed the same route as before, with Wang facilitating the laundering process.
On July 31, the stolen 70.8 ETH was deposited into a privacy protocol, followed by another 338 ETH. Again, these funds were sent to multiple addresses before ending up in Wangās TRON wallets.
By August 13, Wang had laundered another $1.5 million USDT from Lazarus Groupās hacks. During this period, funds were bridged from Ethereum to TRON, linking directly to his accounts.
Investigations into these transactions showed that an Ethereum address blacklisted by Tether in August, containing 948K USDT, was also connected to Wang.
Before being blacklisted, 746K USDT was transferred to one of his addresses. Wang didnāt stop even after being banned from major platforms like Paxful and Noones for laundering funds.
Though his accounts under the aliases were shut down, Wang continued making offsite transactions, assisting Lazarus Group with laundering funds.
Lazarusā continuous Threat to the crypto industry
As of October 23, 2024, Lazarus Group remains one of the most dangerous threats to the crypto industry. They continue to execute high-profile hacks, targeting centralized and decentralized platforms.Ā
Their methods have become increasingly sophisticated, using social engineering campaigns like the āEager Crypto Beaversā to trick blockchain professionals into downloading malware. This malware steals credentials and access to crypto wallets, making it easier for Lazarus to drain funds.
In 2024 alone, the hacking group has been responsible for many major hacks. In July, they breached the Indian crypto exchange WazirX, resulting in over $235 million in losses.
They also targeted centralized platforms like Stake.com, which lost $41 million in September 2023, and Deribit, which suffered a $28 million loss in November 2022.
While law enforcement has made some progress, recovering stolen funds has been challenging. The U.S. Department of Justice (DOJ) is actively working to track and recover crypto stolen by Lazarus, but the groupās laundering methods make this difficult.
Earlier this month, the DOJ filed lawsuits to recover over $2.67 million in stolen digital assets tied to the Deribit and Stake.com hacks. But these efforts represent only a fraction of the total amount stolen by Lazarus.
