Hackers Launder Cryptocurrency by Posing as Inexperienced Traders


Cybercriminals have adopted a new method of laundering cryptocurrency by disguising their actions as mistakes made by novice traders, according to DL News, citing experts.

Hackers create swap transactions vulnerable to arbitrage bots, which they themselves control. This tactic is reportedly used by groups such as Lazarus Group.

These transactions exhibit characteristics commonly associated with money laundering, explained Yegor Ruditza, a security researcher at blockchain company Hacken.

He identified multiple suspicious transactions from wallets that funneled funds through FixedFloat and ChangeNow—two crypto mixers frequently used for laundering.

The scheme primarily uses the USDC and USDT stablecoins and proceeds in several steps.

First, several wallets deposit and withdraw funds via Aave. After withdrawing assets, the launderers add stablecoins to a liquidity pool on Uniswap.

Normally, stablecoins trade at roughly the same price since they are pegged to the U.S. dollar. However, the hackers configure Uniswap pools in a way that allows their own bots to intervene in trades.

In one instance, the attackers swapped $90,000 in USDC for just $2,300 in USDT, a loss of $87,700. While the wallet initiating the transaction appears to suffer a loss, the missing funds are actually recouped as arbitrage profit by software the hackers control.

Ruditza said he identified six such transactions executed within the same liquidity pool over just five minutes, indicating an organized operation.
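The pattern described above (stablecoin-to-stablecoin swaps at a heavy loss, repeated in one pool within minutes) can be screened for in decoded swap records. The following is an added example, not code from the article or from Hacken; the record fields, pool names, transaction ids, sample amounts other than the $90,000/$2,300 swap, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

STABLES = {"USDC", "USDT"}  # the two stablecoins named in the article

@dataclass(frozen=True)
class Swap:            # hypothetical decoded swap record
    tx: str            # placeholder transaction id
    pool: str          # placeholder pool label
    ts: int            # unix seconds
    token_in: str
    amount_in: float
    token_out: str
    amount_out: float

def loss_ratio(s):
    """Fraction of value lost on a stable-to-stable swap (0.0 means at peg)."""
    return 1.0 - s.amount_out / s.amount_in

def is_lossy_stable_swap(s, min_loss):
    pair_ok = {s.token_in, s.token_out} <= STABLES and s.token_in != s.token_out
    return pair_ok and s.amount_in > 0 and loss_ratio(s) >= min_loss

def flag_clusters(swaps, min_loss=0.5, window=300, min_count=3):
    """Return {pool: [tx ids]} where >= min_count lossy swaps fall within `window` seconds."""
    by_pool = defaultdict(list)
    for s in swaps:
        if is_lossy_stable_swap(s, min_loss):
            by_pool[s.pool].append(s)
    flagged = {}
    for pool, items in by_pool.items():
        items.sort(key=lambda s: s.ts)
        start, best = 0, []
        for end in range(len(items)):          # sliding time window
            while items[end].ts - items[start].ts > window:
                start += 1
            if end - start + 1 > len(best):
                best = items[start:end + 1]
        if len(best) >= min_count:             # a lone bad trade is not flagged
            flagged[pool] = [s.tx for s in best]
    return flagged

# Constructed sample data: six lossy swaps in one pool inside five minutes,
# one normal swap near the peg, and one isolated lossy swap elsewhere.
T0 = 1_700_000_000
SAMPLE = [Swap("tx1", "POOL_A", T0, "USDC", 90_000, "USDT", 2_300)]
SAMPLE += [Swap(f"tx{i}", "POOL_A", T0 + 55 * (i - 1), "USDC", 50_000, "USDT", 1_500)
           for i in range(2, 7)]
SAMPLE += [Swap("tx7", "POOL_B", T0 + 10, "USDC", 10_000, "USDT", 9_995),
           Swap("tx8", "POOL_C", T0 + 20, "USDT", 5_000, "USDC", 900)]
```

Requiring several lossy swaps in the same pool within the window is what separates this pattern from a single genuine mistake by a new trader, which the isolated swap in the sample represents.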

Hackers also employ other tactics, such as sandwich attacks, where bots purchase tokens ahead of large transactions and sell them at a premium.

Another scheme involves low-liquidity assets. In one observed case, a Lazarus-linked address used WAFF and USDT, leading Tether to freeze the associated Uniswap pool.

Reminder: On March 13, Lazarus hackers sent 400 ETH (~$752,000) to the Tornado Cash crypto mixer. The originating address had received funds via THORChain, which the group has actively used to launder stolen Bybit assets.