According to CryptoPotato, YoMix, a Bitcoin mixer, has gained popularity among North Korea-linked hackers as an alternative to Tornado Cash and Sinbad. Blockchain analysis firm Chainalysis discovered that a wallet connected to North Korean hacking operations received funds from YoMix, whereas it had previously received funds from Sinbad. Sophisticated cybercriminal groups like Lazarus Group have adapted their mixer usage, with YoMix stepping in as a substitute after Sinbad became inaccessible. YoMix experienced significant growth in 2023, with inflows increasing by more than five times throughout the year. Chainalysis data revealed that approximately one-third of all YoMix inflows originate from wallets associated with crypto hacks.
The surge in YoMix usage, coupled with its adoption by the Lazarus Group, demonstrates how sophisticated actors can adapt and find alternative obfuscation services when previously popular options are shut down. In 2023, money laundering became less centralized at the deposit-address level, even as it became slightly more concentrated at the service level. Chainalysis speculated that crypto criminals might have been diversifying their money laundering across multiple nested services or deposit addresses to evade detection by law enforcement and exchange compliance teams. Diversifying the activity across more addresses could also serve as a tactic to mitigate the consequences if any single deposit address is frozen due to suspicious activity.
A significant share of crypto money laundering activity involves relatively unsophisticated methods, with perpetrators often sending funds directly to exchanges. However, cybercriminals with more advanced on-chain laundering skills, such as the Lazarus Group, typically employ a wider range of crypto services and protocols. Besides YoMix, these illicit actors are increasingly utilizing cross-chain bridges. In 2023, bridge protocols received a total of $743.8 million in crypto from illicit addresses, a significant increase from the $312.2 million recorded in 2022. Notably, North Korea-linked hackers have been prominent users of bridges for money laundering purposes.