Cointelegraph Bitcoin & Ethereum Blockchain News

What are coin mixers, and how are they used in high-profile hacks?

Crypto mixers, or tumblers, are basically smart contracts used to hide the origin of crypto transactions. Hackers send their cryptocurrency to a mixer’s address. The mixer blends the crypto with coins sent by other users, thereby concealing the identity of each contributor. Subsequently, the mixer redistributes the coins, effectively obscuring their original source.

For example, if 10 users each mix 1 Ether (ETH), they each contribute and receive different ETH. The mixers’ ability to conceal funds has a dual nature: Hackers use them to hide stolen funds, while others enhance financial privacy, protecting against surveillance. Despite their controversial use, mixers remain a tool for those seeking greater crypto anonymity.

Hackers frequently combine crypto mixing with other laundering techniques such as decentralized exchange (DEX) trading, peel chains and crypto bridging. DEX trading involves directly exchanging cryptocurrencies between users on a DEX, eliminating the need for a central authority. A peel chain is a type of multi-wallet transfer where the hackers send increasingly smaller amounts across each hop instead of large amounts.
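For investigators, the peel-chain pattern described above can be screened for with a simple graph walk. The following is an added example, not code from the original article: a heuristic that follows the largest outgoing transfer at each hop and flags the path when the forwarded amount shrinks every time. The transfer data and wallet names are constructed, and the `min_hops` threshold is an assumption.

```python
# Constructed sample transfers: (sender, receiver, amount in ETH).
# Wallet names are made up for this example.
SAMPLE_TRANSFERS = [
    ("W0", "W1", 100.0), ("W0", "X0", 0.5),
    ("W1", "W2", 90.0), ("W1", "C1", 10.0),
    ("W2", "W3", 81.0), ("W2", "C2", 9.0),
    ("W3", "W4", 70.0), ("W3", "C3", 11.0),
    ("A", "B", 5.0), ("B", "C", 5.0),   # plain pass-through, not a peel chain
]

def trace_peel_chain(transfers, start, min_hops=3):
    """Follow the largest output per hop while forwarded amounts keep shrinking."""
    outgoing = {}
    for src, dst, amount in transfers:
        outgoing.setdefault(src, []).append((dst, amount))

    path, amounts, peeled, seen = [start], [], [], {start}
    wallet = start
    while wallet in outgoing:
        dst, amount = max(outgoing[wallet], key=lambda t: t[1])
        # Stop on a cycle or when the forwarded amount is not smaller than before.
        if dst in seen or (amounts and amount >= amounts[-1]):
            break
        # The smaller side outputs are the "peels" worth tracing separately.
        peeled.extend((d, a) for d, a in outgoing[wallet] if d != dst)
        path.append(dst)
        amounts.append(amount)
        seen.add(dst)
        wallet = dst
    return {"path": path, "amounts": amounts, "peeled": peeled,
            "is_peel_chain": len(amounts) >= min_hops}

if __name__ == "__main__":
    print(trace_peel_chain(SAMPLE_TRANSFERS, "W0"))
```

A match is a lead for further tracing rather than proof of laundering, since ordinary change outputs can produce the same shape.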

Functioning of coin mixers

In a brazen display of their sophisticated laundering capabilities, North Korea’s Lazarus Group executed a complex operation involving the theft and subsequent obfuscation of $1.46 billion in cryptocurrency mere days following the high-profile Bybit hack. 

Using coin mixers and the decentralized crosschain protocol THORChain, the group laundered the stolen funds just days after the hack.

This incident is not an isolated case. In 2024 alone, Pyongyang-based hackers have reportedly stolen $800 million in crypto. The stolen funds were rapidly funneled through crypto mixers, intermediary wallets, DEXs and crosschain bridges using advanced laundering tactics.

North Korean hackers have been responsible for over $5 billion in stolen crypto since 2017, utilizing platforms like Ren Bridge and Avalanche Bridge, often converting funds into Bitcoin (BTC) before employing mixers such as Tornado Cash, Sinbad, YoMix, Wasabi Wallet and CryptoMixer.

Notable crypto hacks by Lazarus Group include WazirX (July 2024), Stake.com (September 2023), CoinsPaid and Alphapo (July 2023), Harmony Horizon Bridge (June 2022) and Ronin Bridge (March 2022), among others.

Notable crypto heists by the Lazarus group

Did you know? Fraudulent organizations like the Lazarus Group are suspected of running private mixers. Attributing wallets to these mixers requires careful consideration, as it carries a significant risk of wrongly identifying individuals who use them for legitimate privacy or are otherwise uninvolved.

What are crosschain bridges, and why do hackers use them to launder stolen funds?

Hackers leverage crosschain bridges, which facilitate verifiable data transfers across networks and thereby enable interoperability, often without reliance on a centralized intermediary. Through the lock-mint methodology, these crypto bridges secure the original token in a smart contract and subsequently mint a corresponding wrapped version on the target blockchain.

For instance, when transferring an asset from Ethereum to Solana, the asset is first sent to a bridge contract on Ethereum, where it is “locked.” The bridge then notifies Solana, which creates a “wrapped” version of the asset, allowing it to function on the Solana network as a native coin.

To reverse the process, the wrapped asset is “burned” on Solana. The bridge then notifies the Ethereum blockchain to unlock the original asset, maintaining supply balance across both chains.

Hackers exploit vulnerabilities within these bridge transactions. They identify weaknesses that allow the creation of wrapped assets on the target chain without the corresponding locking of original assets on the source chain. 

They can also manipulate the system to unlock original assets without the required burning of wrapped versions. This allows for the theft of funds without a legitimate deposit. Here’s how it works:

  • False deposit events: A common tactic hackers use is triggering false deposit events. Crypto bridges typically monitor blockchains for deposit confirmations before issuing corresponding tokens on another chain. Hackers trick the system by creating fake deposit events or using worthless tokens. An example of such an attack is the Qubit hack, where the hackers created false deposit events using a legacy function in the code.
  • Validator takeover: Another method is validator takeover, which targets bridges relying on validator consensus for transaction approval. If hackers gain control of most validators, they can authorize malicious transfers. In the Ronin Network hack, attackers seized five out of nine validators, enabling them to move funds undetected.
  • Fake deposits: Hackers…
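The lock/mint and burn/unlock pairing described above gives bridge operators an invariant to monitor: every mint needs a matching lock, every unlock needs a matching burn, and locked balance should equal wrapped supply. The following is an added example, not code from the original article or from any bridge project. It reconciles an ordered event stream and raises alerts for the failure modes the article lists. The event data is constructed and the field names are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real chain data). The "id" field pairs a
# source-chain action with its target-chain counterpart; names are assumed.
SAMPLE_EVENTS = [
    {"chain": "source", "type": "lock",   "id": "t1", "amount": 10},
    {"chain": "target", "type": "mint",   "id": "t1", "amount": 10},
    {"chain": "target", "type": "mint",   "id": "t2", "amount": 500},  # no lock
    {"chain": "source", "type": "lock",   "id": "t3", "amount": 5},
    {"chain": "target", "type": "mint",   "id": "t3", "amount": 50},   # mismatch
    {"chain": "target", "type": "burn",   "id": "t4", "amount": 4},
    {"chain": "source", "type": "unlock", "id": "t4", "amount": 4},
    {"chain": "source", "type": "unlock", "id": "t5", "amount": 7},    # no burn
]

# Each release action must be backed by an earlier action on the other chain.
REQUIRES = {"mint": "lock", "unlock": "burn"}

def reconcile(events):
    """Return (alerts, locked_balance, wrapped_supply) for an ordered event list."""
    backing = {}                 # (type, id) -> amount waiting to be released
    totals = defaultdict(int)
    alerts = []
    for ev in events:
        kind, tid, amount = ev["type"], ev["id"], ev["amount"]
        totals[kind] += amount
        if kind in REQUIRES:
            need = REQUIRES[kind]
            # pop() consumes the backing, so a replayed mint/unlock is flagged too
            backed = backing.pop((need, tid), None)
            if backed is None:
                alerts.append((tid, f"{kind} without {need}"))
            elif backed != amount:
                alerts.append((tid, f"{kind} amount {amount} != {need} amount {backed}"))
        else:
            backing[(kind, tid)] = amount
    locked = totals["lock"] - totals["unlock"]
    wrapped = totals["mint"] - totals["burn"]
    if locked != wrapped:
        alerts.append(("supply", f"locked {locked} != wrapped {wrapped}"))
    return alerts, locked, wrapped

if __name__ == "__main__":
    for alert in reconcile(SAMPLE_EVENTS)[0]:
        print(alert)
```

In production the events would come from indexed logs on both chains, and the check would run independently of the bridge's own validators so that a validator compromise cannot silence it.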
