How Chinese OTC trader Yicong Wang helped Lazarus Group convert stolen crypto into cash

Yicong Wang, a Chinese OTC trader, has been laundering stolen crypto for the notorious North Korean hacking group known as Lazarus Group since 2022.

Known for using pseudonyms like Seawang, Greatdtrader, and BestRhea977, Wang has helped convert tens of millions of dollars in stolen crypto into cash through bank transfers.

On-chain investigator ZachXBT exposed Wang’s involvement after a victim reached out earlier in the year to report that their account was frozen after completing a P2P transaction with the criminal. They also provided Zach with a TRON wallet address used by Wang, taken from a WeChat conversation.

Wang’s role in laundering stolen crypto

Zach’s research revealed that Yicong Wang facilitated laundering of stolen funds from Lazarus-related hacks like those on Alex Labs, EasyFi, Bondly, and the Irys co-founder.

Specifically, one address controlled by Wang consolidated $17 million from these hacks, with $374K USDT blacklisted by Tether in November 2023. After this blacklist, the remaining funds were quickly moved to Tornado Cash, the infamous crypto mixer.

Between November and December 2023, 13 transactions of 100 ETH each were withdrawn and moved to a different Ethereum address. Later in December, $45K was bridged to TRON, eventually landing in wallets tied to Wang.

Despite Tether’s attempts to blacklist these funds, he moved the money efficiently through crypto mixing services.

Lazarus’ attack on Alex Labs in May 2024 resulted in a $4.5 million loss. Shortly after, one of the hacked addresses deposited 470 ETH into a privacy protocol.

The same amount was withdrawn and transferred to two new addresses within hours. Another 449 ETH followed the same pattern between June 27 to 28 this year, and ended up in Wang’s accounts.

More stolen crypto laundered

In July, Lazarus Group launched another attack, this time targeting the Irys co-founder. They used a spear-phishing email campaign to steal $1.3 million in crypto. The stolen ETH followed the same route as before, with Wang facilitating the laundering process.

On July 31, the stolen 70.8 ETH was deposited into a privacy protocol, followed by another 338 ETH. Again, these funds were sent to multiple addresses before ending up in Wang’s TRON wallets.

By August 13, Wang had laundered another $1.5 million USDT from Lazarus Group’s hacks. During this period, funds were bridged from Ethereum to TRON, linking directly to his accounts.

Investigations into these transactions showed that an Ethereum address blacklisted by Tether in August, containing 948K USDT, was also connected to Wang.

Before being blacklisted, 746K USDT was transferred to one of his addresses. Wang didn’t stop even after being banned from major platforms like Paxful and Noones for laundering funds.

Though his accounts under the aliases were shut down, Wang continued making offsite transactions, assisting Lazarus Group with laundering funds.

Lazarus’ continuous Threat to the crypto industry

As of October 23, 2024, Lazarus Group remains one of the most dangerous threats to the crypto industry. They continue to execute high-profile hacks, targeting centralized and decentralized platforms. 

Their methods have become increasingly sophisticated, using social engineering campaigns like the “Eager Crypto Beavers” to trick blockchain professionals into downloading malware. This malware steals credentials and access to crypto wallets, making it easier for Lazarus to drain funds.

In 2024 alone, the hacking group has been responsible for many major hacks. In July, they breached the Indian crypto exchange WazirX, resulting in over $235 million in losses.

They also targeted centralized platforms like Stake.com, which lost $41 million in September 2023, and Deribit, which suffered a $28 million loss in November 2022.

While law enforcement has made some progress, recovering stolen funds has been challenging. The U.S. Department of Justice (DOJ) is actively working to track and recover crypto stolen by Lazarus, but the group’s laundering methods make this difficult.

Earlier this month, the DOJ filed lawsuits to recover over $2.67 million in stolen digital assets tied to the Deribit and Stake.com hacks. But these efforts represent only a fraction of the total amount stolen by Lazarus.