Analysis of DPRK-Linked Money Laundering Infrastructure
2026.07.01

✅ Report Title: Analysis of DPRK-Linked Money Laundering Infrastructure



✅ Executive Summary:


- North Korea continuously conducts virtual asset compromise and money laundering activities to circumvent restrictions on securing foreign currency due to international financial sanctions.


- Representative cases include Ronin Bridge (2022), Horizon Bridge (2022), Atomic Wallet (2023), DMM Bitcoin (2024), and Bybit (2025), and the United States government and major blockchain analysis firms assess these as activities of North Korean-backed threat groups such as Lazarus and TraderTraitor.



📌 North Korea's Virtual Asset Compromise and Money Laundering Activities


- North Korean-backed threat groups tend to structure laundering flows in multiple stages rather than immediately cashing out compromised assets. However, the same service is not used in all cases. Based on the disclosed cases, the threat actor disperses the compromised assets into multiple wallets, then selectively uses mixers, bridges, cross-chain swaps, exchange services, and OTC networks, and finally converts them into stablecoins such as USDT and USDC before cashing out through the OTC network.



📌 Money Laundering Procedure


- The characteristics of each stage are as follows.


1) Initial Distribution Phase


- The compromised assets are distributed into hundreds to thousands of wallets, making tracking and asset freezing difficult.


2) Mixer Stage


- In some cases, a mixer is used. A mixer refers to a service that weakens the connection between sender and receiver by mixing the virtual assets of multiple users and redistributing them to new addresses.


3) Bridge / Cross-Chain Swap Stage


- In some cases, bridge or cross-chain swaps are utilized. A bridge is a service that supports asset transfers between different blockchains, and a cross-chain swap refers to the method of directly exchanging assets from different blockchains without going through a centralized exchange.


- In multiple recent incidents attributed to North Korean-backed groups, ETH-to-BTC conversion via THORChain has been repeatedly confirmed. THORChain itself is a legitimate cross-chain liquidity protocol, but when a threat actor uses it to move assets to another chain, tracking based on a single chain becomes more complex.


4) Cash Conversion (OTC) Stage


- In the final stage, the OTC (Over-The-Counter) network is utilized. OTC refers to a method of conducting direct transactions between parties without going through the exchange order book, and it is known that Chinese-speaking brokers and currency exchange networks play a major role.


- Recently, the Southeast Asia-based OTC ecosystem, which includes Huione-affiliated services such as Huione Pay, Huione Crypto, and Haowang Guarantee, has been continuously mentioned as a major concern for money laundering.



📌 Main Laundering Infrastructure


Blender.io


- Blender.io is a Bitcoin-based virtual asset mixer service. The United States Department of the Treasury explained that its May 2022 sanction on Blender.io was the first OFAC sanction against a virtual asset mixer. The Treasury also stated that Blender.io processed more than 20.5 million USD of the funds compromised in the Ronin Bridge hack.


- Blender.io is analyzed to use a structure that mixes deposited bitcoins into an internal liquidity pool and then distributes them to multiple new addresses. By delaying withdrawal timing and routing funds through multiple addresses, this structure made transaction flows difficult to analyze.


- Blender.io is significant as the first mixer subjected to OFAC sanctions in a virtual asset money laundering case attributed to North Korea.


Tornado Cash


- Tornado Cash is an Ethereum-based decentralized smart contract mixer. A smart contract is a program that automatically executes when predetermined conditions are met on the blockchain, and Tornado Cash utilized these smart contracts along with Zero-Knowledge Proof (ZKP) technology to weaken the link between deposit addresses and withdrawal addresses.


- Zero-Knowledge Proof (ZKP) is a cryptographic technique that allows one to prove the possession of certain information without revealing the information itself. In Tornado Cash, users can withdraw funds by proving that they have previously deposited into the pool, without revealing which specific deposit is linked. As a result, it becomes difficult to analyze the direct correlation between the deposit address and the withdrawal address.


Sinbad.io


- Sinbad.io is a Bitcoin-based mixer service that was repeatedly identified in North Korea-linked virtual asset laundering cases after the sanctions on Blender.io. The United States Treasury explained in November 2023 that Sinbad.io was sanctioned because it was used to process funds compromised in the Ronin Bridge and Harmony Horizon Bridge hacks.


eXch


- eXch is a virtual asset exchange service focused on anonymity, with minimal user identity verification (KYC). eXch supported multiple blockchains and, because of its policy of minimizing user information collection, was used as a fund-transfer channel in various illegal money laundering cases.


- According to Elliptic, eXch was identified as one of the main money laundering routes used by North Korean-backed threat groups following the Bybit hack. eXch has been criticized for minimal user identity verification and insufficient anti-money laundering controls, and the controversy over its anti-money laundering measures grew after the Bybit incident. eXch subsequently announced the termination of its operations.


THORChain


- THORChain is a decentralized protocol that supports cross-chain swaps. Cross-chain swap refers to the method of directly exchanging assets from different blockchains without going through a centralized exchange.


- THORChain was originally designed as a legitimate decentralized finance (DeFi) service. However, after the Bybit hack it was confirmed that the compromised funds moved through THORChain, and it is assessed as a key service repeatedly identified in North Korea's virtual asset money laundering process.


Chinese Laundromat Network and Huione


- Chinese Laundromat refers to an informal money laundering network consisting of Chinese-speaking OTC brokers, fund intermediaries, escrow services, and the like, rather than a specific service. TRM Labs explains that the final liquidation stage of funds compromised by North Korean-backed organizations tends to be outsourced to OTC and fund brokerage networks. This suggests that North Korea's virtual asset laundering structure is expanding from technology service-centered methods like mixers to a financial network-centered approach.



📌 Public IoC and Identification Information Analysis


- In the past, mixer services such as Blender.io, Tornado Cash, and Sinbad.io were primarily used for laundering, but recently, cross-chain swap and OTC-based infrastructures like THORChain, eXch, and Huione-related services have been repeatedly observed.


- In money laundering by North Korean-backed organizations, the services and protocols through which funds pass are considered more important tracking targets than individual wallet addresses.


- The threat actor can continuously change addresses, but the laundering infrastructure tends to be repeatedly reused or to reappear in similar forms.


- For more detailed analysis of IoC and Identification Information, please contact us via the link below.



✅ Recommended Threat Detection and Mitigation Actions:


- In the detection and response process, behavior-based analysis centered on services and protocols is required, along with detection based on public IoCs.
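As an added illustration of this recommendation and of the multi-stage procedure described above (example code written for this page, not part of the S2W report), the following Python sketch classifies a traced flow by the service categories it touches rather than by individual addresses, and checks whether the sequence matches the distribution, obfuscation (mixer or cross-chain swap), then stablecoin or OTC cash-out pattern. The address labels, the fan-out threshold and the sample transfers are constructed placeholders.

```python
from collections import defaultdict
from typing import NamedTuple

# Counterparty -> (service, stage). Addresses are constructed placeholders; a real
# deployment would load them from sanctions and attribution feeds.
SERVICE_LABELS = {
    "addr_mixer_01": ("Tornado Cash", "mixer"),
    "addr_swap_01": ("THORChain", "cross_chain_swap"),
    "addr_otc_01": ("Huione Pay", "otc"),
}
STABLECOINS = {"USDT", "USDC"}
FANOUT_THRESHOLD = 50  # assumption; the report cites hundreds to thousands of wallets


class Transfer(NamedTuple):
    seq: int    # ordering surrogate (block height or timestamp)
    src: str
    dst: str
    asset: str


def classify(transfers):
    """Summarise a traced flow by the stages and services it touches, not by address."""
    transfers = sorted(transfers, key=lambda t: t.seq)
    fanout = defaultdict(set)
    for t in transfers:
        fanout[t.src].add(t.dst)
    stages, services = [], set()
    for t in transfers:
        stage = None
        if t.dst in SERVICE_LABELS:
            name, stage = SERVICE_LABELS[t.dst]
            services.add(name)
        elif len(fanout[t.src]) >= FANOUT_THRESHOLD:
            stage = "distribution"
        elif t.asset in STABLECOINS:
            stage = "stablecoin"
        if stage and (not stages or stages[-1] != stage):
            stages.append(stage)  # collapse consecutive repeats of one stage
    first = {s: stages.index(s) for s in stages}
    obfuscated = [first[s] for s in ("mixer", "cross_chain_swap") if s in first]
    cashout = [first[s] for s in ("stablecoin", "otc") if s in first]
    matches = ("distribution" in first and bool(obfuscated) and min(obfuscated) > first["distribution"]
               and any(c > min(obfuscated) for c in cashout))
    return {"stages": stages, "services": sorted(services), "matches_pattern": matches}


def sample_flow():  # constructed: 60-wallet fan-out, then THORChain, mixer, USDT to OTC
    txs = [Transfer(i, "addr_victim", f"addr_hop_{i:03d}", "ETH") for i in range(60)]
    return txs + [Transfer(100, "addr_hop_003", "addr_swap_01", "ETH"),
                  Transfer(101, "addr_hop_007", "addr_mixer_01", "ETH"),
                  Transfer(200, "addr_cashout", "addr_otc_01", "USDT")]
```

Because the match is computed over service categories, the same rule keeps firing when the intermediate wallet addresses change but the infrastructure is reused.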



🧑‍💻 Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request or with a subscription to the S2W platform.

