Kenne Michael 
Investigators utilizing blockchain analytics have uncovered a person connected to a cryptocurrency laundering operation offering stolen tokens from recent high-profile exchange breaches at discounted prices.
A blockchain security company Match Systems representative described how investigations into multiple significant breaches involving similar methods during the summer of 2023 have pointed to an individual allegedly selling stolen cryptocurrency tokens via peer-to-peer transfers.
The investigators identified and established contact with a Telegram user offering stolen property.
After receiving a minor transaction from the corresponding address, the team confirmed that the user controlled an address containing over $6 million worth of cryptocurrencies.
The exchange of misappropriated assets was then conducted via a Telegram bot that offered a 3% discount on the token’s market price.
Following initial discussions, the owner of the address reported that the initial assets for sale had been purchased and that new tokens would be available approximately three weeks later:
“Maintaining our contact, this individual notified us about the commencement of new asset sales. Based on the available information, it is logical to assume that these are funds from CoinEx or Stake companies.”
The Match Systems team has been unable to identify the individual completely but has narrowed down their location to a European time zone based on several screenshots and conversational timings:
“We believe he is not part of the core team but is associated with them, possibly having been de-anonymized as a guarantee that he will not misuse the delegated assets.”
During various interactions, the individual exhibited unstable and erratic behavior, abruptly departing conversations with excuses such as “Sorry, I must go; my mom is calling me to dinner.”
“Typically, he offers a 3% discount. Previously, when we first identified him, he would send 3.14 TRX as a form of proof to potential clients.”
Match Systems reported that the individual accepted Bitcoin as payment for the discounted stolen tokens and had previously sold Tron tokens valued at $6 million.
The Telegram user’s most recent offering included tokens worth $50 million worth of TRX, Ether, and BNB.
Before this, blockchain security company CertiK outlined the movement of stolen funds from the Stake heist, with approximately $4.8 million of the total $41 million being laundered through various token transfers and cross-chain exchanges.
The Federal Bureau of Investigation of the United States later identified North Korean Lazarus Group hackers as the perpetrators of the Stake attack. At the same time, cyber security firm SlowMist also attributed the $55 million CoinEx hack to the same group.
This contradicts data from Match Systems, which suggests that the hackers behind the CoinEx and Stake breaches employed slightly different identifiers and methods.
Their analysis emphasizes that previous Lazarus Group laundering efforts did not involve Commonwealth of Independent States nations like Russia and Ukraine, while the 2023 summer hacks saw stolen funds being actively laundered in these jurisdictions.
Lazarus hackers left investigators with few digital traces, whereas recent incidents have left copious breadcrumbs. Social engineering was also identified as a significant attack vector in the summer breaches, while the Lazarus Group targeted “mathematical vulnerabilities.”
Lastly, the company notes that Lazarus hackers typically used Tornado Cash to launder stolen cryptocurrency, whereas in recent incidents, funds have been combined using Sinbad and Wasabi.
These breaches have utilized BTC wallets as the primary repository for stolen assets and the Avalanche Bridge and token mixers for token laundering.
According to Chainalysis, as of mid-September, North Korea-affiliated organizations had stolen a total of $ 340.4 million in cryptocurrency in 2023.