The Norwegian police agency Økokrim has announced the seizure of $5.84 million worth of cryptocurrency that the Lazarus Group stole in the March 2022 Axie Infinity Ronin Bridge hack.
The Oslo-based crime-fighting unit stated that the case highlights its capacity to trace the money trail on the blockchain even when criminals use advanced methods. The development comes more than 10 months after the US Treasury Department implicated the North Korea-backed hacking group in the theft of $620 million from the Ronin cross-chain bridge.
In September 2022, the US government also announced the recovery of over $30 million worth of cryptocurrency, representing 10% of the stolen funds. Working with international law enforcement partners, Økokrim pieced together the money trail, making it more difficult for the criminals to launder the proceeds.
The agency added that such funds can support North Korea and its nuclear weapons program; it was therefore important to track the cryptocurrency and prevent the criminals from converting it into physical assets.
In a separate development, the crypto exchanges Binance and Huobi froze accounts holding around $1.4 million in digital currency that originated from the June 2022 hack of Harmony's Horizon Bridge. In that attack, also attributed to the Lazarus Group, the threat actors laundered some of the proceeds through Tornado Cash, a mixer sanctioned by the US government in August 2022.
Blockchain analytics firm Elliptic revealed that the stolen funds remained dormant until recently, when investigators began to see them funneled through complex chains of transactions to exchanges. What's more, there are indications that Blender, another cryptocurrency mixer that was sanctioned in May 2022, may have resurfaced as Sinbad, which has laundered nearly $100 million in Bitcoin from hacks attributed to the Lazarus Group.
According to the company, funds siphoned after the Horizon Bridge heist were laundered through a complex series of transactions involving exchanges, cross-chain bridges, and mixers.
Between December 2022 and January 2023, the nation-state group sent a total of 1,429.6 Bitcoin, worth approximately $24.2 million, to the mixer, Chainalysis revealed. The evidence that Sinbad is "highly likely" a rebrand of Blender stems from overlaps in the wallet addresses used, the nexus of both services to Russia, and commonalities in the way the two mixers operate.
Despite Sinbad’s creator claiming it to be a legitimate privacy-preserving project, the mixer has been used primarily to launder proceeds of hacks perpetrated by the Lazarus Group.
The findings arrive as healthcare entities are in the crosshairs of a new wave of ransomware attacks orchestrated by the Lazarus actors to generate illicit revenue for the sanctions-hit nation. Profits made from these financially motivated attacks fund other cyber activities, including spying on the defense sector and defense industrial base organizations in South Korea and the US.
The law enforcement actions have not yet put a dampener on the threat actor's prolific attack spree, which continues to evolve with new behaviors. These include a wide range of anti-forensic techniques designed to erase traces of intrusions and obstruct analysis, according to a recent report by AhnLab Security Emergency Response Center (ASEC).