Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers

Norwegian police agency Økokrim has announced that it has seized cryptocurrency worth NOK 60 million (approximately $5.84 million) stolen by the Lazarus Group in March 2022 following the hacking of the Axie Infinity Ronin Bridge.

“This incident demonstrates the great ability of criminals to track money on the blockchain, even using sophisticated methods,” the agency said in a statement.

The development comes more than a decade after the U.S. Treasury Department blamed a North Korean-backed hacking group for stealing $620 million from the Ronin cross-chain bridge.

Then, in September 2022, the U.S. government announced recovery of over $30 million in cryptocurrency, representing 10% of the stolen funds.

Økokrim said it is working with international law enforcement partners to track and piece together money trails, making it more difficult for criminals to carry out money laundering operations.

“This is money that can support North Korea and its nuclear weapons program,” it added. “That’s why it’s important to track cryptocurrencies and try to stop them when they try to withdraw money on physical assets.”

The development comes as cryptocurrency exchanges Binance and Huobi have frozen accounts containing around $1.4 million in digital currency stemming from the June 2022 hack of Harmony’s Horizon Bridge.

This attack, also attributed to the Lazarus Group, allowed the attackers to launder some of the proceeds through Tornado Cash, which was sanctioned by the US government in August 2022.

Blockchain analytics firm Elliptic said last week that “Investigators have begun to see stolen funds lying dormant until recently, being sent to exchanges through complex transaction chains.”

Additionally, Blender, another cryptocurrency mixer licensed in May 2022, is back as Sinbad and may have laundered about $100 million in bitcoin in a hack by the Lazarus Group, Elliptic’s Tom Robinson told The Hacker News.

According to the company, funds siphoned off after the Horizon Bridge robbery were “laundered through a complex series of transactions involving exchanges, cross-chain bridges and mixers.”

“Tornado Cash was used again, but instead of Blender another Bitcoin mixer was used: Sinbad.”

The service, which only launched in early October 2022, is estimated to have facilitated tens of millions of dollars from Horizon and other North Korea-related hacks.

Over the two-month period from December 2022 to January 2023, the nation-state group sent a total of 1,429.6 bitcoins (worth approximately $24.2 million) to mixers, Chainalysis revealed earlier this month.

Evidence that Sinbad is “very likely” to be a Blender rebrand comes from the duplication of wallet addresses used, ties to Russia, and similarities in how both mixers operate.

“Analysis of blockchain transactions indicates that the bitcoin wallets used to make payments to individuals who promoted Sinbad themselves received bitcoin from wallets of suspected Blender operators,” Elliptic said.

“Analysis of blockchain transactions indicates that almost all of the early incoming transactions to Sinbad (approximately $22 million) originated from wallets of suspected Blender operators.”

The creator of Sinbad, who goes by the alias “Mehdi,” told WIRED that the service was launched in response to “the increasing centralization of cryptocurrencies,” and said that it is a legal and legitimate privacy protection project in line with the policies of Monero, Zcash, Wasabi, and Tor.

The findings also arrive as healthcare organizations find themselves in the crosshairs of a new wave of ransomware attacks orchestrated by Lazarus actors.

According to a joint advisory issued by the two countries, the profits from these financially motivated attacks could be used to fund other cyber activities, such as espionage against defense sectors and defense industrial base organizations in South Korea and the United States.

However, law enforcement actions have not yet deterred the threat actor's mass attacks, which continue to evolve with new behaviors.

These behaviors include a wide range of anti-forensic techniques designed to erase traces of compromise and thwart analysis, according to a recent report by the AhnLab Security Emergency Response Center (ASEC).

ASEC researchers said, “The Lazarus group performed a total of three techniques: data hiding, artifact wiping, and trail obfuscation.”
