Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers

The Lazarus Group stole cryptocurrency worth 60 million NOK (about $5.84 million) in March 2022 in the Axie Infinity Ronin Bridge hack, according to a statement from the Norwegian police agency Økokrim.

The Oslo-based economic crime unit said in its statement that “this case illustrates that we also have a great capacity to follow the money on the blockchain, even if the offenders utilise advanced ways.”

The news comes more than ten months after the US Treasury Department accused a hacker organisation supported by North Korea of stealing $620 million from the Ronin cross-chain bridge.

Then, in September 2022, the American government declared that it had recovered more than $30 million in cryptocurrency, or 10% of the money that had been stolen.

Økokrim asserted that it cooperated with foreign law enforcement partners to track down and piece together the money trail, making it more challenging for criminal actors to carry out money laundering operations.

It went on to say, “This money can fund North Korea and their nuclear weapons programme.” Therefore, it has been crucial to keep tabs on bitcoin and try to block attempts to withdraw money in the form of actual assets.

After Harmony’s Horizon Bridge was hacked in June 2022, the cryptocurrency exchanges Binance and Huobi froze accounts holding about $1.4 million in digital assets, which led to the confiscation.


The attack, which is also attributed to the Lazarus Group, allowed the threat actors to use Tornado Cash, which the American government sanctioned in August 2022, to launder some of the proceeds.

According to blockchain analytics company Elliptic, “The stolen monies were inert until lately, when our investigators started to observe them channelled via intricate chains of transactions, to exchanges.”

Moreover, Tom Robinson of Elliptic informed The Hacker News that there are signs that Blender, another cryptocurrency mixer that was banned in May 2022, may have returned as Sinbad and laundered about $100 million in Bitcoin from hacks linked to the Lazarus Group.

After the Horizon Bridge heist, the company says, funds were “laundered through a sophisticated sequence of transactions involving swaps, cross-chain bridges, and mixers.”

Tornado Cash was employed once more, but Sinbad replaced Blender as the Bitcoin mixer.

Despite the service’s recent October 2022 launch, it is believed to have facilitated the transfer of tens of millions of dollars from the Horizon and other North Korea-related cyberattacks.

According to data released by Chainalysis earlier this month, the nation-state entity sent 1,429.6 Bitcoin, worth a total of about $24.2 million, to the mixer over the two-month period between December 2022 and January 2023.

The overlap in the wallet addresses used, their connections to Russia, and the similarities in how the two mixers operate serve as evidence that Sinbad is “very likely” a rebrand of Blender.

According to Elliptic, “an analysis of blockchain transactions reveals that a Bitcoin wallet used to compensate people who supported Sinbad got Bitcoin from the wallet of the alleged Blender operator.”

Blockchain analysis of transactions reveals that nearly all of Sinbad’s early incoming transactions, totalling over $22 million, came from the wallet of the alleged Blender operator.

The developer of Sinbad, who goes by the moniker “Mehdi,” told WIRED that the project is a legal privacy-preserving one in the vein of Monero, Zcash, Wasabi, and Tor and that it was created in response to “increasing centralisation of cryptocurrencies.”

But this specific mixer has been predominantly used to launder proceeds from attacks carried out by the Lazarus Group, Robinson said. “Mixers can help retain your financial anonymity,” he added.

The revelations also come as a new wave of ransomware attacks targeting healthcare organisations is being planned by the Lazarus actors to generate illicit revenue for the sanctioned country.

According to a joint advisory released by the US and South Korea, money earned from these financially motivated attacks is used to finance additional cyber operations, such as espionage against South Korean and US defence industry and sector groups.

Nonetheless, despite the efforts of law enforcement, the threat actor’s widespread attack campaign has continued to develop with new characteristics.

According to a recent report from the AhnLab Security Emergency Response Center (ASEC), this includes a variety of anti-forensic tactics intended to obscure evidence of breaches and hinder analysis.

Data hiding, artefact deletion, and trail obfuscation were all methods used by the Lazarus organisation, according to ASEC researchers.
