Norway Seizes Record $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers

Norwegian police agency Økokrim announced the seizure of 60 million NOK (about $5.84 million) worth of cryptocurrency stolen by the Lazarus Group in the Axie Infinity Ronin Bridge hack. “This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods,” the agency stated. The news comes more than ten months after the U.S. Treasury Department attributed the theft of $620 million from the Ronin cross-chain bridge to the North Korea-backed group. In September 2022, the U.S. government said it had recovered over $30 million in cryptocurrency, roughly 10% of the stolen funds.

The development also follows the freezing by cryptocurrency exchanges Binance and Huobi of accounts holding about $1.4 million in digital assets traced to the June 2022 attack on Harmony’s Horizon Bridge. That attack, also attributed to the Lazarus Group, saw the threat actors launder part of the proceeds through Tornado Cash. “The stolen funds remained dormant until recently, when our investigators began to see them funneled through complex chains of transactions, to exchanges,” blockchain analytics company Elliptic stated. According to Elliptic co-founder Tom Robinson, there are signs that Blender, a cryptocurrency mixer previously sanctioned by the U.S. Treasury, has resurfaced as Sinbad and laundered about $100 million in Bitcoin from hacks linked to the Lazarus Group. The company says the Horizon Bridge proceeds were “laundered through a complex series of transactions involving exchanges, cross-chain bridges and mixers.”

Analyst Notes

Although Sinbad only launched in October 2022, it is believed to have facilitated the transfer of tens of millions of dollars from the Horizon Bridge theft and other North Korea-linked attacks. According to Chainalysis data, the nation-state group sent 1,429.6 Bitcoin, worth about $24.2 million, to the mixer between December 2022 and January 2023. Overlaps in the wallet addresses used, links to Russia, and the similarity in how the two mixers operate suggest that Sinbad is “highly likely” a rebrand of Blender. Sinbad’s developer told WIRED that the project is a legal privacy-preserving tool in the tradition of Monero, Zcash, Wasabi, and Tor, created in response to the “growing centralization of cryptocurrency.” Proceeds from these financially motivated attacks fund the regime’s other cyber activities, including espionage against the South Korean and U.S. defense industries. Despite seizures and sanctions, the group’s operations continue and its laundering tradecraft keeps evolving: a mixer it relies on can be shut down and relaunched under a new name, so analysts tracking Lazarus-linked funds should not treat a sanctioned mixer as permanently out of play.