Norwegian Police Agency Seizes $5.84 Million Worth of Cryptocurrency Stolen by North Korean-Backed Hackers
The Norwegian police agency, Økokrim, has announced the seizure of 60 million NOK (approximately $5.84 million) worth of cryptocurrency that was stolen by the Lazarus Group in March 2022 during the Axie Infinity Ronin Bridge hack. This development comes after the U.S. Treasury Department implicated the North Korea-backed hacking group in the theft of $620 million from the Ronin cross-chain bridge over 10 months ago.
The Oslo-based crime-fighting unit said in a statement that the case demonstrates the ability to track money on the blockchain, despite the use of advanced methods by criminals. The agency worked with international law enforcement partners to trace and piece together the money trail, making it more challenging for criminal actors to carry out money laundering activities.
The recovery of this cryptocurrency is particularly significant, given that such funds can support North Korea's nuclear weapons program. The agency added that it was essential to track the cryptocurrency and prevent the hackers from withdrawing it as physical assets.
Furthermore, Elliptic, a blockchain analytics firm, revealed that exchanges Binance and Huobi froze accounts containing roughly $1.4 million in digital currency originating from the June 2022 hack of Harmony's Horizon Bridge, which was also attributed to the Lazarus Group. The threat actors laundered some of the proceeds through Tornado Cash, which the U.S. government sanctioned in August 2022.
Tom Robinson, Elliptic's co-founder, told The Hacker News that there are indications that Blender, another cryptocurrency mixer that the U.S. government sanctioned in May 2022, may have resurfaced as Sinbad, laundering nearly $100 million in Bitcoin from hacks linked to the Lazarus Group. According to the company, funds from the Horizon Bridge heist were "laundered through a complex series of transactions involving exchanges, cross-chain bridges, and mixers."
In the two months between December 2022 and January 2023, the North Korean-linked group sent a total of 1,429.6 Bitcoin worth approximately $24.2 million to the mixer Sinbad, according to Chainalysis. The evidence that Sinbad is highly likely a rebrand of Blender stems from overlaps in the wallet address used, their nexus to Russia, and commonalities in the way both mixers operate.
Despite the law enforcement actions, the Lazarus Group's prolific attack spree continues to evolve with new behaviors, including anti-forensic techniques that erase traces of the intrusions and obstruct analysis, as disclosed in a recent report by AhnLab Security Emergency Response Center (ASEC). These techniques comprise data hiding, artifact wiping, and trail obfuscation.
In conclusion, the seizure of stolen cryptocurrency by Økokrim highlights the importance of tracing the money trail on the blockchain and making it difficult for cybercriminals to carry out money laundering activities. It also shows that North Korea-backed hackers continue to pose a significant threat to organizations worldwide and that their attacks are continuously evolving with new tactics and techniques.