Norwegian police agency Økokrim has announced the seizure of 60 million NOK (about $5.84 million) worth of cryptocurrency stolen by the Lazarus Group in March 2022 following the Axie Infinity Ronin Bridge hack.
"This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods," the Oslo-based crime-fighting unit said in a statement.
The development comes more than 10 months after the U.S. Treasury Department implicated the North Korea-backed hacking group for the theft of $620 million from the Ronin cross-chain bridge.
Then in September 2022, the U.S. government announced the recovery of more than $30 million worth of cryptocurrency, representing 10% of the stolen funds.
Økokrim said it worked with international law enforcement partners to pursue and piece together the money trail, thereby making it more difficult for criminal actors to carry out money laundering activities.
"This is money that can support North Korea and their nuclear weapons programme," it further added. "It has therefore been important to track the cryptocurrency and try to stop the money when they try to withdraw it in physical assets."
The confiscation comes as crypto exchanges Binance and Huobi froze accounts containing approximately $1.4 million in digital currency that originated from the June 2022 hack of Harmony's Horizon Bridge.
The attack, also blamed on the Lazarus Group, enabled the threat actors to launder some of the proceeds through Tornado Cash, which was sanctioned by the U.S. government in August 2022.
"The stolen funds remained dormant until recently, when our investigators began to see them funneled through complex chains of transactions, to exchanges," blockchain analytics firm Elliptic said last week.
What's more, there are indications that Blender – another cryptocurrency mixer that was sanctioned in May 2022 – may have resurrected as Sinbad, laundering nearly $100 million in Bitcoin from hacks attributed to the Lazarus Group, Elliptic's Tom Robinson told The Hacker News.
According to the company, funds siphoned in the wake of the Horizon Bridge heist were "laundered through a complex series of transactions involving exchanges, cross-chain bridges and mixers."
"Tornado Cash was used once again, but in place of Blender, another Bitcoin mixer was used: Sinbad."
Although the service launched only in early October 2022, it is estimated to have facilitated tens of millions of dollars from Horizon and other North Korea-linked hacks.
In the two-month period ranging from December 2022 to January 2023, the nation-state group has sent a total of 1,429.6 Bitcoin worth approximately $24.2 million to the mixer, Chainalysis revealed earlier this month.
The evidence that Sinbad is "highly likely" a rebrand of Blender stems from overlaps in the wallet address used, their nexus to Russia, and commonalities in the way both the mixers operate.
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
"Analysis of blockchain transactions shows that a Bitcoin wallet used to pay individuals who promoted Sinbad, itself received Bitcoin from the suspected Blender operator wallet," Elliptic said.
"Analysis of blockchain transactions shows that almost all of the early incoming transactions to Sinbad (some $22 million) originated from the suspected Blender operator wallet."
Sinbad's creator, who goes by the alias "Mehdi," told WIRED that the service was launched in response to "growing centralization of cryptocurrency" and that it's a legitimate legitimate privacy-preserving project along the lines of Monero, Zcash, Wasabi, and Tor.
"Mixers can be used to help maintain your financial privacy, however this particular mixer has been used primarily to launder proceeds of hacks perpetrated by Lazarus Group," Robinson said.
The findings also arrive as healthcare entities are in the crosshairs of a new wave of ransomware attacks orchestrated by the Lazarus actors to generate illicit revenue for the sanctions-hit nation.
Profits made from these financially motivated attacks are used to fund other cyber activities that include spying on defense sector and defense industrial base organizations in South Korea and the U.S., per a joint advisory issued by the two countries.
But the law enforcement actions are yet to put a dampener on the threat actor's prolific attack spree, which has continued to evolve with new behaviors.
This comprises a wide range of anti-forensic techniques that are designed to erase traces of the intrusions as well as obstruct analysis, AhnLab Security Emergency response Center (ASEC) disclosed in a recent report.
"The Lazarus group performed a total of three techniques: data hiding, artifact wiping, and trail obfuscation," ASEC researchers said.