In March 2022, the Lazarus Group, a North Korea-backed hacking group, stole around $5.84 million worth of cryptocurrency through the Axie Infinity Ronin Bridge hack. However, over ten months later, the Norwegian police agency Økokrim announced they had seized the stolen funds.
The crime-fighting unit was able to track the money on the blockchain even though the criminals used sophisticated laundering techniques. It worked closely with international law enforcement partners to follow the money trail and disrupt the criminals' money laundering, proceeds that could potentially have supported North Korea's nuclear weapons program.
Additionally, blockchain analytics firm Elliptic reported that the cryptocurrency exchanges Binance and Huobi froze accounts containing approximately $1.4 million in digital currency originating from the June 2022 hack of Harmony's Horizon Bridge. That hack was also attributed to the Lazarus Group, which laundered some of the stolen money through Tornado Cash, a mixer the U.S. government sanctioned in August 2022. Elliptic's Tom Robinson claimed that Blender, another cryptocurrency mixer sanctioned in May 2022, may have resurfaced as Sinbad, laundering almost $100 million in Bitcoin from hacks attributed to the Lazarus Group. Evidence suggests that Sinbad is a rebrand of Blender because of overlaps in the wallet addresses used, both services' connection to Russia, and the way both mixers operate.
The Lazarus Group’s financially motivated attacks continue to fund other cyber activities, including spying on defense sector and defense industrial base organizations in South Korea and the United States. These findings are especially concerning since healthcare entities are facing a new wave of ransomware attacks orchestrated by the group. Despite the police’s efforts, the Lazarus Group’s attack spree continues to evolve with new behaviors, using anti-forensic techniques that erase traces of the intrusions and obstruct analysis.