Contents:
Blockchain analysts have discovered that North Korean hackers are laundering cryptocurrency proceeds from their heists despite U.S. sanctions. Through a single crypto-mixing service called Sinbad, the advanced persistent threat known as Lazarus Group has laundered about $100 million in stolen Bitcoin since October 2022.
Lazarus in Review
While referred to as one group, Lazarus describes multiple North Korean operators tasked by the government with gathering intelligence and stealing money. The North Korean threat actors also attacked health sector organizations in the United States and South Korea using several locker strains of ransomware.
Blender and Tornado Cash, which Lazarus used to launder close to $500 million in illicit cryptocurrency, were sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) last year.
In a hack later attributed to Lazarus, more than $600 million in crypto assets were stolen from Axie Infinity’s cross-chain bridge.
For a fee, cryptocurrency mixers/tumblers allow hackers to hide the origin and owners of funds by blending the assets of many users. OFAC sanctions did not stop Tornado Cash, but they stopped Blender, whose operator disappeared after taking almost $22 million in Bitcoin from the mixer.
According to blockchain analysis company Elliptic, there is a possibility that Blender’s operator started a new service called Sinbad, which is being used by Lazarus to launder assets.
Soon after the Harmony Horizon crypto heist in June 2022 that led to about $100 million in losses, strong links to Lazarus had emerged, something that the FBI confirmed earlier this year, by following the funds through the Tornado Cash mixing service.
Typically, the actor combined Tornado Cash crypto mixing with a custodial-based service, like Blender. This time though, they used another Bitcoin mixer called Sinbad.
Elliptic`s co-founder and chief scientist, Tom Robinson, has declared for BleepingComputer that, although the Sinbad service is “relatively small,” it has been used to launder the funds stolen by the Lazarus group.
Blender vs Sinbad
Since Blender and Sinbad are custodial mixers, all cryptocurrency that goes into the service is under the operator’s control; therefore, owners are confident enough to give up control.
Based on Elliptic’s analysis, it is highly likely that Sinbad is operated by the same individual or group that was behind Blender. According to the researchers, a “service” address on the Sinbad site received Bitcoin from a wallet believed to belong to Blender’s operator. Furthermore, almost all initial transactions coming to Sinbad, about $22 million, were funded with the same wallet.
Aside from the wallet, the researchers also observed a similar on-chain pattern behavior for both mixers.
The way in which the Sinbad mixer operates is identical to Blender in several ways, including ten-digit mixer codes, guarantee letters signed by the service address, and a maximum seven-day transaction delay.
Among the other similarities observed by the researchers were strong correlation between the websites, naming conventions, and language, as well as “a clear connection to Russia, with Russian-language websites and support.”
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
