Posted on February 12, 2023 at 4:33 PM
North Korean Lazarus group launders $100M worth of stolen crypto through Sinbad
North Korean threat actor groups have looked for a new way of circumventing sanctions imposed by the United States and other Western countries. A recent report by blockchain analysts noted that the Lazarus group has been using a crypto-mixing tool known as Sinbad to launder stolen funds.
Lazarus uses a new crypto mixer tool to launder stolen crypto
The Lazarus Group has been attributed to some of the largest hacking attacks in the cryptocurrency sector. The threat actor group has laundered around $100 million worth of stolen Bitcoin since October 2022 through Sinbad alone, a single crypto mixer tool.
The threat actor group seems to be actively looking for a new mixer tool to launder stolen digital assets. In 2022, the Office of Foreign Assets Control (OFAC) at the US Treasury imposed sanctions against two crypto mixing tools, Tornado Cash and Blender. The Lazarus hacking group has been using these tools to launder nearly $500 million of stolen crypto assets.
The sanctions were imposed shortly after these hackers were linked to an over $600 million heist on the Axie Infinity cross-chain bridge. Mixer tools are largely used by hackers and people conducting fraudulent activities to hide the transaction details of funds by mixing the assets of various users.
The OFAC sanctions did not entirely shut down the operations of Tornado Cash, and the mixer remains one of the most widely used services of its kind. However, the operations of Blender were halted, with the owner disappearing with nearly $22 million worth of Bitcoin taken from the mixer. According to Elliptic, the operator of Blender is likely behind a new crypto-mixing service known as Sinbad.
The co-founder and chief scientist of the blockchain analysis company said that the activity of the Lazarus hacking group on Sinbad started with the Harmony bridge hack, where nearly $100 million worth of crypto assets were stolen. The FBI linked the hack to Lazarus, with the hacking group directing the funds to the Tornado Cash crypto mixing service.
The hackers used the Tornado Cash mixer alongside a custodial platform like Blender. However, they have now started using a Bitcoin mixer known as Sinbad. The firm noted that while Sinbad was “relatively small,” it was used to launder funds for the North Korean hacking group. Elliptic said that Lazarus had laundered tens of millions of dollars from Harmony and other hacks using Sinbad.
Similarities between Blender and Sinbad
There are notable similarities between the Blender and Sinbad crypto mixing tools. Both platforms are custodial mixers, meaning the operator takes control of all the crypto assets sent to the platform. This gives the owners the confidence to use the tool.
According to Elliptic, the similarities between the two tools show that they are operated by the same individual behind Blender. A service address on Sinbad received Bitcoin from a wallet address linked to the operator of Blender. This wallet was also used to promote Sinbad and fund most transactions coming to the mixer tool. This amount was worth around $22 million.
Besides the close association between the wallet of Blender’s operator and Sinbad, researchers have also noticed that the on-chain behavior of the two mixers follows the same pattern, including the specific transaction features the two mixers expose.
The Elliptic researchers further said that “the way in which the Sinbad mixer operates is identical to Blender in several ways, including ten-digit mixer codes, guarantee letters signed by the service address, and a maximum seven-day transaction delay.”
The researchers also found strong similarities between the two websites, which use similar language and naming conventions. Both also show a close association with Russia, including support for the Russian language and Russian-language websites.
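The attribution above rests on one on-chain inference (a new service address funded directly by a known mixer operator's wallet is treated as linked to it) and on screening deposits for upstream exposure to such addresses. As an added example, not from the article or from Elliptic, the Python below applies both steps to a constructed ledger with placeholder labels instead of real Bitcoin addresses; the transaction graph, amounts and the `exchange_deposit` naming are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample ledger (placeholder labels, not real Bitcoin addresses):
# (sender, receiver, amount_btc)
SAMPLE_TXS = [
    ("blender_operator_wallet", "sinbad_service_addr", 5.0),  # operator wallet funds new mixer
    ("sinbad_service_addr", "intermediate_1", 2.0),
    ("intermediate_1", "intermediate_2", 1.5),
    ("intermediate_2", "exchange_deposit_A", 1.0),
    ("unrelated_source", "exchange_deposit_B", 0.7),
]

# Starting denylist: the known sanctioned mixer operator (placeholder label).
SANCTIONED = {"blender_operator_wallet"}


def build_upstream_graph(txs):
    """Map each receiver to the set of senders that paid it."""
    upstream = defaultdict(set)
    for sender, receiver, _amount in txs:
        upstream[receiver].add(sender)
    return upstream


def link_funded_services(txs, denylist):
    """Expand the denylist with addresses funded directly by a listed address
    (the inference drawn between Blender's operator wallet and Sinbad).
    Only one hop is taken so downstream customers are not listed by accident."""
    return set(denylist) | {r for s, r, _a in txs if s in denylist}


def upstream_exposure(upstream, deposit, denylist, max_hops=5):
    """Breadth-first search backwards from `deposit`; return the minimum
    number of hops to any denylisted address, or None if none within max_hops."""
    queue = deque([(deposit, 0)])
    seen = {deposit}
    while queue:
        addr, hops = queue.popleft()
        if addr in denylist:
            return hops
        if hops == max_hops:
            continue
        for parent in upstream[addr]:
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, hops + 1))
    return None


def screen_deposits(txs, denylist, max_hops=5):
    """Return {deposit: hops-to-denylist or None} for every exchange deposit."""
    upstream = build_upstream_graph(txs)
    expanded = link_funded_services(txs, denylist)
    deposits = [r for _s, r, _a in txs if r.startswith("exchange_deposit")]
    return {d: upstream_exposure(upstream, d, expanded, max_hops) for d in deposits}
```

Without the linkage step the same deposit is still flagged, but one hop further away; raising `max_hops` trades false negatives for more false positives, so the cutoff should be set against the exchange's own risk tolerance.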
Lazarus is believed to be a state-sponsored hacking group in North Korea. The government assigns the group a wide range of tasks, including gathering intelligence and obtaining funds that support the country’s priorities and objectives. The United Nations noted that North Korea has been using stolen cryptocurrencies to fund its missile program.
The operations of the Lazarus hacking group are broad. The group targets cryptocurrency platforms and is notorious for ransomware attacks, and it has been linked to several ransomware attacks targeting healthcare organizations in the United States and South Korea.