Police arrest man for laundering tens of millions in stolen crypto

The Dutch police arrested a 39-year-old man on suspicions of laundering tens of millions of euros worth of cryptocurrency stolen in phishing attacks.

‘Politie Gelderland’ (Eastern) worked closely with the country’s central cybercrime team to monitor specific bitcoin transactions and eventually traced the man to the village of Veenendaal.

The arrest occurred in the early morning of September 6, 2022, with the police seizing devices and “data carriers” to aid the ongoing investigations.

“The expected profit that the man made from money laundering was seized in cryptocurrency by the police,” reads the announcement, so the police confiscated digital assets too.

The suspect was released on September 8, 2022, but remains a suspect as the police continue to conduct their investigation.

Electrum updates and Bisq laundering

According to the police’s press statement, law enforcement was able to track down the suspect by following crypto stolen using a malicious software update for the Electrum wallet.

Electrum is a popular open-source Bitcoin wallet app that lets users securely manage their digital assets, featuring smart recovery, cold storage, exporting, and support for third-party plugins.

While the police did not provide many details on the attack, they did tell BleepingComputer that attackers distributed this malicious Electrum update through phishing attacks.

“The funds were stolen after phishing with malicious Electrum software pushed through malicious servers,” the Dutch police told BleepingComputer.

There are not many details on this rogue Electrum update, but it is possible it installed an info-stealing malware that stole cryptocurrency wallets from infected victims. For example, multiple information stealers support Electrum exfiltration today, such as the recently launched Raccoon Stealer 2.0.

Another possibility that has become very popular among threat actors is to use modified wallets or phishing attacks to steal seeds/recovery phrases used that can be used to restore an existing wallet on a new device.

A phishing attack stealing a TrustWallet recovery phrase
A phishing attack stealing a TrustWallet recovery phrase
Source: BleepingComputer

Once a threat actor has access to a victim’s seed phrase, they can restore the wallet on their own devices and steal all of the cryptocurrency contained within it.

Numerous attacks consisting of fake updates, phishing, and modified hardware devices have been used to steal recovery/seed phrases for TrustWalletMetamaskLedger, and Trezor wallets.

Next, the suspect allegedly took the funds to Bisq, a decentralized peer-to-peer exchange network that enables users to trade between various cryptocurrencies without requiring registration or KYC (know your customer) details.

The individual used Bisq to trade Bitcoin for the hard-to-trace, privacy coin known as Monero to obscure the money trail and enable threat actors to convert to fiat money without fearing prosecution.

Like the recently sanctioned Tornado Cash platform, Bisq is an open-source project created to help cryptocurrency investors protect their privacy. But unfortunately, it is also subject to abuse for malicious purposes.

The Dutch police told BleepingComputer that they first learned of these attacks after “Electrum-users from the Netherlands and Italy reported the phishing with malicious Electrum software.”