Dutch police have arrested a 39-year-old man suspected of laundering tens of millions of euros in stolen cryptocurrency in phishing attacks.
“Politie Gelderland” (East) worked closely with the country’s central cybercrime team to monitor specific bitcoin transactions and eventually traced the man to Veenendaal.
The arrest took place in the early morning of September 6, 2022, as police seized devices and “data carriers” to aid ongoing investigations.
“The man’s expected profit from money laundering was seized in cryptocurrency by police,” the press release reads, meaning the digital assets themselves were confiscated.
The suspect was released on September 8, 2022, but remains a suspect as police continue their investigation.
Electrum Updates and Bisq Laundering
According to the police press release, law enforcement was able to track down the suspect by following the stolen crypto, which had been taken from victims using a malicious software update for the Electrum wallet.
Electrum is a popular open-source bitcoin wallet application that allows users to securely manage their digital assets, with smart recovery, cold storage, export, and support for third-party plugins.
Although the police did not provide many details about the attack, they told BleepingComputer that the attackers distributed this malicious Electrum update through phishing attacks.
“The funds were stolen after a phishing attack with Electrum malware pushed through malicious servers,” Dutch police told BleepingComputer.
There are not many details about this malicious Electrum update, but it is possible that it installed information-stealing malware that stole cryptocurrency wallets from infected victims. Several infostealers support Electrum wallet exfiltration today, such as the recently launched Raccoon Stealer 2.0.
Another technique that has become very popular among threat actors is to use modified wallets or phishing attacks to steal seed/recovery phrases, which can be used to restore an existing wallet on a new device.
Once a hacker has access to a victim’s seed phrase, they can restore the wallet to their own devices and steal all the cryptocurrency inside.
Then, the suspect reportedly took the funds to Bisq, a decentralized peer-to-peer exchange network that allows users to trade between various cryptocurrencies without requiring registration or KYC (know your customer) details.
The individual used Bisq to exchange Bitcoin for the hard-to-trace privacy coin Monero to hide the money trail and allow threat actors to convert to fiat currency without fear of prosecution.
Like the recently sanctioned Tornado Cash platform, Bisq is an open-source project created to help cryptocurrency users protect their privacy. Unfortunately, it is also abused for criminal purposes.
Dutch police told BleepingComputer they first learned of the attacks after “Electrum users from the Netherlands and Italy reported phishing with Electrum malware.”