15 Apr 2022

North Korea’s Lazarus Group Behind Axie Infinity's Ronin Hack, Say US Treasury, FBI


The United States Treasury Department has sanctioned an ethereum (ETH) address that it says received coins stolen in the Ronin Bridge hack – and the FBI has claimed that the North Korean Lazarus group of hackers was behind the security breach.

The address in question currently holds almost USD 446m worth of ETH and has been particularly busy in the past few days. The sanctions announcement claimed that Lazarus is based in the Potonggang District of the North Korean capital, Pyongyang, a claim the FBI has also voiced in the past.

The Ronin bridge connects the play-to-earn gaming title Axie Infinity’s Ronin sidechain to the Ethereum network, allowing users to send cryptoassets between the two – and was exploited for some USD 600m in late March. The hack is one of the largest ever in the decentralized finance (DeFi) space.

In an April 14 update to the Ronin newsletter on the hack – originally published just after last month’s hack – the Ronin Network wrote that it was “still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk,” adding that users could “expect the bridge to be deployed by end of [the] month.”

It also promised a “full post mortem that will detail security measures put in place and next steps” – also “by the end of the month.”

The blockchain analytics firm Chainalysis backed the claim on Twitter, stating that the address had received ETH 173,600 (currently worth around USD 525m), as well as USD 25.5m worth of the stablecoin USD coin (USDC) “from the Ronin Bridge smart contract during the attack.”

The company added that the crypto industry needed greater “understanding of how [North Korea]-affiliated threat actors exploit crypto,” as well as “better security for DeFi protocols.”

In an updated post on the hack, Elliptic, another major blockchain analytics firm, stated that its own “internal analysis” had found that the “attacker has managed to launder 18% of their stolen funds as of April 14.”

The company explained:

“First, the stolen USDC was swapped for ETH through decentralized exchanges (DEXes) to prevent it from being seized. Tokens such as stablecoins are controlled by their issuers, who in some cases can freeze tokens involved in illicit activity.”

Using DEXes allowed the hacker to sidestep anti-money laundering (AML) and know your customer (KYC) checks. The attacker then “began laundering USD 16.7m worth of ETH through three centralized exchanges,” Elliptic wrote, adding:

“This strategy is uncommon for typical DeFi exploits given these exchanges’ AML obligations, though it has been observed more often in past Lazarus group-affiliated exploits.”

North Korea has repeatedly denied that it seeks to hack crypto and has rejected accusations surrounding the Lazarus group, which has previously been accused of masterminding the 2014 hack of Sony Pictures and the 2017 WannaCry ransomware attacks.

Pyongyang denies the existence of Lazarus, as well as alleged individual members of the group that have been named by the FBI, including Park Jin-hyok. It has also previously claimed that accusations of crypto theft were “the sort of fabrication that only the United States” was capable of “inventing” – calling the American government “kings” of hacking.