The U.S. Treasury Department has linked North Korean hacking group Lazarus to the recent theft of $625 million worth of cryptocurrency from the Ronin Network, an Ethereum-compatible blockchain tailored for the popular play-to-earn game Axie Infinity.
The hackers infiltrated the network last month, stealing about 173,600 ether, according to the Ronin Network, and 25.5 million USDC (a digital asset pegged to the value of the U.S. dollar and available on multiple blockchains including Ethereum and Solana). Blockchain analytics firm Elliptic says the group has managed to launder 18% of the stolen funds and continues to do so via Tornado Cash, a service that allows users to obfuscate their digital trails.
So what do we know about the culprits?
The Lazarus cyber collective has operated for more than 10 years with the North Korean government’s blessing, gaining notoriety for its attack on Sony Pictures in 2014 and an $81 million heist on the Central Bank of Bangladesh.
Top cybersecurity firms Kaspersky and Symantec have also linked Lazarus to the WannaCry ransomware attack that took place in May 2017. Users’ files were held hostage, and a bitcoin ransom was demanded for their return. The ransomware hit more than 200,000 computers in 150 countries, crippling hospitals, governments and businesses, and leading to an estimated $4 billion in losses across the globe.
According to Elliptic and another blockchain intelligence firm, Chainalysis, the hackers have been targeting crypto entities since at least 2018, laundering virtual currencies worth in excess of $200 million every year. A United Nations report submitted to the U.N. Security Council’s sanctions committee accused Pyongyang of using stolen funds from these attacks to support its nuclear and ballistic missile programs, Reuters reported in February.
Until last year, the majority of this activity was directed toward centralized cryptocurrency exchanges located in South Korea or elsewhere in Asia, according to Elliptic. In recent months, however, Lazarus has turned to decentralized financial services like Ronin (the company behind the network, Sky Mavis, is based in Vietnam).
Many features of the latest heist mirrored the methods used by the group in previous high-profile cases, says Elliptic, including the location of the victim, the possible use of social engineering, and the money laundering pattern. Specifically, by converting the stolen cryptocurrencies at decentralized exchanges, the hackers avoided the anti-money laundering (AML) and ‘know your customer’ (KYC) checks performed at centralized marketplaces—an increasingly common tactic seen in hacks of this type. Decentralized finance (DeFi) protocols received 17% of all funds sent from illicit wallets in 2021, up from 2% in the previous year, according to Chainalysis.
However, part of the stolen ether was also laundered through centralized exchanges. “This strategy is uncommon for typical DeFi exploits given these exchanges’ AML obligations, though it has been observed more often in past Lazarus group-affiliated exploits,” said Elliptic.