US officials link North Korean Lazarus hackers to $625M Axie Infinity crypto theft

U.S. officials have linked North Korean state-backed hacking group Lazarus to the recent theft of $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity. 

The Treasury Department’s Office of Foreign Assets Control (OFAC) on Thursday announced new sanctions against an Ethereum wallet belonging to Lazarus. Blockchain analysis firms Elliptic and Chainalysis have both confirmed that the U.S. Treasury’s wallet address is identical to the one used in the Ronin hack, which saw the attackers exploit the network for 173,600 ether, or about $597 million, and $25.5 million worth of the stablecoin USDC. The heist, which totaled $625 million at the time, is the largest decentralized finance hack to date, according to the DeFiYield REKT database, which tracks DeFi scams, hacks and exploits.

The wallet itself — which held 148,000 ether as of Thursday — was discovered by the FBI as part of its ongoing investigation of the threat posed by North Korea and state-sponsored actors like Lazarus Group. Blockchain analysis firm Elliptic estimated that 14% of the stolen funds had already been laundered, while another $9.7 million worth is in intermediary wallets in preparation for laundering.

The newly announced sanctions prohibit U.S. individuals and entities from making transactions with the identified Ethereum account. This ensures the state-sponsored group — which has previously been linked to a 2014 hack on Sony Pictures and the 2017 WannaCry ransomware attacks — can’t cash out through U.S.-based crypto exchanges any further funds they continue to hold.

“Many commentators believe that crypto assets stolen by Lazarus Group are used to fund the state’s nuclear and ballistic missile programs,” Elliptic said. “With recent reports that North Korea may be again preparing for nuclear testing, today’s sanctions activity highlights the importance of ensuring that Lazarus Group is not able to successfully launder the proceeds of these attacks.”

In an updated post about the incident, the Ronin Network, which is owned by developer group Sky Mavis, said it expects to deliver a full post-mortem of the crypto-heist by the end of the month. 

“We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk,” Ronin says, adding that will bring its bridge back online “by the end of the month.” The bridge allows users to transfer funds between other blockchains and Axie Infinity and has been blocked off since the attack.

According to a recent report by blockchain analysis firm Chainalysis, North Korean hackers launched at least seven attacks on cryptocurrency platforms last year to steal almost $400 million worth of digital assets. As per the report, the Lazarus Group is suspected of carrying out the attacks.