US authorities link $600 million cryptocurrency theft to infamous North Korean Lazarus group


The United States has linked North Korean hacking group Lazarus to the Ronin network bridge hack that led to the theft of hundreds of millions of dollars worth of cryptocurrencies last month.

The US Treasury Department’s Office of Foreign Asset Control (OFAC) released an updated sanctions list last week, revealing Lazarus’ involvement in the hack.

OFAC added an Ethereum wallet address related to the Lazarus Group to the updated filing, and the same wallet address was reportedly used by those behind the Ronin network hack.

“Today, the FBI attributed the North Korea-based Lazarus Group to the Ronin Validator Security Breach,” Ronin Network said in an online post.

“The US government, particularly the Treasury Department, has sanctioned the address that received the stolen funds.”

The hacking incident happened in March 2022 and resulted in the theft of more than $600 million in Ethereum and USDC stablecoins.

The attackers targeted the Ronin Network, a platform powering one of the world’s most popular NFT video games, Axie Infinity. The Ronin Network serves as a bridge between Axie Infinity and cryptocurrency blockchains like Ethereum, allowing players to deposit funds into the game and withdraw them from it.

The security incident was discovered on March 23, but Ronin and Axie Infinity operator Sky Mavis waited nearly a week, until March 29, to announce it.

The attacker used compromised private keys to breach the validator nodes that authenticate transfers to and from the Ronin blockchain. They exploited a fundamental security flaw: poor key management. They seized five of the blockchain’s nine validator nodes, giving them sufficient power to approve withdrawals and steal the funds.

According to some blockchain data providers, more than 10 percent of the funds siphoned from Ronin have already been laundered, and as much as $10 million may be waiting to be cleaned.

The US Federal Bureau of Investigation (FBI) was able to locate the Ethereum wallet to which the funds were first moved, and OFAC subsequently announced sanctions against it.

The naming confirmed that North Korea was behind the hack, according to blockchain analytics firms Chainalysis and Elliptic.

Lazarus, also known as Hidden Cobra, became widely known in 2014 when it hacked Sony Pictures over the film The Interview, a comedy about the assassination of North Korean leader Kim Jong-un.

The Reconnaissance General Department, North Korea’s most important intelligence agency, is said to be responsible for the Lazarus hacking force, according to US authorities.

The group is also accused of being involved in the WannaCry ransomware attacks, as well as hacking several multinational banks and customer accounts.

Cybersecurity firm Kaspersky warned in 2020 that Lazarus had significantly updated its attack tactics to remain undetected in cryptocurrency theft campaigns. The researchers said they found evidence suggesting Lazarus uses the messaging app Telegram to deliver malicious files to potential targets to steal cryptocurrency.

In December, the gang made headlines when it was claimed they were targeting Linux computers in addition to Windows.

According to research by Chainalysis, North Korean hackers stole around $400 million worth of cryptocurrencies last year. According to the company, these cybercriminals mainly targeted investment companies and bitcoin exchanges.
