Cryptocurrency worth more than $30 million looted from online video game Axie Infinity by North Korea-affiliated Lazarus Group has been recovered, marking the first time digital assets stolen by the threat actor have been seized.
“The seizures represent approximately 10% of the total funds stolen from Axie Infinity (taking into account the price differential between stolen and seized time) and show that bad actors are finding it increasingly difficult to successfully cash out their ill-gotten crypto winnings,” Erin Plante, Senior Director of Investigations at Chainalysis, said.
The development comes more than five months after the hack led to the theft of $620 million from decentralized finance (DeFi) platform Ronin Network, with the attackers laundering much of the proceeds, worth $455 million, through the Ethereum-based cryptocurrency mixer Tornado Cash.
The March 2022 cryptocurrency heist resulted in losses totaling 173,600 ETH worth about $594 million at the time and $25.5 million in USDC stablecoin, making it the largest cryptocurrency theft to date.
Although Tornado Cash has become a popular tool for anonymizing virtual currency transactions, its misuse by malicious actors like the Lazarus Group to launder illegally obtained assets has drawn it into the crosshairs of the US government, which imposed sanctions on the service last month.
The blockchain analytics firm said the blocklisting forced the adversary to move away from the mixer in favor of DeFi services such as cross-chain bridges, "chain hopping" to move digital assets between blockchains in order to obscure the trail of funds.
“The hacker bridged ETH from the Ethereum blockchain to the BNB chain and then exchanged that ETH for USDD, which was then bridged to the BitTorrent chain,” Plante said, describing how the attackers switched between multiple cryptocurrencies in a single transaction to launder the stolen funds.
The Lazarus Group is a prolific Advanced Persistent Threat (APT) whose activity supports North Korea’s operational goals, which include espionage and generating revenue for the sanctions-hit nation through attacks on financial institutions. Most of its cyber operations are conducted by elements within the Reconnaissance General Bureau.
The seizure also comes as six Tornado Cash users, including Coinbase employees, filed a lawsuit this week against the U.S. Treasury Department, Treasury Secretary Janet Yellen and other officials over their decision to impose sanctions on the platform.
The crypto recovery is also an indication of the progress made by US authorities in their ability to track down and seize illicit cryptocurrency funds from various cybercrimes. In late July, the Justice Department announced the seizure of $500,000 worth of Bitcoin from a North Korean hacking crew extorting digital payments from healthcare facilities using a new strain of ransomware called Maui.