The US Treasury department has added the North Korea-based hacker collective that calls itself Lazarus Group to its international sanctions list, saying the group was responsible for the big crypto-heist of Axie Infinity that made off with more than $600 million in March.
Axie Infinity makes use of a "sidechain" called Ronin that enables users to access the Ethereum blockchain without incurring many of the standard NFT transaction fees. Essentially, the Ronin and Ethereum blockchains run in parallel, connected by a digital "bridge" that allows the movement of cryptocurrency between them. Unfortunately, an exploit in that bridge also enabled hackers to make off with 173,600 Ethereum and 25.5M USDC, which at the time of the theft converted to more than $600 million.
The Treasury Department's "Specially Designated Nationals List" update doesn't reference that crime explicitly, but it does list a "digital currency address" for Lazarus Group that Etherscan currently identifies as "Ronin Bridge Exploiter," and states "is reported to be involved in a hack targeting the Ronin bridge."
The Treasury Department confirmed the connection in a statement sent to PC Gamer, saying that the list was updated to include the virtual wallet associated with the Axie Infinity heist. The wallet itself was discovered by the FBI as part of its ongoing investigation of the threat posted by North Korea and state-sponsored actors like Lazarus Group.
"The FBI continues to combat malicious cyber activity including the threat posed by the Democratic People's Republic of Korea to the US and our private sector partners," an FBI representative told PC Gamer.
"Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29th. The FBI, in coordination with Treasury and other U.S. Government partners, will continue to expose and combat the DPRK’s use of illicit activities—including cybercrime and cryptocurrency theft—to generate revenue for the regime."
Sky Mavis, which runs Axie Infinity, also noted the involvement of the FBI in an update on the Ronin blog. "Today, the FBI attributed North Korea based Lazarus Group to the Ronin Validator Security Breach," it wrote. "The US Government, specifically the Treasury Department, has sanctioned the address that received the stolen funds."
This isn't the first time we've heard about Lazarus Group. ChainAlysis said in January that North Korea had made off with at least $400 million in stolen digital assets in 2021, most of it taken by Lazarus Group. Assuming that's accurate, the Axie Infinity heist represents a serious escalation, outpacing the entire take of the previous year in a single job.
THREAD: Updates to OFAC’s SDN designation for Lazarus Group confirm that the North Korean cybercriminal group was behind the March hack of Ronin Bridge, in which over $600 million worth of ETH and USDC was stolen.April 14, 2022
Elliptic, another cryptosecurity firm, estimated that North Korea has already laundered 18% of the stolen funds; the balance, combined with the $170 million in stolen crypto North Korea was reported to be holding in January, means the nation is now sitting on more than a half-billion in unlaundered crypto.
As for why North Korea is pulling crypto-heists, the Treasury Department said the country is attempting to evade US and UN sanctions in order to find funding for its weapons programs, which is why the agencies pursue sanctions programs so aggressively. The effort isn't toothless: The US recently jailed a former employee of the Ethereum Foundation for more than five years, and imposed a $100,000 fee, for traveling to North Korea in 2019 to give a presentation on "using cryptocurrency technologies to evade sanctions and launder money."
As for Axie Infinity, the developers said in their last update that they're still adding additional security measures to the Ronin Bridge and hope to have it redeployed by the end of April. But Axie may have a potentially even bigger problem on its hands: As reported by GamesRadar, digital "landlords" in the game are having difficulty finding players willing to fill quotas and help them earn profits on their NFT creatures. Sky Mavis acknowledged the issue in February when it removed daily quests in an effort to reduce the amount of SLP rewards flowing into the game, saying, "the Axie economy requires drastic and decisive action now or we risk total and permanent economic collapse."