The U.S. Treasury Department on Thursday added a new Ethereum address to its sanction list and linked it to North Korean hackers known as the Lazarus Group. Blockchain researchers said the address was likely behind the March hack of Ronin Bridge, a blockchain network connected to the popular play-to-earn game Axie Infinity, where more than $600 million worth of cryptocurrencies were stolen.
The address received the 173,600 ether and 25.5 million USDC drained in the Ronin attack, according to several blockchain analytics providers. Ronin Network operates a bridge that allows tokens to be moved between Ethereum and the Ronin chain used by Axie Infinity.
Known for the alleged hack against Sony Pictures and the WannaCry ransomware attack, Lazarus Group and other North Korean hackers launched at least seven attacks on crypto platforms in 2021, stealing almost $400 million worth of funds, according to crypto compliance company Chainalysis.
A representative of the Treasury Department didn’t immediately respond to a request seeking comment.
“North Korea is, in most respects, cut off from the global financial system by a long sanctions campaign by the U.S. and foreign partners,” Ari Redbord, head of legal and government affairs at crypto risk management company TRM Labs wrote in an email to MarketWatch. As a result, the nation launched cryptocurrency hacks that amounted to “essentially bank robbery” to fund weapon programs, nuclear proliferation and other activities, according to Redbord.
In the Ronin hack, all evidence pointed to the attack being socially engineered rather than conducted through the exploitation of a technical flaw, according to a March 30 blog post by Ronin Network. The bridge is secured by nine validator nodes, and a withdrawal needs the signatures of five of them; the attacker obtained control of five validators and could therefore authorize withdrawals on their own, according to the post.
Laundering the stolen funds
Lazarus Group has grown increasingly sophisticated in laundering stolen funds, often using multiple mixing services and other obfuscation techniques, according to TRM’s Redbord. However, as the attackers are “ultimately not concerned with being caught,” they usually focus on moving the funds quickly before they are frozen, instead of engaging in lengthy and expensive obfuscation techniques, Redbord said.
The Ronin hack followed the same pattern. As of Thursday, the hackers had laundered 18% of the stolen funds, according to blockchain analysis provider Elliptic.
They first swapped the stablecoin USDC for ether through decentralized exchanges, because stablecoin issuers can freeze tokens tied to illicit activity in certain cases, according to Elliptic. Using decentralized exchanges also let them bypass the anti-money laundering and so-called "know your customer" checks implemented by most centralized crypto exchanges.
However, the hackers also tried to launder almost $17 million worth of ether through three centralized exchanges, an uncommon practice, Elliptic said. After the exchanges said they would work with law enforcement, the attacker shifted to Tornado Cash, a decentralized mixing protocol that breaks the on-chain link between deposits and withdrawals, and had sent $80.3 million worth of ether to the mixer so far, according to Elliptic.
Roughly $433 million still remains in the attacker’s original wallet, Elliptic noted.
Ether was trading at around $3,030.50, up 1.4% over the past 24 hours, according to CoinDesk data.