The U.S. Treasury Department has implicated the North Korea-backed Lazarus Group (aka Hidden Cobra) in the theft of $540 million from video game Axie Infinity’s Ronin Network last month.
On Thursday, the Treasury tied the Ethereum wallet address that received the stolen funds to the threat actor and sanctioned the funds by adding the address to the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) List.
“The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK’s use of illicit activities – including cybercrime and cryptocurrency theft – to generate revenue for the regime,” the intelligence and law enforcement agency said in a statement.
The cryptocurrency heist, the second-largest cyber-enabled theft to date, involved the siphoning of 173,600 Ether (ETH) and 25.5 million USD Coins from the Ronin cross-chain bridge, which allows users to transfer their digital assets from one crypto network to another, on March 23, 2022.
“The attacker used hacked private keys in order to forge fake withdrawals,” the Ronin Network explained in its disclosure report a week later after the incident came to light.
The sanctions prohibit U.S. individuals and entities from transacting with the address in question to ensure that the state-sponsored group can’t cash out any further funds. An analysis by Elliptic has found that the actor has managed to launder 18% of the siphoned digital funds (about $97 million) as of April 14.
“First, the stolen USDC was swapped for ETH through decentralized exchanges (DEXs) to prevent it from being seized,” Elliptic noted. “By converting the tokens at DEXs, the hacker avoided the anti-money laundering (AML) and ‘know your customer’ (KYC) checks performed at centralized exchanges.”
Nearly $80.3 million of the laundered funds have involved the use of Tornado Cash, a mixing service on the Ethereum blockchain designed to obscure the trail of funds, with another $9.7 million worth of ETH likely to be laundered in the same manner.
Lazarus Group, an umbrella name assigned to prolific state-sponsored actors operating on behalf of North Korean strategic interests, has a track record of conducting cryptocurrency thefts since at least 2017 to bypass sanctions and fund the country’s nuclear and ballistic missile programs.
“The country’s espionage operations are believed to be reflective of the regime’s immediate concerns and priorities, which is likely currently focused on acquiring financial resources through crypto heists, targeting of media, news, and political entities, [and] information on foreign relations and nuclear information,” Mandiant pointed out in a recent deep dive.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has painted the cyber actors as an increasingly sophisticated group that has developed and deployed a wide range of malware tools around the world to facilitate these activities.
The group is known to have plundered an estimated $400 million worth of digital assets from crypto platforms in 2021, marking a 40% jump from 2020, according to Chainalysis, which found “only 20% of the stolen funds were Bitcoin, [and that] Ether accounted for a majority of the funds stolen at 58%.”
Despite sanctions imposed by the U.S. government on the hacking collective, recent campaigns undertaken by the group have capitalized on trojanized decentralized finance (DeFi) wallet apps to backdoor Windows systems and misappropriate funds from unsuspecting users.
That’s not all. In another cyber offensive disclosed by Broadcom Symantec this week, the actor has been observed targeting South Korean organizations operating within the chemical sector in what appears to be a continuation of a malware campaign dubbed “Operation Dream Job,” corroborating findings from Google’s Threat Analysis Group in March 2022.
The intrusions, detected earlier this January, commenced with a suspicious HTM file received either as a link in a phishing email or downloaded from the internet that, when opened, triggers an infection sequence, ultimately leading to the retrieval of a second-stage payload from a remote server to facilitate further incursions.
The goal of the attacks, Symantec assessed, is to “obtain intellectual property to further North Korea’s own pursuits in this area.”
The continuous onslaught of illicit activities perpetrated by the Lazarus Group has also led the U.S. State Department to announce a $5 million reward for “information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea.”
The development comes days after a U.S. court in New York sentenced Virgil Griffith, a 39-year-old former Ethereum developer, to five years and three months in prison for helping North Korea use virtual currencies to evade sanctions.
To make matters worse, malicious actors have pilfered $1.3 billion worth of cryptocurrency in the first three months of 2022 alone, in comparison to $3.2 billion that was looted for the entirety of 2021, indicating a “meteoric rise” in thefts from crypto platforms.
“Almost 97% of all cryptocurrency stolen in the first three months of 2022 has been taken from DeFi protocols, up from 72% in 2021 and just 30% in 2020,” Chainalysis said in a report published this week.
“For DeFi protocols in particular, however, the largest thefts are usually thanks to faulty code. Code exploits and flash loan attacks — a type of code exploit involving the manipulation of cryptocurrency prices — has accounted for much of the value stolen outside of the Ronin attack,” the researchers said.