Recent reports from the U.S. Treasury Department have identified the North Korea-affiliated Lazarus Group, also referred to as Hidden Cobra, as the entity responsible for the $540 million theft from the Ronin Network, which is associated with the popular video game Axie Infinity. This incident, occurring last month, underscores the escalating threats posed by this state-sponsored group.

On Thursday, the Treasury announced a direct connection between the Ethereum wallet address that received the stolen digital assets and the Lazarus Group. This led to sanctions being imposed by adding the address to the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) List, effectively blocking U.S. individuals and entities from engaging in transactions involving these funds.

In a statement highlighting their commitment to combatting cybercrime, the FBI, in partnership with the Treasury and other government agencies, emphasized the ongoing efforts to disrupt illicit activities orchestrated by North Korea. This reflects a broader strategy to mitigate the economic underpinnings of the regime, particularly through cybercrime and cryptocurrency theft.

The theft, which ranks as the second-largest cyber-enabled heist to date, involved the extraction of 173,600 Ether (ETH) and 25.5 million USD Coin from the Ronin cross-chain bridge on March 23, 2022. The attackers reportedly exploited compromised private keys to engineer fraudulent withdrawals, an assertion supported by a disclosure report from the Ronin Network.

By sanctioning the implicated wallet address, the Treasury has attempted to thwart any further cashing out by the Lazarus Group. Analysis from Elliptic suggests that approximately 18% of the stolen funds, or around $97 million, have been laundered as of April 14. This was achieved through exchanges that evade the stringent anti-money laundering (AML) and know your customer (KYC) measures typically required by conventional platforms.
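The sanction works only if services that touch the funds actually screen for the designated address and for the addresses the funds move to next. As an added example (not code from the original report, and the designated address below is a constructed placeholder, not the one OFAC listed), this Python shows the two checks a compliance or security team would implement: normalizing Ethereum addresses before comparing them against a blocklist, since address case is only an EIP-55 checksum and not part of the identity, and propagating "downstream exposure" a configurable number of hops through observed transfers, which is the kind of tracing behind the Elliptic figures quoted above. The transfers are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed placeholder, NOT the address OFAC designated; a real deployment
# loads the current SDN List from Treasury's published data.
PLACEHOLDER_SANCTIONED = "0x" + "00" * 18 + "dEaD"
SANCTIONED_ADDRESSES_RAW = [PLACEHOLDER_SANCTIONED]

_ETH_ADDRESS_RE = re.compile(r"^(?:0x)?[0-9a-fA-F]{40}$")


def normalize_address(addr: str) -> str:
    """Canonical lowercase 0x-prefixed form; raises ValueError on malformed input.

    Ethereum addresses are case-insensitive (EIP-55 uses case only as a checksum),
    so a screening set must never compare raw strings.
    """
    addr = addr.strip()
    if not _ETH_ADDRESS_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    hex_part = addr[2:] if addr[:2].lower() == "0x" else addr
    return "0x" + hex_part.lower()


def build_blocklist(raw: Iterable[str]) -> frozenset:
    return frozenset(normalize_address(a) for a in raw)


BLOCKLIST = build_blocklist(SANCTIONED_ADDRESSES_RAW)


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    sender: str
    recipient: str
    value_wei: int


def screen_transfer(tx: Transfer, blocklist: frozenset) -> List[str]:
    """Return findings for each counterparty role; a malformed address is
    reported rather than silently treated as clean."""
    findings = []
    for role, addr in (("from", tx.sender), ("to", tx.recipient)):
        try:
            if normalize_address(addr) in blocklist:
                findings.append(f"{role}:sanctioned")
        except ValueError:
            findings.append(f"{role}:malformed")
    return findings


def downstream_exposure(transfers: Iterable[Transfer], blocklist: frozenset,
                        hops: int = 1) -> frozenset:
    """Addresses that received funds from a blocklisted address within `hops`
    transfers (hop 1 = direct receipt, hop 2 = receipt from a hop-1 address).
    Simplification: transfer ordering in time is ignored."""
    edges = [(normalize_address(t.sender), normalize_address(t.recipient))
             for t in transfers]
    exposed = set(blocklist)
    frontier = set(blocklist)
    for _ in range(hops):
        nxt = {dst for src, dst in edges if src in frontier and dst not in exposed}
        exposed |= nxt
        frontier = nxt
    return frozenset(exposed - blocklist)


# Constructed sample: stolen funds hop from the designated address to A, then A to B;
# the third transfer is unrelated.
ADDR_A = "0x" + "11" * 20
ADDR_B = "0x" + "22" * 20
SAMPLE_TRANSFERS = [
    Transfer("0xaaa1", PLACEHOLDER_SANCTIONED, ADDR_A, 10 ** 18),
    Transfer("0xaaa2", ADDR_A, ADDR_B, 5 * 10 ** 17),
    Transfer("0xaaa3", "0x" + "33" * 20, "0x" + "44" * 20, 10 ** 17),
]

if __name__ == "__main__":
    for tx in SAMPLE_TRANSFERS:
        print(tx.tx_hash, screen_transfer(tx, BLOCKLIST))
    print("1-hop exposure:", sorted(downstream_exposure(SAMPLE_TRANSFERS, BLOCKLIST, 1)))
    print("2-hop exposure:", sorted(downstream_exposure(SAMPLE_TRANSFERS, BLOCKLIST, 2)))
```

Direct screening catches only the first transfer; the hop analysis is what surfaces A and B, which is why a service that onboards B without looking upstream can still end up moving sanctioned funds.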

Notably, around $80.3 million of the laundered amount reportedly involved Tornado Cash, an Ethereum-based mixing service, with an additional $9.7 million likely to be laundered similarly. The Lazarus Group has a well-documented history of executing cryptocurrency thefts dating back to 2017, using these funds to circumvent international sanctions aimed at funding North Korea’s nuclear and ballistic missile initiatives.

Mandiant, a cybersecurity firm, observes that North Korea’s espionage efforts are closely aligned with the nation’s immediate strategic needs, with a notable focus on securing financial resources via cyber heists and targeting various information streams. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has further characterized these cyber actors as increasingly sophisticated, utilizing a diverse array of malware tools globally to enhance their operations.

Despite existing sanctions, the Lazarus Group’s recent activities reflect persistent attempts to exploit vulnerabilities within decentralized finance (DeFi) ecosystems. Reports reveal a 97% surge in cryptocurrency thefts in the first quarter of 2022 compared to the entirety of 2021, primarily attributable to code exploits and flash loan attacks targeting DeFi protocols, with faulty code often to blame for these large-scale breaches.

The vast criminal enterprise of the Lazarus Group has prompted the U.S. State Department to offer a $5 million reward aimed at gathering intelligence that could disrupt the financial machinations of individuals engaged in supporting North Korea’s illicit activities. This follows the sentencing of a former Ethereum developer, emphasizing the growing legal repercussions tied to aiding such nefarious operations.

As this situation continues to evolve, business owners and stakeholders in the tech sector must remain vigilant. Awareness of the tactics used in these types of attacks, as categorized by the MITRE ATT&CK framework (initial access, privilege escalation and obfuscation techniques among them), is essential for developing robust security postures against these persistent threats.