US authorities link $600m cryptocurrency theft to notorious North Korean Lazarus group

The United States has linked North Korean hacking group Lazarus to the hack of Ronin network bridge, which resulted in the theft of hundreds of millions of dollars' worth of cryptocurrencies last month.

The US Treasury Department's Office of Foreign Assets Control (OFAC) last week published an updated sanctions list, revealing Lazarus' involvement in the hack.

OFAC added an Ethereum wallet address related to the Lazarus Group to the updated filing, and according to reports, the same wallet address was used by those behind the Ronin Network hack.

'Today, the FBI attributed North Korea-based Lazarus Group to the Ronin Validator Security Breach,' Ronin Network said in an online post.

'The US Government, specifically the Treasury Department, has sanctioned the address that received the stolen funds.'

The hacking incident occurred in March 2022, resulting in the theft of more than $600 million in Ethereum and USDC stablecoins.

The attackers targeted the Ronin Network, an Ethereum sidechain built for Axie Infinity, one of the world's most popular NFT video games. The Ronin bridge connects the sidechain to Ethereum, letting players deposit and withdraw ETH and USDC in and out of the game, so it holds the deposited funds that back in-game assets.

The attacker drained the bridge on 23 March, but Ronin and Axie Infinity operator Sky Mavis only discovered and disclosed the breach on 29 March, nearly a week later, after a user reported being unable to withdraw funds.

The attacker used compromised validator private keys to forge withdrawals from the Ronin bridge. A withdrawal had to be approved by five of the nine validator nodes, so control of five keys was enough to release funds. Four of those keys belonged to Sky Mavis' own validators; the fifth was the Axie DAO's, which Sky Mavis had been permitted to sign for through an allow-list set up in late 2021 and never revoked. The root cause was basic key management: too few independent key holders, and a stale permission that collapsed a 5-of-9 threshold into a single organisation's infrastructure.
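To make the threshold arithmetic concrete, here is an added example (not code from Ronin, Sky Mavis or the article) of a k-of-n bridge verifier using Ed25519 signatures. The `Withdrawal` layout, the validator keys and the recipient address are constructed for the demonstration; it shows that five stolen keys satisfy a 5-of-9 check, that four do not, that the same keys fail against a higher threshold such as 8-of-9, and that replaying one key five times still counts as a single approval.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Withdrawal is the message validators sign to release funds on the Ethereum side.
// The field layout is hypothetical; it stands in for the real bridge's withdrawal event.
type Withdrawal struct {
	Nonce     uint64
	Recipient string
	Amount    uint64
}

// Digest binds every field into the bytes that get signed, so a signature over one
// withdrawal cannot be reused for another recipient, amount or nonce.
func (w Withdrawal) Digest() []byte {
	h := sha256.New()
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], w.Nonce)
	h.Write(buf[:])
	binary.BigEndian.PutUint64(buf[:], w.Amount)
	h.Write(buf[:])
	h.Write([]byte(w.Recipient))
	return h.Sum(nil)
}

// Signature is one validator's approval, identified by index in the validator set.
type Signature struct {
	Validator int
	Sig       []byte
}

// Bridge is the verifier: a fixed validator set and a k-of-n threshold.
type Bridge struct {
	Validators []ed25519.PublicKey
	Threshold  int
}

// Verify counts distinct validators with a valid signature over this exact withdrawal.
// Unknown indices, repeated signers and signatures over other messages do not count.
func (b Bridge) Verify(w Withdrawal, sigs []Signature) bool {
	digest := w.Digest()
	approved := make(map[int]bool)
	for _, s := range sigs {
		if s.Validator < 0 || s.Validator >= len(b.Validators) || approved[s.Validator] {
			continue
		}
		if ed25519.Verify(b.Validators[s.Validator], digest, s.Sig) {
			approved[s.Validator] = true
		}
	}
	return len(approved) >= b.Threshold
}

// NewValidatorSet generates n fresh Ed25519 keypairs (constructed; not real Ronin keys).
func NewValidatorSet(n int) ([]ed25519.PublicKey, []ed25519.PrivateKey) {
	pubs := make([]ed25519.PublicKey, n)
	privs := make([]ed25519.PrivateKey, n)
	for i := range pubs {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs[i], privs[i] = pub, priv
	}
	return pubs, privs
}

// SignWith signs the withdrawal with every private key the caller holds.
func SignWith(w Withdrawal, keys map[int]ed25519.PrivateKey) []Signature {
	digest := w.Digest()
	var sigs []Signature
	for idx, priv := range keys {
		sigs = append(sigs, Signature{Validator: idx, Sig: ed25519.Sign(priv, digest)})
	}
	return sigs
}

// Simulate models an attacker holding the first `compromised` of nine validator keys
// pushing a withdrawal through a bridge with the given threshold.
func Simulate(threshold, compromised int) bool {
	pubs, privs := NewValidatorSet(9)
	bridge := Bridge{Validators: pubs, Threshold: threshold}
	stolen := make(map[int]ed25519.PrivateKey)
	for i := 0; i < compromised && i < len(privs); i++ {
		stolen[i] = privs[i]
	}
	w := Withdrawal{Nonce: 1, Recipient: "0xattacker", Amount: 173600} // constructed
	return bridge.Verify(w, SignWith(w, stolen))
}

// ReplayOneKey shows that a single stolen key submitted five times is still one vote.
func ReplayOneKey() bool {
	pubs, privs := NewValidatorSet(9)
	bridge := Bridge{Validators: pubs, Threshold: 5}
	w := Withdrawal{Nonce: 2, Recipient: "0xattacker", Amount: 1}
	one := SignWith(w, map[int]ed25519.PrivateKey{0: privs[0]})
	replayed := []Signature{one[0], one[0], one[0], one[0], one[0]}
	return bridge.Verify(w, replayed)
}

func main() {
	fmt.Println("5-of-9, 5 keys stolen:", Simulate(5, 5))
	fmt.Println("5-of-9, 4 keys stolen:", Simulate(5, 4))
	fmt.Println("8-of-9, 5 keys stolen:", Simulate(8, 5))
	fmt.Println("one key replayed five times:", ReplayOneKey())
}
```

The verifier is only as strong as the independence of the key holders: the allow-list described above effectively handed one organisation five of the nine signing rights, which is why a threshold that looks healthy on paper failed in practice.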

According to some blockchain data providers, more than 10 per cent of the funds withdrawn from Ronin have already been laundered, and up to a further $10 million may be queued for laundering.

The US Federal Bureau of Investigation (FBI) tracked down the Ethereum wallet to which the funds were first moved, and OFAC then announced sanctions on it.

The designation confirmed that North Korea was behind the hack, according to blockchain analytics firms Chainalysis and Elliptic.

Lazarus, also known as Hidden Cobra, became widely known in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un.

According to the US agencies, the Lazarus hacking squad is run by the Reconnaissance General Bureau, North Korea's principal intelligence service.

The group is also accused of being involved in the WannaCry ransomware attacks, as well as the hacking of several multinational banks and customer accounts.

Cyber security firm Kaspersky warned in 2020 that Lazarus had significantly updated its attack tactics in an effort to remain undetected during cryptocurrency stealing campaigns. The researchers said they had found evidence suggesting that Lazarus was using messaging app Telegram to deliver malicious files to potential targets in order to steal cryptocurrency.

In December, the gang made headlines when it was claimed that it was targeting Linux computers in addition to Windows.

According to research by Chainalysis, North Korean hackers stole roughly $400 million in cryptocurrency last year, mostly from investment firms and centralised cryptocurrency exchanges.