US Treasury traces Axie Infinity’s Ronin network attack to North Korean ‘Lazarus Group’

The US Treasury Department claims that Lazarus, a North Korean hacker group, is responsible for a $600 million crypto theft through the Axie Infinity-linked Ronin bridge.

On Thursday, the US Treasury Department added an Ethereum address to its list of sanctioned entities. The address “was implicated in the Ronin hack,” according to Chainalysis, a crypto analytics firm. Elliptic, a tracing agency, calculated that 14% of the stolen assets had been laundered by Thursday.

According to a Ronin Network blog post, the FBI had linked Lazarus to the validator breach, and the Treasury Department had sanctioned the transactions.

“We are still in the process of installing additional security measures before redeploying the Ronin Bridge to prevent future risk,” the post said, promising a comprehensive post-mortem before the end of the month.

Sky Mavis has since acknowledged the link in a follow-up to its original Ronin exploit piece. Chainalysis and Elliptic, two blockchain analytics companies, have also confirmed that the wallet address given by the US Treasury today is the same one used in the Ronin hack.

About the Lazarus group

Lazarus is a “state-sponsored hacker outfit,” according to the FBI, with its first strikes dating back to 2009. Lazarus is suspected of being behind the WannaCry ransomware assault in 2017, the Sony Pictures breach in 2014, and a series of attacks on pharmaceutical businesses in 2020.

In a blog post, Elliptic noted: “It is fairly unsurprising that this attack has been linked to North Korea. Many aspects of the attack echoed the Lazarus Group’s strategy in past high-profile attacks, including the victim’s location, the attack method (believed to have employed social engineering), and the group’s post-attack laundering routine.”

According to a source in the tracing business, this is the first time the Treasury’s sanctions office has blacklisted a purported Lazarus-held crypto wallet.

When the Ronin Network was hacked last month, the attacker took 173,600 WETH (Wrapped Ethereum) and 25.5 million USDC stablecoins, totaling $622 million at the time of discovery and disclosure on March 29. Based on the value of the assets at the time of the attack ($552 million), it is the second-largest DeFi breach to date.