
US Treasury Connects North Korean Hackers to $622M Axie Infinity Exploit

The U.S. Treasury added the Ronin attackers' Ethereum wallet address to its sanctions list, tying it to the Lazarus Group.

Axie Infinity. Image: Sky Mavis

In brief

  • The U.S. Treasury added an Ethereum wallet address to its sanctions list today, tying it to North Korea's Lazarus Group.
  • It's the same address tied to last month's $622 million attack on Axie Infinity's Ronin Network.

North Korean hacking group Lazarus is allegedly responsible for last month's $622 million hack of Ronin Network, an Ethereum sidechain used by the play-to-earn crypto game Axie Infinity.

The connection was revealed today when the United States Department of the Treasury announced that it added a new Ethereum wallet address to its list of sanctions for the Lazarus Group. It's the same wallet address that Axie Infinity creator Sky Mavis named as the Ronin attacker in late March.

CoinDesk first reported the news. A look at Ethereum wallet explorer Etherscan shows the label "Ronin Bridge Exploiter" for the wallet.

Sky Mavis has since acknowledged the connection in an update to its original post about the Ronin exploit. Blockchain analytics firms Chainalysis and Elliptic have similarly affirmed that the wallet address listed by the U.S. Treasury today is the same used in the Ronin exploit.

The FBI has labeled Lazarus as a “state-sponsored hacking organization,” and its earliest attacks date back to 2009. Lazarus is allegedly responsible for the 2017 WannaCry ransomware attack, 2014’s breach of Sony Pictures, and a series of attacks on pharmaceutical companies in 2020.

“It is somewhat unsurprising that this attack has been attributed to North Korea,” Elliptic wrote in a blog post. “Many features of the attack mirrored the method used by Lazarus Group in previous high-profile attacks, including the location of the victim, the attack method (believed to have involved social engineering) and the laundering pattern utilized by the group after the event.”

The Ronin Network exploit took place on March 23, when the bridge connecting Ronin to the Ethereum mainnet was attacked using compromised private keys, the cryptographic keys validators use to sign transactions. The attacker held the keys of five of the nine active validator nodes on Ronin, which was enough to meet the bridge's signature threshold and authorize withdrawals that the remaining validators never approved.
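To make the approval rule concrete, the following is an added example (not Sky Mavis code) that models a bridge whose withdrawals are valid once at least 5 of 9 validators have signed, and shows that holding 4 compromised keys gets an attacker nothing while holding 5 lets them forge a withdrawal that the bridge accepts. The validator names, the withdrawal record and the amounts are constructed for the demonstration, and HMAC-SHA256 with per-validator secrets stands in for the real on-chain signature scheme, which the page does not detail.

```python
"""Threshold-approval model of a cross-chain bridge (added example, not Ronin code).

A withdrawal is honoured only if at least THRESHOLD distinct, known validators
have signed its digest. Compromising THRESHOLD validator keys is therefore
sufficient to forge any withdrawal, which is the failure mode described above.
HMAC-SHA256 is a stand-in for the bridge's real signature scheme (assumption).
"""
import hashlib
import hmac
import json
import secrets

N_VALIDATORS = 9   # validator set size described in the article
THRESHOLD = 5      # signatures required to authorize a withdrawal


def gen_validator_keys(n=N_VALIDATORS):
    """One random 32-byte signing secret per validator (names are constructed)."""
    return {f"validator-{i}": secrets.token_bytes(32) for i in range(n)}


def withdrawal_digest(withdrawal):
    """Canonical JSON so every validator signs exactly the same bytes."""
    blob = json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).digest()


def sign(secret, digest):
    return hmac.new(secret, digest, hashlib.sha256).digest()


def verify(secret, digest, sig):
    return hmac.compare_digest(sign(secret, digest), sig)


def bridge_accepts(validator_keys, withdrawal, signatures, threshold=THRESHOLD):
    """True when >= threshold distinct known validators have validly signed this withdrawal.

    Signatures are keyed by validator id, so one key cannot be counted twice,
    and signatures from unknown ids are ignored rather than trusted.
    """
    digest = withdrawal_digest(withdrawal)
    valid_signers = set()
    for vid, sig in signatures.items():
        secret = validator_keys.get(vid)
        if secret is None:
            continue  # signer not in the validator set
        if verify(secret, digest, sig):
            valid_signers.add(vid)
    return len(valid_signers) >= threshold


def forge_withdrawal(stolen_keys, withdrawal):
    """What an attacker holding a subset of validator keys can produce."""
    digest = withdrawal_digest(withdrawal)
    return {vid: sign(secret, digest) for vid, secret in stolen_keys.items()}


def simulate(stolen_count, threshold=THRESHOLD):
    """Does the bridge accept a withdrawal signed with `stolen_count` compromised keys?"""
    keys = gen_validator_keys()
    stolen = dict(list(keys.items())[:stolen_count])
    # Constructed withdrawal record; the destination address is a placeholder.
    withdrawal = {"to": "0xATTACKER", "token": "WETH", "amount": "173600"}
    return bridge_accepts(keys, withdrawal, forge_withdrawal(stolen, withdrawal), threshold)


def replay_is_rejected():
    """Signatures over one withdrawal must not authorize a different one."""
    keys = gen_validator_keys()
    stolen = dict(list(keys.items())[:THRESHOLD])
    original = {"to": "0xATTACKER", "token": "WETH", "amount": "1"}
    replayed = {"to": "0xATTACKER", "token": "WETH", "amount": "173600"}
    sigs = forge_withdrawal(stolen, original)
    return not bridge_accepts(keys, replayed, sigs)


if __name__ == "__main__":
    for k in (4, 5, 9):
        print(f"{k} of {N_VALIDATORS} keys compromised -> accepted: {simulate(k)}")
    print("replay rejected:", replay_is_rejected())
```

The threshold only provides the protection it advertises if the keys are held independently: whoever can sign for THRESHOLD validators, whether by compromising them one at a time or because a single operator already controls that many, has the same power as the full validator set.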

All told, the attacker stole 173,600 WETH (wrapped ether) and 25.5 million USDC stablecoin, collectively worth about $622 million when the hack was discovered and disclosed on March 29. It's the second-largest DeFi hack to date based on the value of the assets when the attack took place ($552 million).

In the weeks since, Sky Mavis has announced a $150 million funding round led by Binance to help reimburse users affected by the attack. Sky Mavis will also tap its own balance sheet to ensure that users can withdraw their funds, but it ultimately hopes to recover stolen funds over the next two years.

Elliptic reports that 18% of the stolen funds have been laundered to date, both by sending them to various crypto exchanges and through Tornado Cash, a smart-contract-based mixing service that pools transactions to make them difficult to trace. The wallet still holds 147,753 ETH, worth about $444 million as of this writing.

Editor's note: This story was updated after publication to provide additional details about the Ronin hack and to include responses from Sky Mavis, Chainalysis, and Elliptic.
