North Korean Hackers Involved in Axie Infinity Heist
Date: 20.01.2024
CryptoChipy has confirmed that the United States has linked hackers backed by North Korea to a massive crypto theft of $615 million from players of the popular online game Axie Infinity. Axie Infinity is a game that allows players to earn cryptocurrency (AXS) by playing or trading their avatars. The hack took place in March, with investigations underway, supported by both authorities and the game’s hosting platform. This theft is considered one of the largest in the cryptocurrency world. It targeted the Ronin Blockchain project, raising concerns about the security of the cryptocurrency industry. The Ronin network facilitates the transfer of digital currencies in and out of the game. Some experts believe that the industry gained mainstream attention through celebrity endorsements and promises of massive wealth.

US Identifies North Korean Hackers in the Axie Infinity Theft

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has flagged the address that received the stolen crypto from the Ronin network. The address has been sanctioned, and the Federal Bureau of Investigation (FBI) has confirmed that two North Korean hacking groups were responsible for the Ronin hack. These groups, the Lazarus group and BlueNoroff (also known as APT38), are believed to be managed and supported by North Korea’s primary intelligence agency.

The FBI issued a statement confirming that the Lazarus group and APT38 were behind the theft of over $600 million in Ethereum, which occurred on March 29th. The cybercriminals are believed to have ties with the Democratic People’s Republic of Korea (DPRK).

The Lazarus group became widely known in 2014 after allegedly hacking Sony Pictures Entertainment in retaliation for the movie “The Interview,” which mocked North Korea’s leader Kim Jong Un. The group has also been involved in the WannaCry ransomware attack and in hacking the bank accounts of international customers.

The FBI emphasized its ongoing efforts to collaborate with the Treasury and other U.S. government agencies to expose and counter the DPRK’s illicit activities, including cybercrime and crypto theft, which are used to fund its weapons of mass destruction and ballistic missile programs. These activities are also a means for North Korea to bypass U.S. and United Nations sanctions.

A 2020 military report revealed that North Korea’s cyber warfare program has expanded from its beginnings in the mid-1990s into a 6,000-member unit, known as Bureau 121. This unit operates in several countries, including China, Russia, India, Malaysia, and Belarus.

ETH Address Tied to Lazarus Group and the Details of the Hack

The Office of Foreign Assets Control (OFAC) recently added a new Ethereum address to the SDN list, linked to the Lazarus group. This address is also tied to the Ronin hack in March, which involved the theft of ETH and USDC tokens. Ronin acted as a bridge for transferring ERC-20 tokens between the Ethereum blockchain and Ronin, facilitating transactions for Axie Infinity players.

On March 29, the Ronin network was hacked, leading to the theft of 173,600 ETH and 25.5 million USDC tokens. The developers of Ronin, Sky Mavis, revealed that the hackers exploited a security vulnerability. Previously, Ronin had relied on the Ethereum blockchain, which was slow and expensive for transactions. To address this, Sky Mavis developed Ronin as a sidechain to Ethereum, enabling faster and more affordable transactions, though with weaker security.

Sky Mavis confirmed that the FBI has attributed the Ronin validator attack to the Lazarus group. The Treasury also sanctioned the address that received the stolen funds.

What’s Next for the North Korean Hackers?

According to blockchain analysis firm Chainalysis, North Korean hackers were responsible for over $400 million in digital currency thefts across at least seven crypto platforms in 2021. That year was one of the most successful for cybercrime operations tied to North Korea.

CryptoChipy has learned that the U.S. is pushing for the United Nations to blacklist and freeze the assets of the Lazarus group.