U.S. Sanctions Lazarus Group’s Wallets Following $620M Heist from Ronin Network


North Korean cybercriminal syndicate Lazarus Group was behind the Ronin Network hack. The state-sponsored APT group leverages social engineering and trojanized malware to infiltrate, infect, and siphon off hundreds of millions in cryptocurrency.

The U.S. Department of Treasury and the Office of Foreign Assets Control (OFAC) confirmed that Lazarus was behind one of the largest cryptocurrency heists in recent times.

According to the agencies, the Lazarus Group stole approximately $620 million from the cryptocurrency network that supports the popular online game Axie Infinity. Consequently, the treasury department also added a linked Ethereum wallet address that received these stolen funds to the list of those sanctioned by the federal agency.

The address is now a part of the Specially Designated Nationals And Blocked Persons listOpens a new window (SDN). “Through our investigation, we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29,” the FBI saidOpens a new window .

The Ronin Network and the cross-chain bridge specifically enable cryptocurrency transfers from one network to another. In total, the Lazarus Group, also known as APT38, BlueNoroff, and Stardust Chollima, managed to steal 173,600 Ether along with $25.5 million Coins from the Ronin Bridge smart contract.

Infiltration from North Korea, especially across the crypto infrastructure, is not new. Blockchain analytics company Chainalysis said in 2021, at least $400 million of digital assets were siphoned in attacks that targeted investment firms and centralized exchanges, which are then laundered for legitimacy.

Source: ChainalysisOpens a new window

See More: Why Distributed Ledger Technology Is the Next Battleground for Hackers

“The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK’s use of illicit activities – including cybercrime and cryptocurrency theft – to generate revenue for the regime,” the federal agency said.

Chainalysis also noted an increasing interest in targeting mainly Ether, the most actively targeted cryptocurrency by North Korean advanced persistent threat groups such as Lazarus. Correspondingly, the company observed a decline in the amount of Bitcoin being stolen.

The Ronin Network is currently offline, while Sky Mavis, the Vietnam-based tech-focused game studio, reinforces its security. According to the Ronin Network, it will be redeployed by the end of April, possibly with 21 validator nodes instead of the previous nine (five of these were hacked by Lazarus, which led to the crypto heist).

Last month, the Ronin Network said that “all evidence points to this attack being socially engineered, rather than a technical flaw.” The Cybersecurity and Infrastructure Security Agency (CISA) also confirmedOpens a new window the prevalence and cautioned against social engineering attacks conducted by North Korean APTs.

It involves “social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems,” CISA said.

“The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.” For example, the Lazarus Group used the AppleJeus malware to steal cryptocurrency.

CISA said targets include blockchain technology and the cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).

But that has not always been the case. Lazarus’ original targets were mainly South Korean or other Asian centralized exchanges. This changed in 2021 when the group’s attention shifted to DeFi platforms.

Lazarus is believed to be associated with or supported by the North Korean state, with stolen funds allegedly being used to fund the regime’s nuclear and ballistic missile programs. Symantec saidOpens a new window Lazarus has also reignited Operation Dream Job and is engaging in a cyber espionage campaign targeting South Korean organizations in the chemical sector.

As of April 14, the Lazarus Group has laundered almost $100 million of the $620 million. But going forward, the sanctions mean it won’t be easy to launder the rest considering all U.S. entities and individuals are now prohibited from transacting with the banned addresses. The U.S. government has announcedOpens a new window a reward of up to $5 million for any information that can help bust North Korean cybercriminal operations.

Chainalysis said $1.3 billionOpens a new window worth of cryptocurrency had been stolen in the first three months of 2022, 40.6% of the total $3.2 billion in digital assets stolen in all of 2021.

Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!