US Officials Tie North Korea’s ‘Lazarus’ Hackers to $625M Crypto Theft

Axie Infinity’s Ronin blockchain suffered a massive exploit late last month.

Apr 14, 2022 at 4:44 p.m. UTC
Updated Apr 18, 2022 at 4:17 p.m. UTC

Nikhilesh De is CoinDesk's managing editor for global policy and regulation. He owns marginal amounts of bitcoin and ether.

Danny is CoinDesk's deputy business editor. He owns BTC, ETH and SOL.

The U.S. Treasury Department alleged that North Korean hacking group Lazarus is tied to a more than $600 million theft of cryptocurrency from the Axie Infinity-linked Ronin bridge.

The Treasury Department added an Ethereum address to its sanctions list on Thursday. Wallet profiler Nansen had labeled the sanctioned address as a “Ronin Bridge Exploiter” when checked by CoinDesk Thursday. It held 148,000 ETH at publication time. CoinDesk independently confirmed that the wallet is tied to the Ronin exploit.

Crypto analytics firm Chainalysis tweeted that the address “was involved in the Ronin hack.” Tracing firm Elliptic estimated that 14% of the stolen funds had already been laundered by Thursday.

Ronin Network said in a blog post that the FBI had linked Lazarus with the validator breach and that the Treasury Department sanctioned the funds.

“We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk,” the blog said, targeting deployment before month’s end and promising a full post-mortem at a later date.

Ronin, a sidechain connected to the main Ethereum blockchain that lets Sky Mavis, the developers behind play-to-earn game Axie Infinity, support faster and cheaper transactions, was hacked last month, losing 173,600 ETH and 25.5 million USDC, worth $625 million at the time. It ranks among the largest exploits in crypto history.

Thursday’s action is the first time the Treasury's sanctions office has blacklisted an alleged Lazarus-held crypto wallet, a source in the tracing industry told CoinDesk.

A Treasury Department spokesperson said the department had worked with the FBI to investigate the Lazarus Group and Advanced Persistent Threat 38 (another North Korean entity believed to use malicious programming to steal funds).

"Identification of the wallet will make clear to other VC actors, that by transacting with it, they risk exposure to US sanctions. This demonstrates Treasury’s commitment to use all available authorities to disrupt malicious cyber actors and block ill-gotten criminal proceeds," the spokesperson said. "There may be mandatory secondary sanctions requirements on persons who knowingly, directly or indirectly, engage in money laundering, the counterfeiting of goods or currency, bulk cash smuggling, or narcotics trafficking that supports the Government of North Korea or any senior official or person acting for or on behalf of that Government."

The spokesperson said anti-money laundering and countering the financing of terrorists were "critical" chokepoints in preventing money laundering with stolen funds, and called on the crypto industry to implement these types of safeguards.

UPDATE (April 14, 17:19 UTC): Adds information from Ronin blog post.

UPDATE (April 14, 17:25 UTC): Adds laundering estimate from Elliptic.

UPDATE (April 14, 21:45 UTC): Adds statement from U.S. Treasury Department.

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
