The infamous North Korean state-sponsored hacking group Lazarus has been linked to the hack of the Ronin Network, the blockchain underlying the popular Axie Infinity game, that resulted in the theft of $615 million in cryptocurrency in March.
The link was discovered following an updated sanctions list published today by the U.S. Treasury Department’s Office of Foreign Assets Control. In the updated filing for the Lazarus Group, OFAC added an Ethereum wallet address linked to the group. As it turns out, the same wallet address was used by those behind the Ronin Network hack.
Crypto analytics firm Chainalysis was first to make the link, tweeting that the update confirms that the Lazarus Group was behind the Ronin Network hack. The Ronin Network later confirmed that the Federal Bureau of Investigation had attributed the Ronin validator security breach to the Lazarus Group.
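The attribution described above came from matching a wallet address on a sanctions list against an address seen in the theft. The check an exchange or analytics team would run for that is a sanctions screen: extract digital-currency addresses from the list, normalize them, and compare every counterparty in a set of transfers against them. The following is an added example, not code from the article, Chainalysis or OFAC; the list excerpt mimics the "Digital Currency Address - ETH" field style of the SDN list (assumed format), and every address in it is a constructed placeholder, not the real sanctioned wallet.

```python
"""Screen transfer counterparties against an OFAC-style sanctions list.

Added example. The list text and the transfers are constructed, and the
addresses are placeholders (0xdeadbeef.../0x...beef0002), not real wallets.
"""
import re

# Placeholder addresses built programmatically so they are exactly 40 hex digits.
PLACEHOLDER_A = "0xdeadbeef" + "0" * 31 + "1"
PLACEHOLDER_B = "0x" + "0" * 32 + "beef0002"

# Constructed excerpt in the style of an SDN-list entry (format is an assumption).
SAMPLE_SDN_TEXT = f"""
LAZARUS GROUP; Digital Currency Address - ETH {PLACEHOLDER_A}; Digital Currency Address - XBT 1PlaceholderBtcAddressXXXXXXXXXXXXXXX; [DPRK3]
OTHER ENTITY; Digital Currency Address - ETH {PLACEHOLDER_B}; [CYBER2]
"""

ETH_ADDR_RE = re.compile(r"Digital Currency Address - ETH (0x[0-9a-fA-F]{40})")


def normalize_eth(addr: str) -> str:
    """Canonical form: '0x' plus 40 lowercase hex digits.

    EIP-55 mixed-case checksummed addresses denote the same account as their
    lowercase form, so a screen must compare case-insensitively or it will miss
    a listed address written with different casing. Malformed input raises.
    """
    a = addr.strip()
    if a[:2].lower() == "0x":
        a = a[2:]
    if not re.fullmatch(r"[0-9a-fA-F]{40}", a):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return "0x" + a.lower()


def load_sanctioned_eth(sdn_text: str) -> frozenset:
    """Extract and normalize every ETH address from the list text."""
    return frozenset(normalize_eth(m) for m in ETH_ADDR_RE.findall(sdn_text))


def screen_transfers(transfers, sanctioned):
    """Return (tx_id, role, address) hits; role is 'from' or 'to'.

    A counterparty that cannot be parsed is reported as 'MALFORMED' rather than
    silently passed, since an unscreened transfer is a compliance gap.
    """
    hits = []
    for tx in transfers:
        for role in ("from", "to"):
            try:
                a = normalize_eth(tx[role])
            except ValueError:
                hits.append((tx["id"], role, "MALFORMED"))
                continue
            if a in sanctioned:
                hits.append((tx["id"], role, a))
    return hits


# Constructed transfers: tx1 pays the listed address in mixed case, tx2 is
# clean, tx3 has one unparseable field and one listed counterparty.
TRANSFERS = [
    {"id": "tx1", "from": "0x" + "a" * 40, "to": "0x" + PLACEHOLDER_A[2:].upper()},
    {"id": "tx2", "from": "0x" + "1" * 40, "to": "0x" + "2" * 40},
    {"id": "tx3", "from": "0xnotanaddress", "to": PLACEHOLDER_B},
]

if __name__ == "__main__":
    listed = load_sanctioned_eth(SAMPLE_SDN_TEXT)
    for hit in screen_transfers(TRANSFERS, listed):
        print("FLAG", *hit)
```

Run as a script to see the flagged transfers; in practice the list text would be the current SDN file and the transfers a feed of deposits or withdrawals, with each hit routed to a compliance hold rather than printed.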
At the time the hack took place, the largest in decentralized-finance history, it wasn’t clear whether any of the funds could be recovered. In the previous largest DeFi theft, from the Poly Network in August, the person behind the compromise came forward, said the hack was done “for fun” and claimed the funds were taken to keep them safe. The hacker, going by the name of “Etherhood,” returned the stolen funds.
Now that Lazarus is known to be behind the attack, the chance of recovering any of the stolen funds is slim at best. However, Axie Infinity players will be refunded at least some of the stolen funds after developer Sky Mavis raised $150 million on April 6 to reimburse them.
The Lazarus Group has a long track record of hacking targets in the West. The gang was in the news in December when it was reportedly targeting Linux systems alongside Windows. The group is known for allegedly being behind the spread of the WannaCry ransomware in 2017.
“North Korea has been unique in that they have APT groups focused on stealing cryptocurrency,” John Bambenek, principal threat hunter at digital IT and security operations company Netenrich Inc., told SiliconANGLE. “As North Korea is highly sanctioned, cryptocurrency thefts are also a national security interest for them. Sanctioning the wallet probably won’t help too much as there are exchanges that don’t respect the OFAC list.”
Hank Schless, senior manager of security solutions at endpoint-to-cloud security firm Lookout Inc., noted that since cryptocurrency is still a relatively new technology, it presents an opportunity for threat actors to engage in social engineering against targets.
“Crypto investors are constantly looking for an edge in the market or for what the next big currency that’s going to explode in value will be,” Schless explained. “Attackers can use this thirst for information to get users to download malicious apps or share login credentials for legitimate trading platforms they use. The attacker could then use the malicious app to exfiltrate additional data from the device it’s on or take the login credentials they’ve stolen and try them across any number of cloud apps used for both work and personal life.”