The Ronin attackers’ Ethereum wallet address is now on the US Treasury Department’s sanctions list, confirming their link to notorious cybercriminal group Lazarus.
The Lazarus group strikes again
The US Treasury Department has added the Ethereum wallet address of the Ronin attackers to its sanctions list, linking it to cybercrime group Lazarus.
The North Korean hacking group Lazarus is believed to be responsible for the $622 million theft from the Ronin network, an Ethereum sidechain built primarily for the crypto game Axie Infinity.
Wallet address as proof
The US Treasury Department today took another step against the Lazarus Group. The department announced that it has added a new Ethereum wallet address to its sanctions listing for the state-sponsored hacking group.
This is the same wallet address used in the attack on Axie Infinity creator Sky Mavis; on Etherscan the address is labelled “Ronin Bridge Exploiter”.
Sky Mavis initially reported that the wallet address listed by the US Treasury Department today was the same one used in a Monero miner worm attack earlier this month. However, Sky Mavis has since acknowledged the link to Lazarus in an update to its original Ronin exploit post.
The FBI has classified the Lazarus Group as a North Korean state-sponsored hacking organization whose first attacks date back to 2009. Lazarus is believed to be responsible for the 2017 WannaCry ransomware outbreak, the 2014 Sony Pictures attack and a series of attacks on pharmaceutical companies in 2020. Blockchain analytics firm Elliptic writes on its blog:
Unsurprisingly, this attack is attributed to North Korea. […] Many characteristics of the attack mirror the method used by the Lazarus group in previous high-profile attacks, including victim location, attack method (considered to be social engineering), and the money-laundering pattern used by the group after the incident.
Approximately $622 million stolen
On March 23, the attacker used stolen private keys to take control of five of the nine Ronin validator nodes. Because the bridge releases funds once five of its nine validators have signed a withdrawal, those five keys were enough to approve fraudulent transfers out of the network.
The attacker stole 173,600 wrapped ETH and 25.5 million USDC, worth around $622 million when the breach was discovered and announced on March 29. Measured by asset value at the time of the attack, this is the second largest DeFi hack to date.
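To make the failure mode concrete, here is an added example, not Sky Mavis's code and not the Ronin bridge contract, of a threshold-signature check of the kind the bridge relied on: a withdrawal is released once signatures from five distinct validators out of nine verify. Whoever holds five validator private keys passes the check, which is all the attacker needed. The validator set, the key type (P-256 ECDSA), the withdrawal format and the address strings are assumptions made for the demo; the check also shows two things a correct verifier must still do, namely count each validator once and refuse to pay the same nonce twice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed to mirror the 5-of-9 validator set described above; the real
// bridge contract and its signing scheme are not reproduced here.
const (
	numValidators = 9
	threshold     = 5
)

// Withdrawal is the message the validators sign (hypothetical format).
type Withdrawal struct {
	Nonce     uint64
	Recipient string
	AmountETH uint64
}

// digest binds every field, so a signature cannot be reused for a different withdrawal.
func (w Withdrawal) digest() []byte {
	h := sha256.New()
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], w.Nonce)
	h.Write(buf[:])
	h.Write([]byte(w.Recipient))
	binary.BigEndian.PutUint64(buf[:], w.AmountETH)
	h.Write(buf[:])
	return h.Sum(nil)
}

// Signature is one validator's ECDSA signature over a withdrawal digest.
type Signature struct {
	Validator int    // index into the bridge's validator set
	Sig       []byte // ASN.1-encoded ECDSA signature
}

// Bridge is the verifying side: it holds only the validators' public keys.
type Bridge struct {
	validators []*ecdsa.PublicKey
	processed  map[uint64]bool // nonces already paid out (replay protection)
}

func NewBridge(pubs []*ecdsa.PublicKey) *Bridge {
	return &Bridge{validators: pubs, processed: map[uint64]bool{}}
}

// Approve releases funds if at least `threshold` distinct validators signed.
// Anyone holding that many private keys passes this check, which is why key
// custody, not the signature math, was the weak point.
func (b *Bridge) Approve(w Withdrawal, sigs []Signature) bool {
	if b.processed[w.Nonce] {
		return false
	}
	d := w.digest()
	signed := map[int]bool{}
	for _, s := range sigs {
		if s.Validator < 0 || s.Validator >= len(b.validators) || signed[s.Validator] {
			continue // unknown validator, or the same validator submitted twice
		}
		if ecdsa.VerifyASN1(b.validators[s.Validator], d, s.Sig) {
			signed[s.Validator] = true
		}
	}
	if len(signed) < threshold {
		return false
	}
	b.processed[w.Nonce] = true
	return true
}

// GenValidators creates a fresh validator key set (P-256, constructed for the demo).
func GenValidators(n int) ([]*ecdsa.PrivateKey, []*ecdsa.PublicKey) {
	privs := make([]*ecdsa.PrivateKey, n)
	pubs := make([]*ecdsa.PublicKey, n)
	for i := range privs {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		privs[i], pubs[i] = k, &k.PublicKey
	}
	return privs, pubs
}

// signAs produces a signature that claims to come from validator idx using key k.
func signAs(k *ecdsa.PrivateKey, idx int, w Withdrawal) Signature {
	sig, err := ecdsa.SignASN1(rand.Reader, k, w.digest())
	if err != nil {
		panic(err)
	}
	return Signature{Validator: idx, Sig: sig}
}

// AttackerSucceeds simulates an attacker who stole the private keys of the
// first `stolen` validators and submits a withdrawal to an address they control.
func AttackerSucceeds(stolen int) bool {
	privs, pubs := GenValidators(numValidators)
	bridge := NewBridge(pubs)
	w := Withdrawal{Nonce: 1, Recipient: "0xattacker", AmountETH: 173600}
	var sigs []Signature
	for i := 0; i < stolen; i++ {
		sigs = append(sigs, signAs(privs[i], i, w))
	}
	return bridge.Approve(w, sigs)
}

// DuplicateSignerRejected checks that one stolen key submitted `threshold`
// times, plus a signature that claims another validator's index, does not pass.
func DuplicateSignerRejected() bool {
	privs, pubs := GenValidators(numValidators)
	bridge := NewBridge(pubs)
	w := Withdrawal{Nonce: 2, Recipient: "0xattacker", AmountETH: 1}
	var sigs []Signature
	for i := 0; i < threshold; i++ {
		sigs = append(sigs, signAs(privs[0], 0, w))
	}
	sigs = append(sigs, signAs(privs[0], 8, w)) // wrong key for validator 8: fails to verify
	return !bridge.Approve(w, sigs)
}

func main() {
	fmt.Println("4 stolen keys approved:", AttackerSucceeds(4))
	fmt.Println("5 stolen keys approved:", AttackerSucceeds(5))
	fmt.Println("duplicate signer rejected:", DuplicateSignerRejected())
}
```

Running it prints `false`, `true`, `true`: four keys fall short of the threshold, five forge a valid withdrawal, and repeating one key or mislabelling it as another validator does not inflate the count. The lesson for the verifier side is that a k-of-n scheme is only as strong as the independence of the k key holders; the lesson for operators is that the keys must not sit where one intrusion reaches k of them.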
Compensation for victims?
In the two weeks since the hack, Axie Infinity developer Sky Mavis has announced a $150 million funding round led by Binance to reimburse users affected by the attack.
Sky Mavis will also draw on its own balance sheet to ensure that users can withdraw their funds, and the company still hopes to recover the stolen assets within the next two years.
About 18% of the stolen funds have been laundered so far, by moving them through various crypto exchanges and through mixing services such as Tornado Cash, which make the transactions difficult to trace. The attackers' wallet still holds 147,753 ETH, currently worth about $444 million.