
Law Enforcement Seizes $30M Stolen in North Korea's Hack of Ronin Network

However, that's only 10% of the total stolen cryptocurrency.

By Michael Kan, Principal Reporter


North Korean hacking group Lazarus recently had its plans foiled when it tried to launder $30 million taken from March’s breach of the Ronin Network. 

On Thursday, blockchain tracking firm Chainalysis announced it had worked with law enforcement to recover the stolen cryptocurrency. 

“This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we’re confident it won’t be the last,” Chainalysis claims. (Cryptocurrency exchange Binance said it recovered $5.8 million of the stolen funds in April.)  

In March, the North Korean hackers stole 173,600 ether (now valued at nearly $300 million), along with 25.5 million USD Coin, from Ronin Network, an Ethereum-linked blockchain that’s being used to power a Pokémon-style game called Axie Infinity.

The hackers pulled off the heist by phishing a software engineer at Axie Infinity with a fake job ad, according to The Block. Since then, Chainalysis has been working with law enforcement to track down the stolen funds before the North Korean hackers can cash out the cryptocurrency. 

The hackers were originally using a cryptocurrency-mixing service known as Tornado Cash to anonymize and launder the stolen funds with the help of 12,000 cryptocurrency wallet addresses. But in August, the US Treasury Department sanctioned Tornado Cash for allegedly helping the Lazarus group launder $455 million in stolen cryptocurrency.

The sanctions have caused the North Korean hackers to avoid Tornado Cash. Instead, they’ve been using decentralized finance (DeFi) platforms that can act as bridges between different blockchains to launder the funds. These same platforms can pave the way for the North Korean hackers to “switch between several different kinds of cryptocurrencies in a single transaction,” according to Chainalysis.

[Image: An example of the chain-hopping the hackers have been using. Credit: Chainalysis]

“Bridges serve an important function to move digital assets between chains and most usage of these platforms is completely legitimate. Lazarus appears to be using bridges in an attempt to obscure source of funds,” the company said. 

The North Korean hackers have been carrying out “hundreds of similar transactions across several blockchains” to launder the funds stolen from Ronin Network. However, Chainalysis says it was still able to track the movement of the stolen cryptocurrency, which helped law enforcement freeze $30 million of the funds. 

That said, Chainalysis noted law enforcement has only recovered 10% of the total stolen cryptocurrency from the Ronin Network hack. However, the company said “much of the funds stolen from Axie Infinity remain unspent in cryptocurrency wallets under the hackers’ control.”

"These hack investigations are a long road to recovery with funds being recovered over the course of many years," Chainalysis tells PCMag. "This $30M represents excellent progress only a few months in and we expect more successful seizures."

The company plans to continue to watch the funds in the hopes of one day seizing them. In the meantime, North Korean hackers will no doubt remain busy trying to loot funds from other cryptocurrency projects. “We estimate that so far in 2022, North Korea-linked groups have stolen approximately $1 billion of cryptocurrency from DeFi (decentralized finance) protocols,” Chainalysis added.
