Cryptocurrency analytics firm Chainalysis said on Thursday that it helped the US government seize $30 million worth of digital coins that North Korean-backed hackers stole earlier this year from the developer of the non-fungible token-based game Axie Infinite.
When accounting for the more than 50 percent fall in cryptocurrency prices since the theft occurred in March, the seizure represents only about 12 percent of the total funds stolen. The people who pulled off the heist transferred 173,600 ethereum worth about $594 million at the time and $25.5 million in USDC stablecoin, making it one of the biggest cryptocurrency thefts ever.
Harder to hide
The seizures “demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains,” Erin Plante, senior director of investigations at Chainalysis, wrote. “We have proven that with the right blockchain analysis tools, world-class investigators and compliance professionals can collaborate to stop even the most sophisticated hackers and launderers.”
The FBI attributed the theft to Lazarus, the name used to track a hacking group backed by and working on behalf of the North Korean government. According to Axie Infinity developer Sky Mavis, the hackers pulled off the transfers after gaining access to five of nine private keys held by transaction validators for the Ronin Networks cross-bridge, a dedicated blockchain for the game.
The hackers then initiated an elaborate laundering process that involved transferring funds to more than 12,000 different currency addresses in an attempt to obfuscate the stolen coins’ movement.
In Thursday’s post, Plante wrote:
North Korea’s typical DeFi laundering technique has roughly five stages:
- Stolen Ether sent to intermediary wallets
- Ether mixed in batches using Tornado Cash
- Ether swapped for bitcoin
- Bitcoin mixed in batches
- Bitcoin deposited to crypto-to-fiat services for cashout
Last month, the US Treasury Department sanctioned the virtual currency mixer Tornado Cash after finding it has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. $455 million of that sum was connected to the heist against Axie Infinity.
Since then, Lazarus Group has moved away from the popular Ethereum mixer, instead leveraging DeFi services to chain hop, or switch between several different kinds of cryptocurrencies in a single transaction. Bridges serve an important function to move digital assets between chains and most usage of these platforms is completely legitimate. Lazarus appears to be using bridges in an attempt to obscure source of funds. With Chainalysis tools these cross chain funds movements are easily traced.
We can use Chainalysis Storyline to see an example of how Lazarus Group utilized chain-hopping to launder some of the funds stolen from Axie Infinity:
Above, we see that the hacker bridged ETH from the Ethereum blockchain to the BNB chain and then swapped that ETH for USDD, which was then bridged to the BitTorrent chain. Lazarus Group carried out hundreds of similar transactions across several blockchains to launder the funds they stole from Axie Infinity, in addition to the more conventional Tornado Cash-based laundering we covered above.
On Twitter, Ronin Networks said, “It will take some time for these funds to be returned to the Treasury.” Plante said that much of the stolen funds remains in wallets under the hackers’ control. “We look forward to continuing to work with the cryptocurrency ecosystem to prevent them and other illicit actors from cashing out their funds.”
Blockchain analysis keeps getting better. Expect more seizures to come.
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.