Feds Reclaim $30 Million in Cryptocurrency Stolen by North Korean Hackers

Cryptocurrency analytics firm Chainalysis said on Thursday it helped the US government seize $30 million in digital coins that North Korea-backed hackers stole from the developer of the non-fungible token-based game earlier this year. Axie Infinite.

When taking into account the more than 50 percent drop in cryptocurrency prices since the theft happened in March, the seizure represents only about 12 percent of the total money stolen. The people who carried out the heist transferred 173,600 ethereum worth about $594 million and $25.5 million in USDC stablecoin at the time, making it one of the largest cryptocurrency thefts ever.

Harder to hide

The repossessions “demonstrate that it is becoming more difficult for bad actors to successfully cash in their ill-gotten crypto profits,” wrote Erin Plante, senior research director at Chainalysis. “We have proven that with the right blockchain analytics tools, world-class researchers and compliance professionals can work together to stop even the most sophisticated hackers and money launderers.”

The FBI attributed the theft to Lazarus, the name used to track down a hacking group backed by and working on behalf of the North Korean government. According to Axie Infinity developer Sky Mavis, the hackers made the transfers after gaining access to five of the nine private keys held by transaction validators for the Ronin Networks cross-bridge, a special blockchain for the game.

The hackers then launched an extensive money laundering process that involved transferring funds to more than 12,000 different currency addresses in an attempt to cover up the movement of the stolen coins.

In Thursday’s post, Plante wrote:

North Korea’s typical DeFi money laundering technique consists of roughly five stages:

1. Stolen Ether sent to intermediate wallets
2. Ether mixed in batches using Tornado Cash
3. Ether exchanged for bitcoin
4. Bitcoin mixed in batches
5. Bitcoin deposited with crypto-to-fiat services for payout

Last month, the US Treasury Department sanctioned virtual currency mixer Tornado Cash after it discovered it had been used to launder more than $7 billion worth of virtual currencies since its inception in 2019. $455 million of that amount was linked to the heist. against Axie Infinity.

Plant continued:

Since then, Lazarus Group has moved away from the popular Ethereum mixer, instead using DeFi services to switch between different types of cryptocurrencies in a single transaction. Bridges serve an important function of moving digital assets between chains and most uses of these platforms are completely legitimate. Lazarus appears to be using bridges in an attempt to cover up the source of funds. Chainalysis tools make these cross-chain fund movements easy to track.

We can use Chainalysis Storyline to see an example of how Lazarus Group used chain-hopping to launder some of the money stolen from Axie Infinity:

Above we see that the hacker bridged ETH from the Ethereum blockchain to the BNB chain and then exchanged that ETH for USDD, which was then bridged to the BitTorrent chain. Lazarus Group conducted hundreds of similar transactions across various blockchains to launder the money they had stolen Axie Infinityin addition to the more conventional Tornado Cash-based money laundering we discussed above.

On Twitter, Ronin Networks said“It will be some time before these funds are returned to the treasury.” Plante said much of the stolen money remains in wallets under the control of the hackers. “We look forward to continuing to work with the cryptocurrency ecosystem to prevent them and other illegal actors from cashing in.”