[BreachExchange] US Officials Tie North Korea’s ‘Lazarus’ Hackers to $625M Crypto Theft

Matthew Wheeler mwheeler at flashpoint-intel.com
Fri Apr 15 08:27:14 EDT 2022


https://www.coindesk.com/policy/2022/04/14/us-officials-tie-north-korean-hacker-group-to-axies-ronin-exploit/

The U.S. Treasury Department alleged that North Korean hacking group
Lazarus is tied to a more than $600 million theft of cryptocurrency from
the Axie Infinity-linked Ronin bridge.

The Treasury Department added an Ethereum address to its sanctions list on
Thursday. Wallet profiler Nansen had labeled the sanctioned address as a
“Ronin Bridge Exploiter” when checked by CoinDesk Thursday. It held 148,000
ETH at publication time. CoinDesk independently confirmed that the wallet
is tied to the Ronin exploit.

Crypto analytics firm Chainalysis tweeted that the address “was involved in
the Ronin hack.” Tracing firm Elliptic estimated that 14% of the stolen
funds had already been laundered by Thursday.

Ronin Network said in a blog post that the FBI had linked Lazarus with the
validator breach and that the Treasury Department sanctioned the funds.

“We are still in the process of adding additional security measures before
redeploying the Ronin Bridge to mitigate future risk,” the blog said,
targeting deployment before month’s end and promising a full post-mortem at
a later date.

Ronin – a sidechain that is connected to the main Ethereum blockchain but
allows the developers behind play-to-earn game Axie Infinity, Sky Mavis, to
support faster and cheaper transactions – was hacked last month, losing
173,600 ETH and 25.5 million USDC, worth $625 million at the time. It ranks
among the largest exploits in crypto history.

Thursday’s action is the first time the Treasury's sanctions office has
blacklisted an alleged Lazarus-held crypto wallet, a source in the tracing
industry told CoinDesk.

A Treasury Department spokesperson said the department had worked with the
FBI to investigate the Lazarus Group and Advanced Persistent Threat 38
(another North Korean entity believed to use malicious programming to steal
funds).

"Identification of the wallet will make clear to other VC actors, that by
transacting with it, they risk exposure to US sanctions. This demonstrates
Treasury’s commitment to use all available authorities to disrupt malicious
cyber actors and block ill-gotten criminal proceeds," the spokesperson
said. "There may be mandatory secondary sanctions requirements on persons
who knowingly, directly or indirectly, engage in money laundering, the
counterfeiting of goods or currency, bulk cash smuggling, or narcotics
trafficking that supports the Government of North Korea or any senior
official or person acting for or on behalf of that Government."

The spokesperson said anti-money laundering and countering the financing of
terrorists were "critical" chokepoints in preventing money laundering with
stolen funds, and called on the crypto industry to implement these types of
safeguards.