Binance freezes stolen Axie Infinity crypto after North Korean hackers move funds

Binance CEO Changpeng Zhao said the cryptocurrency platform has frozen $5.8 million in funds that were stolen from popular DeFi platform Ronin Network by cybercriminals connected to the North Korean government. 

The US Treasury also expanded its sanctions against the group to include new addresses being used to launder the money.

More than $540 million worth of Ethereum and US dollar-pegged stablecoin USDC was stolen on March 29 from Ronin Network, which underpins the Axie Infinity game. 

In a tweet on Friday, Zhao said, “the DPRK hacking group started to move their Axie Infinity stolen funds today.” 

“Part of it made to Binance, spread across over 86 accounts. $5.8M has been recovered. We done this many times for other projects in the past too,” Zhao explained. 

The DPRK hacking group started to move their Axie Infinity stolen funds today. Part of it made to Binance, spread across over 86 accounts. $5.8M has been recovered. We done this many times for other projects in the past too. Stay #SAFU.

— CZ Binance (@cz_binance) April 22, 2022

Last week, the US Treasury’s Office of Foreign Assets Control (OFAC) attributed the hack – one of the largest decentralized finance (DeFi) thefts ever – to notorious North Korean APT group Lazarus.

Over the past two weeks, the group has slowly siphoned off about 3,000 ETH – more than $9 million – every two to three days from the amount that was initially stolen, according to blockchain researchers at PeckShield. 

The funds have repeatedly been sent to Tornado Cash, a cryptocurrency mixer that allows people to hide the origin of funds. As of April 9, PeckShield said the hackers had laundered about 7.5% of the stolen funds and still had around 159,710 ETH – or $512 million – in the wallet. 

By April 14, blockchain analysis firm Elliptic said the hackers had laundered about 18% of their stolen funds. 

OFAC issued sanctions last week against the addresses connected to the theft, hoping that would stop the hackers from being able to launder the money. But on Friday, the group transferred 300 ETH to a new address, according to PeckShield. 

#PeckShieldAlert @Ronin_Network exploiters already transferred ～300 $ETH into @TornadoCash through this new address. It seems like hackers find a way to bypass Sanctions Oracle by transferring to new addresses before labeled as an address that included in a sanctions designation https://t.co/AruBGq89d9 pic.twitter.com/Bg7eIq6uGH

— PeckShieldAlert (@PeckShieldAlert) April 22, 2022

Chainalysis, a company that tracks illegal blockchain transactions, noted that in addition to Binance’s actions, the OFAC added three additional ETH addresses to the Lazarus Group SDN list entry. 

Chainalysis said in a January report that hackers working for the North Korean government are believed to have stolen almost $400 million worth of cryptocurrency from seven hacked companies throughout 2021.

Chainalysis attributed all these attacks to the Lazarus Group, a generic term that is often used to describe multiple North Korean threat actors.

Elliptic added that there has been an increase in North Korean missile tests in recent months, noting that many experts believe the country funds its weapons programs through its DeFi hacks. 

“There is still work to be done to disrupt troubling trends in crypto hacking. The abuse of DeFi and DPRK’s role has both consumer protection and national security implications,” Chainalysis said.