More than $30 million seized from North Korean hackers involved in Axie crypto-theft
Image: Sky Mavis
Jonathan Greig September 8, 2022

More than $30 million seized from North Korean hackers involved in Axie crypto-theft

More than $30 million seized from North Korean hackers involved in Axie crypto-theft

More than $30 million worth of cryptocurrency allegedly stolen by hackers connected to the North Korean government has been seized by law enforcement agencies, according to a report from blockchain research company Chainalysis.

The funds were originally part of the more than $600 million stolen from popular decentralized finance (DeFi) platform Ronin Network in March. The Ronin Network underpins Axie Infinity, a play-to-earn blockchain game that is massively popular across the Philippines, Vietnam and several other Asian countries.

In April, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) attributed the hack — one of the largest DeFi thefts ever — to the notorious North Korea hacking group known as Lazarus.

The group has slowly siphoned off about 3,000 ETH — more than $9 million — every two to three days from the amount that was initially stolen, according to blockchain researchers at PeckShield. The funds were repeatedly sent to Tornado Cash, a cryptocurrency mixer that allows people to hide the origin of funds.

On Thursday, Chainalysis senior director of investigations Erin Plante said she joined developers behind the game at a conference to announce that tens of millions of dollars had been seized from the North Korean hackers with the help of law enforcement and leading organizations in the cryptocurrency industry.

The company did not respond to requests for comment about what agencies were involved in the seizure, why only $30 million was seized and when the seizure occurred.

But in a blog post, Plante said the seizure “marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized.”

“We’re confident it won’t be the last,” Plante added. 

Covering the tracks

The hackers used Tornado Cash to mix the stolen ether with other cryptocurrency and turned it all into Bitcoin, which was laundered a second time before it was converted fiat.

OFAC blacklisted Tornado Cash one month ago for its role in helping the hackers launder the stolen funds from Axie. One of the developers behind the service was arrested by Dutch authorities three weeks ago.

Plante said once they could no longer use the mixer service, North Korea’s Lazarus Group began leveraging several DeFi services to “chain hop” — a process she described as when hackers switch between several different kinds of cryptocurrencies in a single transaction.

“Bridges serve an important function to move digital assets between chains and most usage of these platforms is completely legitimate,” Plante explained. “Lazarus appears to be using bridges in an attempt to obscure source of funds.”

The hackers allegedly “carried out hundreds of similar transactions across several blockchains to launder the funds they stole from Axie Infinity, in addition to the more conventional Tornado Cash-based laundering.”

Plante noted that a significant portion of the funds stolen from Axie Infinity remain unspent in cryptocurrency wallets under the hackers’ control. 

In April, Binance CEO Changpeng Zhao said the cryptocurrency platform froze $5.8 million in funds from the Ronin Network theft.

North Korea and fund seizures

The U.S. government and several research organizations have repeatedly pointed the finger at Lazarus Group as the biggest culprit behind a spate of attacks on DeFi protocols over the last two years. 

Plante said Chainalysis estimates show that in 2022, North Korea-linked groups have stolen approximately $1 billion of cryptocurrency from DeFi protocols.

Juliane Gallina, associate deputy director within the CIA’s directorate of digital innovation, told an audience at the Billington Cybersecurity conference on Thursday that North Korea spends an estimated $700 million on its nuclear weapons program, almost all of which is covered through their cryptocurrency hacks. 

Seizing cryptocurrency stolen during attacks or paid in ransoms following ransomware attacks is a tactic the U.S. government has quietly been using more frequently to help victims. 

The Justice Department made waves last year when it announced that it recovered the vast majority of the $4.3 million that Colonial Pipeline paid to a ransomware gang. 

In July, Deputy Attorney General Lisa Monaco said the Justice Department seized and returned about $500,000 paid to a ransomware group connected to the North Korean government after two attacks on U.S. healthcare facilities last year.

Adam Hickey, deputy assistant attorney general at the Justice Department touted the government’s work in learning to “recapture the fruits of the crime wherever we can.”

“When victims come to us in the early stages of a ransomware attack and share information with us about what wallet they sent a ransom to, that can enable us potentially to recoup that ransom down the line as we did in the case of Colonial Pipeline and money stolen from cryptocurrency exchanges, as we’ve done in some recent instances,” Hickey said at the Billington conference. 

“Getting the money back is now part of what we can do.”

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.