Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector

The U.S. Treasury Department has implicated the North
Korea-backed Lazarus Group (aka Hidden Cobra) in the theft of $540
million from video game Axie Infinity’s Ronin Network last
month.

On Thursday, the Treasury tied^[1]
the Ethereum wallet address^[2]
that received the stolen funds to the threat actor and sanctioned
the funds by adding the address to the Office of Foreign Assets
Control’s (OFAC) Specially Designated Nationals (SDN^[3]) List.

“The FBI, in coordination with Treasury and other U.S.
government partners, will continue to expose and combat the DPRK’s
use of illicit activities – including cybercrime and cryptocurrency
theft – to generate revenue for the regime,” the intelligence and
law enforcement agency said^[4]
in a statement.

The cryptocurrency heist, the second-largest^[5]
cryptocurrency theft^[6]
to date, involved the siphoning of 173,600 Ether (ETH) and 25.5
million USD Coins from the Ronin cross-chain bridge, which allows
users to transfer their digital assets from one crypto network to
another, on March 23, 2022.

“The attacker used hacked private keys in order to forge fake
withdrawals,” the Ronin Network explained^[7]
in its disclosure report a week later after the incident came to
light.

The sanctions prohibit U.S. individuals and entities from
transacting with the address in question to ensure that the
state-sponsored group can’t cash out any further funds. An analysis
by Elliptic has found that the actor has managed to launder 18% of
the siphoned digital funds (about $97 million) as of April 14.

“First, the stolen USDC was swapped for ETH through
decentralized exchanges (DEXs) to prevent it from being seized,”
Elliptic noted^[8]. “By converting the
tokens at DEXs, the hacker avoided the anti-money laundering (AML)
and ‘know your customer’ (KYC) checks performed at centralized
exchanges.”

Nearly $80.3 million of the laundered funds have involved the
use of Tornado Cash, a mixing service on the Ethereum blockchain
designed to obscure the trail of funds, with another $9.7 million
worth of ETH likely to be laundered in the same manner.

Lazarus Group, an umbrella name^[9]
assigned to prolific state-sponsored actors operating on behalf of
North Korean strategic interests, has a track record of conducting
cryptocurrency thefts since at least 2017 to bypass sanctions and
fund the country’s nuclear and ballistic missile programs.

“The country’s espionage operations are believed to be
reflective of the regime’s immediate concerns and priorities, which
is likely currently focused on acquiring financial resources
through crypto heists, targeting of media, news, and political
entities, [and] information on foreign relations and nuclear
information,” Mandiant pointed out in a recent deep dive.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
has painted^[10] the cyber actors as an
increasingly sophisticated group that has developed and deployed a
wide range of malware tools around the world to facilitate these
activities.

The group is known to have plundered^[11] an estimated $400
million worth of digital assets from crypto platforms in 2021,
marking a 40% jump from 2020, according to Chainalysis, which found
“only 20% of the stolen funds were Bitcoin, [and that] Ether
accounted for a majority of the funds stolen at 58%.”

Despite sanctions^[12] imposed by the U.S.
government on the hacking collective, recent campaigns undertaken
by the group have capitalized^[13] on trojanized
decentralized finance (DeFi) wallet apps to backdoor Windows
systems and misappropriate funds from unsuspecting users.

That’s not all. In another cyber offensive disclosed by Broadcom
Symantec this week, the actor has been observed^[14] targeting South Korean
organizations operating within the chemical sector in what appears
to be a continuation of a malware campaign dubbed “Operation Dream Job^[15],” corroborating
findings from Google’s Threat Analysis Group in March 2022.

The intrusions, detected earlier this January, commenced with a
suspicious HTM file received either as a link in a phishing email
or downloaded from the internet that, when opened, triggers an
infection sequence, ultimately leading to the retrieval of a
second-stage payload from a remote server to facilitate further
incursions.

The goal of the attacks, Symantec assessed, is to “obtain
intellectual property to further North Korea’s own pursuits in this
area.”

The continuous onslaught of illicit activities perpetrated by
the Lazarus Group has also led the U.S. State Department to
announce^[16] a $5 million reward for
“information that leads to the disruption of financial mechanisms
of persons engaged in certain activities that support North
Korea.”

The development comes days after a U.S. court in New York
sentenced^[17] Virgil Griffith, a
39-year-old former Ethereum developer, to five years and three
months in prison for helping North Korea use virtual currencies to
evade sanctions.

To make matters worse, malicious actors have pilfered $1.3
billion worth of cryptocurrency in the first three months of 2022
alone, in comparison to $3.2 billion that was looted for the
entirety of 2021, indicating a “meteoric rise” in thefts from
crypto platforms.

“Almost 97% of all cryptocurrency stolen in the first three
months of 2022 has been taken from DeFi protocols, up from 72% in
2021 and just 30% in 2020,” Chainalysis said^[18] in a report published
this week.

“For DeFi protocols in particular, however, the largest thefts
are usually thanks to faulty code. Code exploits and flash loan
attacks — a type of code exploit involving the manipulation of
cryptocurrency prices — has accounted for much of the value stolen
outside of the Ronin attack,” the researchers said.