North Korean Hackers Responsible for Last Month’s Ronin Theft, FBI Confirms

Hacker collectives Lazarus Group and APT38 ar responsible for the theft, the FBI said


Blockworks Exclusive art by axel rangel


key takeaways

  • The Lazarus Group and APT38 have been named as those responsible for the theft
  • Exploiters used hacked private keys to forge withdrawals on March 23, Ronin said

The US Federal Bureau of Investigation has placed “cyber actors” from North Korea at the heart of last month’s $625 million hack on the Ethereum-linked sidechain Ronin Network.

Through an investigation, the agency said it was able to “confirm” hacker collectives Lazarus Group and APT38 are responsible for the theft of hundreds of millions of dollars in crypto, a Thursday statement reads.

Exploiters, according to Ronin, used hacked private keys to forge withdrawals on March 23. The breach wasn’t discovered until several days later, when a user was unable to withdraw 5,000 ETH.

State-sponsored Lazarus has been accused of multiple digital asset-based hacks, including a year-long endeavor beginning in 2017 in which the group reportedly managed to siphon off $571 million.

The Treasury Department last week sanctioned the hacking collective and the Ethereum address allegedly behind the theft.

As part of its efforts to combat blockchain-related crime, the FBI established a new unit last month led by Eun Young Choi, a former senior counsel to the deputy attorney general.

The group, along with APT38, operates at the behest of the Democratic People’s Republic of Korea (DPRK) under dictator Kim Jong Un. The isolated northern nation on the Korean Peninsula is strangled by economic sanctions and threatened by military encirclement from Western allies over its continued use of nuclear arms.

Cryptocurrency is viewed by some experts as a means to circumvent capital controls and economic sanctions, as well as to hide the wealth of North Korea’s political elite. It has also been speculated it is one of several mechanisms that fund Kim’s heavily sanctioned regime.

“The FBI…will continue to expose and combat the DPRK’s use of illicit activities – including cybercrime and cryptocurrency theft,” the statement said.

Don’t miss the next big story – join our free daily newsletter.


Upcoming Events

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

MON - WED, MARCH 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience:  Attend expert-led panel discussions and fireside chats  Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts   Grow your network […]

recent research

Pyth Cover.jpg


Pyth is a low latency pull-based oracle. In a future that looks increasingly high frequency, with various alt L1s and L2s that have significantly shorter block times than Ethereum, and an explosion of “high-frequency” protocols such as oracle or CLOB perp DEXs, Pyth’s low latency oracle product looks much better positioned to capture a significant amount of market share in comparison to competitors.


It’s unclear what “actions” the CFTC, DOJ and Treasury will announce Tuesday afternoon


Some 18,000 accounts have already sent $27 million in crypto to a one-way bridge controlled by a Blast multisig


Telegram bots have seen a cumulative trading volume of over $4 billion


Avalanche has been inundated with transactions for inscriptions, similar to the Ordinals that already hit Bitcoin, Litecoin and Dogecoin


Like much of the tech world, crypto’s use of ChatGPT has been growing. Despite founder Sam Altman’s ouster, decentralized AI projects don’t seem ready to replace it


The allegations came in a new lawsuit filed by the US securities regulator on Monday