Treasury Sanctions North Korean Hacker Group, Confirms Ties to $625M Theft
Hackers stole $625 million last month from the Ronin Network, a sidechain used for play-to-earn game Axie Infinity
Blockworks Exclusive art by axel rangel
key takeaways
- US Treasury department alleges that North Korea-based Lazarus Group is behind the theft
- Ronin is still in the process of recovering funds, it said
The Office of Foreign Assets Control has sanctioned Lazarus Group, the North Korea-based hacker the US Department of the Treasury claims is responsible for the $625 million Ronin Bridge hack in March.
On Thursday, the Treasury department announced that the ethereum address, which wallet profiler Nansen has labeled “Ronin Bridge Exploiter,” allegedly behind the hack was added to the Specially Designated Nationals And Blocked Persons List (SDN).
Ronin Network, an Ethereum-linked sidechain used for blockchain gaming group Axie Infinity, was breached in late March for roughly $600 million, or 173,600 ether, and $25.5 million USDC.
At time of publication, the wallet address holds $445.3 million, according to Etherscan. The hackers have been moving funds around since the breach occurred, data shows.
The exploiter used hacked private keys to forge withdrawals on March 23, according to a statement from Ronin at the time. The breach was discovered nearly a week after the hack when a user was unable to withdraw 5,000 ETH.
The hackers tried to sell about 6,500 stolen ETH in March, transferring the tokens to three different exchanges, according to William Quigley, co-founder of stablecoin Tether and non-fungible token (NFT) blockchain platform WAX. All of the stolen USDC was transferred out to various wallets and DeFi protocols, Etherscan data shows.
Earlier this month, Sky Mavis, the company behind the Ronin Network bridge, announced it had raised $150 million to help reimburse affected users. And in a blog post, Axie Infinity admitted it had “made some trade-offs” that enabled the hack to take place.
Data shows that more than 3,000 ETH, or about $9.9 million, was moved from the wallet Wednesday into another address that then transferred the ETH in increments of 100 to several different wallets.
“We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk,” representatives from Ronin wrote in a community update post on Thursday. “Expect the bridge to be deployed by end of month.”
Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.
Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.
Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.
The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.
