• US Treasury department alleges that North Korea-based Lazarus Group is behind the theft
  • Ronin is still in the process of recovering funds, it said

The Office of Foreign Assets Control has sanctioned Lazarus Group, the North Korea-based hacker the US Department of the Treasury claims is responsible for the $625 million Ronin Bridge hack in March. 

On Thursday, the Treasury department announced that the ethereum address, which wallet profiler Nansen has labeled “Ronin Bridge Exploiter,” allegedly behind the hack was added to the Specially Designated Nationals And Blocked Persons List (SDN). 

Ronin Network, an Ethereum-linked sidechain used for blockchain gaming group Axie Infinity, was breached in late March for roughly $600 million, or 173,600 ether, and $25.5 million USDC. 

At time of publication, the wallet address holds $445.3 million, according to Etherscan. The hackers have been moving funds around since the breach occurred, data shows. 

The exploiter used hacked private keys to forge withdrawals on March 23, according to a statement from Ronin at the time. The breach was discovered nearly a week after the hack when a user was unable to withdraw 5,000 ETH.

The hackers tried to sell about 6,500 stolen ETH in March, transferring the tokens to three different exchanges, according to William Quigley, co-founder of stablecoin Tether and non-fungible token (NFT) blockchain platform WAX. All of the stolen USDC was transferred out to various wallets and DeFi protocols, Etherscan data shows.

Earlier this month, Sky Mavis, the company behind the Ronin Network bridge, announced it had raised $150 million to help reimburse affected users. And in a blog post, Axie Infinity admitted it had “made some trade-offs” that enabled the hack to take place. 

Data shows that more than 3,000 ETH, or about $9.9 million, was moved from the wallet Wednesday into another address that then transferred the ETH in increments of 100 to several different wallets. 

“We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk,” representatives from Ronin wrote in a community update post on Thursday. “Expect the bridge to be deployed by end of month.”


Attend DAS:LONDON and hear how the largest TradFi and crypto institutions see the future of crypto’s institutional adoption. Register here.


  • Blockworks
    Senior Reporter
    Casey Wagner is a New York-based business journalist covering regulation, legislation, digital asset investment firms, market structure, central banks and governments, and CBDCs. Prior to joining Blockworks, she reported on markets at Bloomberg News. She graduated from the University of Virginia with a degree in Media Studies. Contact Casey via email at [email protected]