Feds recover $30 million in cryptocurrency stolen by North Korean hackers

Cryptocurrency analysis firm Chainalysis said on Thursday it helped the US government seize $30 million worth of digital coins that North Korean-backed hackers stole from the game developer earlier this year. based on non-fungible tokens. Axie Infinite.

Taking into account the more than 50% drop in cryptocurrency prices since the theft in March, the seizure represents only about 12% of the total funds stolen. The people who pulled off the heist transferred 173,600 ethereum worth around $594 million at the time and $25.5 million in USDC stablecoins, making it one of the biggest thefts in cryptocurrency ever made.

Harder to hide

The foreclosures “demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains,” wrote Erin Plante, senior director of investigations at Chainalysis. “We have proven that with the right blockchain analysis tools, world class investigators and compliance professionals can work together to stop even the most sophisticated hackers and launderers.

The FBI attributed the theft to Lazarus, the name used to track down a hacking group backed by and working on behalf of the North Korean government. According Axie Infinity Developer Sky Mavis, the hackers succeeded in the transfers after gaining access to five of the nine private keys held by transaction validators for Ronin Networks’ Cross-Bridge, a blockchain dedicated to gaming.

The hackers then launched an elaborate laundering process that involved transferring funds to over 12,000 addresses in different currencies in an effort to obscure the movement of the stolen coins.

In Thursday’s post, Plante wrote:

North Korea’s typical DeFi laundering technique involves about five steps:

1. Stolen Ether sent to intermediary wallets
2. Ether mixed in batches using Tornado Cash
3. Ether exchanged for bitcoin
4. Batch Mixed Bitcoin
5. Bitcoin deposited on crypto-fiat services for cashing out

Last month, the US Treasury Department sanctioned virtual currency mixer Tornado Cash after discovering it had been used to launder more than $7 billion in virtual currency since its inception in 2019. $455 million of that amount were linked to the robbery against Axie Infinity.

Plante continues:

Since then, Lazarus Group has moved away from the popular Ethereum mixer, instead leveraging DeFi services to chain jumps or switch between multiple types of cryptocurrencies in a single transaction. Bridges serve an important function in moving digital assets between chains and most uses of these platforms are completely legitimate. Lazarus appears to be using bridges in an attempt to obscure the source of the funds. With Chainalysis tools, these cross-chain fund movements are easily traced.

We can use Chainalysis Storyline to see an example of how the Lazarus Group used chain hopping to launder some of the stolen funds from Axie Infinity:

Above we see that the hacker linked ETH from the Ethereum blockchain to the BNB chain and then exchanged this ETH for USDD, which was then linked to the BitTorrent chain. The Lazarus Group performed hundreds of similar transactions across multiple blockchains to launder stolen funds. Axie Infinityin addition to the more conventional Tornado Cash-based laundering we’ve covered above.

On Twitter, Ronin Networks said, “It will take time for these funds to be returned to the Treasury.” Plante said much of the stolen funds remain in wallets under the hackers’ control. “We look forward to continuing to work with the cryptocurrency ecosystem to prevent them and other illicit actors from cashing out their funds.”