The US Federal Bureau of Investigation (FBI) has linked a $757 million cryptocurrency theft last month to North Korean hackers after more than 173,000 Ethereum was stolen from a blockchain tied to the popular non-fungible token (NFT) game Axie Infinity.
On Friday, the FBI posted a short notice confirming that the known North Korean hacker group from advanced persistent threat 38 (APT 38) – also known as the Lazarus Group – was behind one of the largest single cryptocurrency thefts of all time.
In late March, Lazarus exploited the Ronin bridge, moving 174,600 Ethereum and 25.5 million of the USDC stablecoin in two transactions that bled the service dry.
Bridges are used to move crypto tokens and other assets between blockchain networks.
Ronin is known as the bridge for players of Axie Infinity, an NFT game especially popular in the Philippines where people have been earning small incomes from gaming, to cash out from the native AXS token.
“The attacker used hacked private keys in order to forge fake withdrawals,” Ronin said in a blog post about the incident.
Sky Mavis, the Vietnamese company that runs Axie Infinity, runs its own blockchain on Ronin with nine validator nodes.
Validator systems are typically designed such that a fraudulent transaction recognised by one validator doesn’t get stamped onto the blockchain unless it gets approved by at least a majority – in the case of Sky Mavis’s chain on the Ronin bridge, five out of nine validator nodes have to approve every deposit and withdrawal.
Lazarus gained access to five of those nine validator nodes and withdrew a massive amount of cryptocurrency without the network noticing any malicious activity.
It was only when another user tried unsuccessfully to move five Ethereum ($20,000) from Ronin that developers finally cottoned on to the heist.
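To make the five-of-nine approval rule and the detection gap concrete, the following added example (not Ronin's or Sky Mavis's code) models a threshold-approved withdrawal check and pairs it with a reserve-drain monitor that is independent of the signature count. It assumes HMAC-based per-validator signatures as a stand-in for the bridge's real validator signatures, and constructed validator keys, amounts and addresses.

```python
import hashlib
import hmac
from dataclasses import dataclass

THRESHOLD = 5   # approvals required: the article's five-of-nine rule
VALIDATORS = 9

# Constructed validator keys. A real bridge uses asymmetric signing keys;
# HMAC over a per-validator secret is a simplification for this example.
VALIDATOR_KEYS = {i: f"validator-{i}-secret".encode() for i in range(VALIDATORS)}


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    amount_eth: float
    nonce: int

    def digest(self) -> bytes:
        # Nonce is part of the signed message so an approval cannot be replayed.
        msg = f"{self.recipient}|{self.amount_eth}|{self.nonce}".encode()
        return hashlib.sha256(msg).digest()


def sign(validator_id: int, tx: Withdrawal) -> bytes:
    return hmac.new(VALIDATOR_KEYS[validator_id], tx.digest(), hashlib.sha256).digest()


def count_valid_approvals(tx: Withdrawal, sigs: dict) -> int:
    # One vote per validator id (dict keys are unique), counted only when the
    # signature verifies against that validator's key.
    return sum(
        1 for vid, sig in sigs.items()
        if vid in VALIDATOR_KEYS and hmac.compare_digest(sign(vid, tx), sig)
    )


def threshold_ok(tx: Withdrawal, sigs: dict) -> bool:
    # This is the only check the article describes the bridge enforcing: once
    # five keys sign, the withdrawal is valid as far as the protocol is concerned.
    return count_valid_approvals(tx, sigs) >= THRESHOLD


def reserve_alert(tx: Withdrawal, reserve_eth: float, max_fraction: float = 0.10) -> bool:
    # Defensive monitor that does not depend on key integrity: any single
    # withdrawal taking more than max_fraction of the bridge's reserves is
    # flagged for human review even when the signature threshold is met.
    return tx.amount_eth > reserve_eth * max_fraction
```

A withdrawal that drains the bridge passes `threshold_ok` once five keys sign it, which is why a reserve-based alert (or a similar out-of-band rate limit) is what would have surfaced the activity before a user's failed transfer did.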
Sky Mavis CEO Nguyen Thanh Trung said he was “upset and angry” about the attack.
“This is the money of many players and investors and could have a direct impact on their lives,” he told a public forum last week, according to Vietnamese news site VnExpress.
Most of the stolen Ethereum (134,707 – today worth around $560 million) is still sitting in the hacker’s wallet, as visible on Etherscan.
Lazarus will now be looking for ways to move its stolen cryptocurrency despite being blacklisted by major exchanges and closely monitored by law enforcement around the world.
This is not an unfamiliar process for the group, which stole some $620 million worth of cryptocurrency in 2021, running it through decentralised exchanges and mixers in an attempt to launder the crypto and ramp it back onto the global financial market.
There are concerns North Korea funds its nuclear and long-range missile programs through cybercrime activities using sophisticated hacking techniques.
Hackers from the rogue state were pioneers of ransomware, launching WannaCry attacks around the world, locking up systems and demanding payment in bitcoin.