FBI Links North Korean Lazarus Hacking Group to Record-Setting Ronin Network Crypto Theft

by | Apr 26, 2022

A breach involving the popular NFT game “Axie Infinity” has been linked to North Korea’s state-backed hackers after an investigation by the FBI. The Lazarus hacking group is thought to be behind the crypto theft of over $600 million, the largest on record to hit a decentralized finance platform.

North Korean threat group named as leading suspect in crypto theft

The Lazarus hacking group appears to be the most likely party responsible for the April breach of the Ronin network, a bridge between the crypto platform and Axie Infinity. The NFT game has become the world’s most popular in recent months, pulling in about $1.3 billion in the past year.

The crypto theft occurred due to a social engineering attack that gave the hackers enough access to overcome the Ronin network’s “proof of authority” security system that relies on majority consensus to approve actions. The attacker leveraged dormant administrative accounts stolen from the NFT game to take over five of the nine validator nodes, allowing them use private keys to authorize fake transactions. The ability of the attackers to pull off an attack so easily raised alarms with security experts, given that Axie publisher Sky Mavis is a major player in the DeFi space.

The involvement of the Lazarus hacking group, which has been linked to numerous high-profile attacks for years, helps to explain how this all unfolded. The group is somewhat unique among state-backed attackers in its willingness to pull off high-profile heists, with the money used to fund the relatively isolated and impoverished North Korean regime. In this case the hackers were able to take at least $615 million, making this the largest crypto theft from a DeFi network in history and one of the largest to happen to any type of crypto platform.

The FBI named the Lazarus hacking group as the primary suspect after the Treasury Department found links between a wallet used to host the stolen funds and the threat actors. Parties that interact with this wallet are now subject to US sanctions.

Lazarus hacking group strikes again

There will be little recourse against the North Korean team, but the US is asking the United Nations Security Council to blacklist the Lazarus hacking group and order its assets to be frozen. No formal charges have been filed as of yet.

Lazarus has long been on the radar of international authorities, but its location in North Korea and the support of its government makes it nearly impossible to bring to justice. The group has been active for over a decade now and has tallied major breaches of Sony Pictures and a number of other organizations to collect a total of over a billion dollars. The group was also involved with the WannaCry ransomware outbreak of 2017.

The hackers will likely get away with this crypto theft too, as there are always exchanges around the world that pay no regard to international sanctions. Organizations that find themselves in the crosshairs of the group need to focus on defense, preventing them from getting in and getting access to valuables and sensitive information in the first place.

Recent Posts

How can we help?

4 + 12 =

× How can I help you?