US links North Korea’s Lazarus Group to $625m crypto theft from Ronin

15 Apr 2022

Image: © JorgeEduardo/

The US Treasury and FBI linked the incident to the hacker group, which was previously blamed for the notorious WannaCry cyberattack in 2017.

The massive hack that saw more than $600m worth of cryptocurrency stolen from gaming-focused blockchain network Ronin last month has been linked to North Korean hacker group Lazarus.

Ronin, which is used for the NFT-based game Axie Infinity, said on its Substack that the FBI attributed the Lazarus Group to the security breach and that the US Treasury Department has sanctioned the address that received the stolen funds.

The FBI said in a statement yesterday (14 April) that through an investigation it was able to confirm that Lazarus and APT38, cyber actors “associated with” North Korea, were responsible for the threat.

The US Treasury also said it identified the digital currency address being used by the hackers as being under the control of the notorious North Korean group, and added the address to the sanctions listing for Lazarus.

A treasury spokesperson told Reuters the North Korean government has become reliant on “illicit activities” such as cybercrime to try evade US and UN sanctions while it generates revenue for its ballistic missile programmes.

The Lazarus Group was blamed for the notorious WannaCry cyberattack in 2017, which was unprecedented in scale at the time and wreaked havoc around the globe. This group is also believed to be behind the infamous hack of Sony Pictures Entertainment in 2014.

‘The largest-ever DeFi exploit’ went unnoticed for a week

On 29 March, Ronin said 173,600 Ethereum and 25.5m USDC – a stablecoin linked to the US dollar – were drained in two transactions.

Crypto analysis firm Chainalysis, which said it was tracking the stolen funds on Ronin’s behalf, tweeted that the hack was worth more than $625m, making it “the largest-ever DeFi exploit” recorded.

Ronin said validator nodes for Sky Mavis – the operator of Ronin and Axie Infinity – and Axie DAO validator nodes were compromised on 23 March. But it did not notice the breach until a week later, when a user reported they could not withdraw 5,000 Ethereum from the blockchain network’s bridge.

Last week, Sky Mavis announced a $150m funding round led by Binance. Ronin said this investment will be used along with Sky Mavis and Axie’s current balance sheet funds to reimburse users affected by the crypto theft.

Even though security is often seen as one of the major benefits of blockchain, cyberattacks are becoming more sophisticated all the time and major hacks have occurred in recent months.

One of the world’s largest cryptocurrency trading platforms by volume, Bitmart, was targeted last December by unidentified hackers, which lead to an estimated $196m worth of assets being stolen. Last August, an attack on decentralised finance platform Poly Network saw more than $600m in cryptocurrency stolen by exploiting a vulnerability in its system.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic