• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

APT42 impersonates cyber professionals to phish Israeli academics and journalists

 | 

Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

 | 

Cisco fixed critical ISE flaws allowing Root-level remote code execution

 | 

U.S. CISA adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog

 | 

CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

 | 

Hackers deploy fake SonicWall VPN App to steal corporate credentials

 | 

Mainline Health Systems data breach impacted over 100,000 individuals

 | 

Disrupting the operations of cryptocurrency mining botnets

 | 

Prometei botnet activity has surged since March 2025

 | 

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Iran confirmed it shut down internet to protect the country against cyberattacks

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Digital ID
  • Hacking
  • Security
  • $30 Million worth of cryptocurrency stolen by Lazarus from Axie Infinity was recovered

$30 Million worth of cryptocurrency stolen by Lazarus from Axie Infinity was recovered

Pierluigi Paganini September 09, 2022

US authorities recovered more than $30 million worth of cryptocurrency stolen by the North Korea-linked Lazarus APT from Axie Infinity.

A joint operation conducted by enforcement and leading organizations in the cryptocurrency industry allowed to recover more than $30 million worth of cryptocurrency stolen by North Korean-linked APT group Lazarus from online video game Axie Infinity.

In March, threat actors stole almost $625 million in Ethereum and USDC (a U.S. dollar pegged stablecoin) tokens from Axie Infinity’s Ronin network bridge. The attack took place on March 23rd, but the cyber heist was discovered after a user was unable to withdraw 5,000 ether.

The Ronin Network is an Ethereum-linked sidechain used for the blockchain game Axie Infinity.

axie infinity arena Ronin

The attackers have stolen roughly 173,600 ether and 25.5 million USDC.

According to a post published by Blockchain security firm Chainalysis, its Crypto Incident Response team played a role in these seizures, providing its advanced tracing techniques to follow stolen funds to cash out points. 

“The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains,” reads a post published by Chainalysis.

A report from The Block published in July and citing two people familiar with the matter revealed that threat actors targeted a senior engineer at the company with a fake job offer via LinkedIn.

The attackers offered a job with an extremely generous compensation package to a Sky Mavis engineer.

A PDF containing the offer was sent to the employee, once opened the file spyware compromised his system and infiltrate Ronin’s network. Once inside the company infrastructure, the threat actors were able to take over four out of nine validators on the Ronin network.

In April, the U.S. government blamed North Korea-linked APT Lazarus for the Ronin Validator cyber heist.

In July, the U.S. Treasury announced in a notice the sanctions against the Ethereum address used by the North Korea-linked APT to receive the stolen funds. US organizations are forbidden to conduct any transactions with the above address.

Chainalysis’s report state that the attack began when the Lazarus Group gained access to five of the nine private keys held by transaction validators for Ronin Network’s cross-chain bridge. Then the APT group used them to approve two transactions, both withdrawals: one for 173,600 ether (ETH) and the other for 25.5 million USD Coin (USDC). Chainalysis began tracing the funds when the group initiated their laundering process. The group has highly sophisticated laundering capabilities, it leveraged over 12,000 different crypto addresses to date.

The DeFi laundering technique usually adopted by Lazarus is composed of five stages: 

  1. Stolen Ether sent to intermediary wallets
  2. Ether mixed in batches using Tornado Cash
  3. Ether swapped for bitcoin
  4. Bitcoin mixed in batches
  5. Bitcoin deposited to crypto-to-fiat services for cashout

This process was also used to launder large portions of Ronin’s stolen funds.

axie ronin

After the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned in August the crypto mixer service Tornado Cash, the Lazarus APT Group started using DeFi services such as crypto bridges to launder the funds.

“Above, we see that the hacker bridged ETH from the Ethereum blockchain to the BNB chain and then swapped that ETH for USDD, which was then bridged to the BitTorrent chain. Lazarus Group carried out hundreds of similar transactions across several blockchains to launder the funds they stole from Axie Infinity, in addition to the more conventional Tornado Cash-based laundering we covered above.” continues the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

APT Axie Infinity DeFi Hacking hacking news information security news IT Information Security Pierluigi Paganini Security News

you might also like

Pierluigi Paganini June 27, 2025
APT42 impersonates cyber professionals to phish Israeli academics and journalists
Read more
Pierluigi Paganini June 26, 2025
Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    APT42 impersonates cyber professionals to phish Israeli academics and journalists

    APT / June 27, 2025

    Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

    Cyber Crime / June 26, 2025

    Cisco fixed critical ISE flaws allowing Root-level remote code execution

    Security / June 26, 2025

    U.S. CISA adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog

    Security / June 26, 2025

    CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

    Hacking / June 26, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT