$30 Million worth of cryptocurrency stolen by Lazarus from Axie Infinity was recovered

US authorities recovered more than $30 million worth of cryptocurrency stolen by the North Korea-linked Lazarus APT from Axie Infinity.

A joint operation conducted by enforcement and leading organizations in the cryptocurrency industry allowed to recover more than $30 million worth of cryptocurrency stolen by North Korean-linked APT group Lazarus from online video game Axie Infinity.

In March, threat actors stole almost $625 million in Ethereum and USDC (a U.S. dollar pegged stablecoin) tokens from Axie Infinity’s Ronin network bridge. The attack took place on March 23rd, but the cyber heist was discovered after a user was unable to withdraw 5,000 ether.

The Ronin Network is an Ethereum-linked sidechain used for the blockchain game Axie Infinity.

The attackers have stolen roughly 173,600 ether and 25.5 million USDC.

According to a post published by Blockchain security firm Chainalysis, its Crypto Incident Response team played a role in these seizures, providing its advanced tracing techniques to follow stolen funds to cash out points. 

“The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains,” reads a post published by Chainalysis.

A report from The Block published in July and citing two people familiar with the matter revealed that threat actors targeted a senior engineer at the company with a fake job offer via LinkedIn.

The attackers offered a job with an extremely generous compensation package to a Sky Mavis engineer.

A PDF containing the offer was sent to the employee, once opened the file spyware compromised his system and infiltrate Ronin’s network. Once inside the company infrastructure, the threat actors were able to take over four out of nine validators on the Ronin network.

In April, the U.S. government blamed North Korea-linked APT Lazarus for the Ronin Validator cyber heist.

In July, the U.S. Treasury announced in a notice the sanctions against the Ethereum address used by the North Korea-linked APT to receive the stolen funds. US organizations are forbidden to conduct any transactions with the above address.

Chainalysis’s report state that the attack began when the Lazarus Group gained access to five of the nine private keys held by transaction validators for Ronin Network’s cross-chain bridge. Then the APT group used them to approve two transactions, both withdrawals: one for 173,600 ether (ETH) and the other for 25.5 million USD Coin (USDC). Chainalysis began tracing the funds when the group initiated their laundering process. The group has highly sophisticated laundering capabilities, it leveraged over 12,000 different crypto addresses to date.

The DeFi laundering technique usually adopted by Lazarus is composed of five stages: 

1. Stolen Ether sent to intermediary wallets
2. Ether mixed in batches using Tornado Cash
3. Ether swapped for bitcoin
4. Bitcoin mixed in batches
5. Bitcoin deposited to crypto-to-fiat services for cashout

This process was also used to launder large portions of Ronin’s stolen funds.

After the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned in August the crypto mixer service Tornado Cash, the Lazarus APT Group started using DeFi services such as crypto bridges to launder the funds.

“Above, we see that the hacker bridged ETH from the Ethereum blockchain to the BNB chain and then swapped that ETH for USDD, which was then bridged to the BitTorrent chain. Lazarus Group carried out hundreds of similar transactions across several blockchains to launder the funds they stole from Axie Infinity, in addition to the more conventional Tornado Cash-based laundering we covered above.” continues the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)

[adrotate banner=”5″]

[adrotate banner=”13″]