Law enforcement officers, with the assistance of Chainalysis, an analytical blockchain company, arrested more than $30 million worth of cryptocurrency stolen during the Ronin sidechain hack in March.
15/ This seizure represents a huge milestone: The first time ever that cryptocurrency stolen by a North Korean hacking group has been recovered. Check out our latest blog for the full story. https://t.co/lpbFUlXNJt
— Chainalysis (@chainalysis) September 8, 2022
The attack by North Korean hackers from the Lazarus Group on the network involved in the game Axie Infinity has become one of the largest in the industry. The attackers gained access to five of the nine validator keys. They used the majority to approve two withdrawal transactions: 173,600 ETH and 25.5 million USDC. The value of the stolen assets at that time was $625 million.
After the hack, the hackers began a money laundering process that involved more than 12,000 different crypto addresses, Chainalysis noted.
Researchers have identified a typical crypto asset legalization scheme used by a North Korean group. According to them, it consisted of five stages:
- stolen ether was sent to intermediate wallets;
- coins were passed in batches through the Tornado Cash mixing service;
- the asset was exchanged for bitcoin;
- digital gold was sent to the cryptocurrency mixer;
- in the last phase, bitcoin was deposited on trading platforms for cashing out.
According to Chainalysis, the hackers replicated this process with most of the stolen funds.
In early August, the US Treasury imposed sanctions against Tornado Cash for laundering cryptocurrencies, including those associated with the Lazarus Group, in the amount of over $455 million. From that moment on, the group began to use DeFi services instead of the Ethereum mixer for transitions between blockchains and various types of cryptocurrencies in one transaction .
As an example, the researchers cited one of these transactions with stolen funds. During it, the hackers sent ETH from the Ethereum blockchain across the bridge to the BNB Chain, exchanged it for USDD, and transferred the stablecoins to the BitTorrent network.
The researchers noted that the inherent transparency of cryptocurrencies has greatly contributed to the tracking of stolen assets. The arrest of an amount of more than $30 million was the result of the cooperation of the Chainalysis team with law enforcement officers and coordination of actions with trading platforms, where the funds were received for cashing out.
According to the company, this is the first case of confiscation of a cryptocurrency associated with the Lazarus Group.
Most of the assets stolen from Ronin remain in wallets controlled by attackers, experts emphasized.
Researcher ₿liteZero from SlowMist also concluded that the sidechain crackers transferred a significant part of the cryptocurrency into bitcoin using transaction confidentiality tools.
Stay in touch! Subscribe to World Stock Market at Telegram.