Official Axie Infinity website displayed on monitor showing suspected crypto theft by Lazarus hacking group

North Korea’s Lazarus Hacking Group Named as Potential Culprit Behind Record-setting Crypto Theft

The United States Treasury Department has linked North Korea’s state-sponsored Lazarus hacking group to the March 2022 breach of the Ronin network, the decentralized cryptocurrency platform primarily used as a bridge to fund the popular “Axie Infinity” game. The crypto theft was the largest to ever happen to a DeFi platform in terms of unrecovered funds, and one of the largest to happen in the history of cryptocurrency.

North Korean hackers have long been known to use cyber crime to fund the regime, which struggles economically under international sanctions and trade restrictions. About $615 million in assorted cryptocurrencies was stolen in late March as the attackers reportedly managed to social engineer employees into granting access to dormant accounts with high-level privileges.

Lazarus hacking group named in Axie Infinity breach

The US Treasury has not formally named the Lazarus hacking group as the culprit, but issued a statement indicating that the hackers used a digital currency wallet known to be used by North Korea’s state-sponsored teams. Interactions with that wallet can now expose trading partners to sanctions. And though formal charges have yet to be filed, the US has urged the United Nations Security Council to blacklist Lazarus and order a freeze of its assets. At this point the wallet contains about $445 million, and some $86 million of the stolen funds have been moved through Tornado Cash, a “mixing” service that pools deposits from many users to obscure the on-chain link between where funds came from and where they went.

Though the US government is holding back from a formal charge of the Lazarus hacking group at this point, some security firms (including Chainalysis and Elliptic) have stepped forward with a more confident confirmation of North Korea’s involvement in the crime after an investigation that has now spanned several weeks. Sky Mavis, the publisher of Axie Infinity, has retained CrowdStrike, which has yet to make a public comment.

The Lazarus hacking group has a long history of major cyber thefts and disruptions dating back to at least 2009. The group first surfaced in that year with a relatively crude series of distributed denial of service (DDoS) attacks on the South Korean government, but rapidly evolved its techniques and tactics. In 2014 the group was linked to the major breach of Sony Pictures; in 2016 it used fraudulent SWIFT transfer orders in an attempt to move nearly $1 billion out of Bangladesh Bank, the country’s central bank, getting away with about $81 million; and in 2017 it was linked to both the WannaCry global ransomware outbreak and a string of attacks on cryptocurrency platforms that netted millions of dollars in stolen funds. The Lazarus hacking group was also very active during the Covid-19 pandemic in attempting to break into pharmaceutical companies conducting vaccine research.

John Bambenek, Principal Threat Hunter at Netenrich, observes that the sanctions will not likely mean much if the Lazarus hacking group is indeed involved in the crypto theft: “North Korea has been unique in that they have APT groups focused on stealing cryptocurrency. As North Korea is highly-sanctioned, cryptocurrency thefts are also a national security interest for them. Sanctioning the wallet probably won’t help too much as there are exchanges that don’t respect the OFAC list.”

Record-setting crypto theft targeted world’s most popular NFT game

Axie Infinity has existed for several years now, but saw a major surge in popularity toward the end of 2021 that made it the world’s most popular (and most lucrative) crypto game. It has leveraged the recent interest in NFTs by having players purchase a token that represents a monster that can be entered into the game to fight. The game’s revenues have reached over $1 billion per year, as players spend around $100 USD for an entry-level “combat ready” monster and the game’s “whales” spend as much as hundreds of thousands of dollars on individual NFTs.

It was that late-2021 surge of interest that (inadvertently) created the opening for the Lazarus hacking group. Confronted with a sudden influx of new players during the holiday season last year, the game’s administrators created a set of temporary accounts to help handle high-level actions such as authorizing transactions. As traffic stabilized into 2022, these temporary accounts were decommissioned operationally but never actually removed, so they retained their privileges. The hackers somehow managed to talk Axie Infinity staff into granting them access to these accounts. Because each of those accounts still counted toward the set of validator nodes whose approval the Ronin network requires, that access let the attackers reach the number of validators needed to authorize withdrawals from the bridge that underpins the game, and carry out the massive crypto theft.

Geoff Mattson, Senior Vice President of Product at LogRhythm, elaborated on why the new trend toward node-based security in the crypto world is concerning (as this case of crypto theft illustrates): “The Ronin side chain bridge in this case used a validation strategy called ‘proof-of-authority.’ Older projects use ‘proof-of-work’ validation which relies on showing use of compute power but this is considered wasteful, environmentally hostile and slow. Some newer projects use ‘proof-of-stake’ validation which is very complex. With ‘proof-of-authority’ a certain number of validator nodes can mint a transaction. All you need is 51% of these nodes to control the transactions. A 51% attack occurs when the majority of the validators are compromised … This trend is very concerning. Although it sounds like Ronin network was an easy target, the company behind it, Sky Mavis, is a leading crypto DeFi and gaming vendor with backing from A16Z. Other side-chain bridges are likely to be at least equally vulnerable.”
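The failure the two paragraphs above describe, surge-period validator accounts that were retired on paper but still counted toward the signing threshold, as an added illustration that is not Sky Mavis or Ronin code. The validator count (9), the threshold (5), the key material, the account names and the withdrawal message format are all assumptions made for the example, and HMAC-SHA256 stands in for the ECDSA signatures a real bridge contract would verify against validator addresses.

```python
"""Threshold-validator withdrawal check: a 'retired' key still counts unless
the verifier itself stops honouring it.

Added illustration, not Sky Mavis / Ronin code. Assumed: 9 validators, a
5-signature threshold, HMAC-SHA256 in place of ECDSA, constructed keys.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    amount_wei: int
    nonce: int

    def digest(self) -> bytes:
        # Canonical message every validator signs (the wire format is assumed)
        msg = f"withdraw|{self.recipient}|{self.amount_wei}|{self.nonce}".encode()
        return hashlib.sha256(msg).digest()


def sign(secret: bytes, w: Withdrawal) -> bytes:
    """Validator-side signing. HMAC-SHA256 stands in for the ECDSA signature
    a real bridge contract would check against a validator's address."""
    return hmac.new(secret, w.digest(), hashlib.sha256).digest()


class Bridge:
    """Releases funds once `threshold` distinct, still-authorised validators
    have signed. An attacker needs only `threshold` usable keys, and a key
    that was decommissioned only operationally is still usable."""

    def __init__(self, validator_keys: dict[str, bytes], threshold: int):
        self.validator_keys = dict(validator_keys)  # name -> verification key
        self.threshold = threshold
        self.revoked: set[str] = set()

    def live_count(self) -> int:
        return len(self.validator_keys) - len(self.revoked)

    def decommission(self, name: str) -> None:
        """Strip a validator's authority in the verifier itself. Refuses to
        shrink the live set below the threshold, which would freeze withdrawals."""
        if name not in self.validator_keys:
            raise KeyError(name)
        if self.live_count() - 1 < self.threshold:
            raise ValueError("revocation would leave fewer live validators than threshold")
        self.revoked.add(name)

    def verify_withdrawal(self, w: Withdrawal,
                          signatures: dict[str, bytes]) -> tuple[bool, list[str]]:
        accepted: list[str] = []
        for name, sig in signatures.items():
            key = self.validator_keys.get(name)
            if key is None or name in self.revoked:
                continue  # unknown or revoked signer contributes nothing
            if hmac.compare_digest(sign(key, w), sig):
                accepted.append(name)
        return len(accepted) >= self.threshold, accepted


def sample_validator_keys() -> dict[str, bytes]:
    """Constructed keys: 7 permanent validators plus 2 temporary ones added
    for the traffic surge (counts are assumptions, not Ronin's real set)."""
    names = [f"perm{i}" for i in range(1, 8)] + ["temp1", "temp2"]
    return {n: hashlib.sha256(f"constructed-secret-{n}".encode()).digest() for n in names}


def forge_withdrawal(bridge: Bridge, compromised: list[str]) -> bool:
    """An attacker holding the listed validators' keys tries to drain the bridge."""
    w = Withdrawal(recipient="0xAttackerControlled", amount_wei=10**24, nonce=1)
    sigs = {n: sign(bridge.validator_keys[n], w) for n in compromised}
    ok, _ = bridge.verify_withdrawal(w, sigs)
    return ok


def demo() -> dict[str, bool]:
    threshold = 5  # assumed: 5 of 9 signatures release funds
    stolen = ["perm1", "perm2", "perm3", "temp1", "temp2"]  # 3 live + 2 "retired"

    # Vulnerable: the temporary validators were decommissioned operationally
    # but never removed from the authorised set, so their keys still count.
    stale = Bridge(sample_validator_keys(), threshold)

    # Hardened: retirement is enforced where signatures are counted.
    pruned = Bridge(sample_validator_keys(), threshold)
    pruned.decommission("temp1")
    pruned.decommission("temp2")

    return {
        "stale_set_accepts_forgery": forge_withdrawal(stale, stolen),    # True
        "pruned_set_accepts_forgery": forge_withdrawal(pruned, stolen),  # False
    }


if __name__ == "__main__":
    print(demo())
```

With the two temporary keys still authorised, three compromised permanent keys are enough to reach the threshold; once the verifier itself refuses them, the same five stolen keys fall two short. The guard in `decommission` is the practitioner's caveat: pruning validators without checking the live count against the threshold turns a revocation into a bridge-wide freeze.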

Sky Mavis has announced its intention to reimburse those that lost funds to the crypto theft with a combination of its money on hand and money raised in a new round of funding from investors. The theft of $615 million topped the previous largest theft from a DeFi network, the August 2021 breach of Poly Network (roughly $611 million), by a small margin, but in that prior incident the hackers returned the vast majority of the funds in exchange for a bounty payment. It is presumed that if the Lazarus hacking group is truly behind the Ronin network breach, those funds (mostly Ethereum and a relatively new dollar-pegged token called USD Coin, or USDC) will never be seen again.

The Ronin network bridge remains down as a forensic investigation of the crypto theft takes place and security is improved, but Sky Mavis has said that it plans to have it up again by the end of April.

Hank Schless, Senior Manager of Security Solutions at Lookout, shared some thoughts on what this improved security might ultimately look like: “Crypto platform providers need to ensure that their employees are protected and don’t become conduits for cybercriminals to make their way into the infrastructure. Employees are constantly targeted by mobile phishing and other attacks that would give a cybercriminal a backstage pass to the company’s infrastructure. The risk of this happening can be reduced by implementing a powerful combination of a unified mobile threat defense (MTD) and cloud access security broker (CASB) solution that can protect the user on the endpoint and recognize anomalous activity indicative of a compromised employee account.”