Federal investigators and private companies seized $30 million in cryptocurrency stolen in March by North Korean-linked APT gang Lazarus Group from a video game developer, the latest example of the growing skills of government and cybersecurity experts to track and recover such ill-gotten gains.
News of the seizure was announced this week at AxieCon, the user conference for Axie Infinity, the video game developed by Sky Mavis that allows players to win Ethereum. In March Sky Mavis saw the Lazarus Group steal $620 million from a decentralized finance (DeFi) platform used by the game and launder the bulk of it.
While the money grabbed back is only a fraction of what was stolen, it shows it is increasingly difficult for cybercriminals to hide the stolen crypto from government and private investigators, according to Erin Plante, senior director of investigations at blockchain research firm Chainalysis, one of the players instrumental in tracking down and grabbing back the money.
Plante also said she expects more stolen cash to be clawed back from North Korean groups.
“We have proven that with the right blockchain analysis tools, world-class investigators and compliance professionals can collaborate to stop even the most sophisticated hackers and launderers,” she wrote in a blog post. “There is still work to be done, but this is a milestone in our efforts to make the cryptocurrency ecosystem safer.”
News of the crypto recovery comes fewer than two months after the US Department of Justice and the FBI announced they had seized about $500,000 that healthcare facilities in the US had paid to the Maui ransomware group, another North Korean state-sponsored cyber-crew.
The US has aggressively targeted threat groups connected to North Korea – which uses stolen cryptocurrencies to get around sanctions and to fund its defense programs – and software that helps launder the stolen money, such as crypto-mixers like Tornado Cash.
Anatomy of a massive heist
In the Axie Infinity case, the Lazarus Group crooks gained access to five of the nine private keys used by transaction validators for Ronin Network, an Ethereum-based DeFi platform used by the game developer. With that access, the group approved two crypto transactions of 173,600 Ether and 25.5 million in USD Coin, according to Plante.
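The validator set described above is a t-of-n quorum: any five of the nine keys could approve a withdrawal, so once five keys were in the attackers' hands the bridge's own check was satisfied. The following Python model, added here as an illustration and not code from the article, Sky Mavis or Ronin, simulates that quorum with HMAC-SHA256 as a stand-in for real validator signatures and pairs it with a second, key-independent control (a hypothetical daily withdrawal cap). The 9-validator set, the 5-signature threshold and the 173,600 ETH figure come from the article; the validator keys, recipient address and the cap value are constructed.

```python
"""Toy t-of-n bridge-withdrawal quorum with an independent withdrawal cap.

Constructed example. Validator keys, the recipient address and DAILY_CAP_ETH
are made up; N_VALIDATORS, THRESHOLD and the 173,600 ETH amount are from the
article. HMAC stands in for the ECDSA signatures a real validator would use.
"""
import hashlib
import hmac
from dataclasses import dataclass

N_VALIDATORS = 9          # Ronin Network ran nine validators
THRESHOLD = 5             # five valid signatures approved a withdrawal
DAILY_CAP_ETH = 10_000.0  # hypothetical per-day limit, independent of the keys


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    amount_eth: float
    nonce: int

    def digest(self) -> bytes:
        # The message every validator signs; nonce prevents replay of an old approval
        return hashlib.sha256(
            f"{self.recipient}|{self.amount_eth}|{self.nonce}".encode()
        ).digest()


def make_validators(n: int = N_VALIDATORS) -> dict:
    # Deterministic constructed keys so the example reproduces offline
    return {
        f"validator-{i}": hashlib.sha256(b"constructed-key-" + bytes([i])).digest()
        for i in range(n)
    }


def sign(key: bytes, digest: bytes) -> str:
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


def count_valid_signatures(validators: dict, wd: Withdrawal, signatures: dict) -> int:
    """Count distinct validators whose signature over the withdrawal verifies."""
    digest = wd.digest()
    valid = set()
    for name, sig in signatures.items():
        key = validators.get(name)
        if key is not None and hmac.compare_digest(sign(key, digest), sig):
            valid.add(name)
    return len(valid)


def evaluate(validators: dict, wd: Withdrawal, signatures: dict,
             spent_today: float = 0.0, cap: float = DAILY_CAP_ETH,
             threshold: int = THRESHOLD) -> dict:
    """Quorum check plus a cap check; the cap does not depend on who holds keys."""
    quorum_met = count_valid_signatures(validators, wd, signatures) >= threshold
    over_cap = spent_today + wd.amount_eth > cap
    return {"quorum_met": quorum_met, "over_cap": over_cap,
            "approved": quorum_met and not over_cap}


def simulate_compromise(n_keys_stolen: int, amount_eth: float = 173_600.0) -> dict:
    """Attacker holds n_keys_stolen validator keys and requests a withdrawal."""
    validators = make_validators()
    wd = Withdrawal("0xRECIPIENT_constructed", amount_eth, nonce=1)
    stolen = dict(list(validators.items())[:n_keys_stolen])
    signatures = {name: sign(key, wd.digest()) for name, key in stolen.items()}
    return evaluate(validators, wd, signatures)


if __name__ == "__main__":
    for k in (4, 5):
        print(f"{k} keys compromised:", simulate_compromise(k))
```

With four keys the quorum fails; with five it passes, which is the whole lesson of the heist: a signature threshold only protects against fewer than `t` compromised signers, and nothing in the quorum check notices that 173,600 ETH is an extraordinary amount. The cap in `evaluate` is one example of a control that keeps working after the keys are lost; rate limits, time locks and out-of-band alerting on large withdrawals serve the same purpose.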
Much of the money was laundered through Tornado Cash, an Ethereum-based crypto mixer that processes huge numbers of transactions, obfuscating the currency’s origin, destination, and parties involved. In this case, the Ether was mixed in batches, swapped for Bitcoin, which in turn was mixed in batches and deposited to crypto-to-fiat services to be cashed out.
Last month the US Treasury Department placed sanctions on Tornado Cash for laundering more than $455 million stolen by Lazarus Group. Three months earlier, Treasury had placed similar sanctions on Blender, another crypto mixer.
Action and reaction
After the sanctions against Tornado Cash, Lazarus Group shifted much of its laundering efforts to “DeFi services to chain hop, or switch between several different kinds of cryptocurrencies in a single transaction,” Plante wrote. “Bridges serve an important function to move digital assets between chains and most usage of these platforms is completely legitimate. Lazarus appears to be using bridges in an attempt to obscure source of funds.”
The transparency inherent in crypto is key to investigating cases like Axie Infinity, including seeing how the money moves and is laundered, she wrote, something that is much more difficult to do with traditional financial channels, which can involve shell companies and financial institutions around the world.
This comes as DeFi platforms are routinely being targeted by such entities as Lazarus Group. According to Chainalysis, cybercriminals stole $1.68 billion in cryptocurrencies in the first four months of the year, with more than 95 percent of those siphoned from DeFi platforms.
North Korean groups as of August have hauled in at least $840 million this year. That includes $100 million taken from the blockchain network Harmony, another theft attributed to Lazarus Group.
The US has been pushing back, offering rewards of up to $10 million for information about North Korean-linked cybercrooks and charging suspected Lazarus members. In addition, Dutch authorities last month arrested a 29-year-old developer with suspected ties to the group.
In the Axie Infinity case, while authorities have seized the $30 million in crypto, it could be a while before Sky Mavis gets its money back. Company co-founder Aleksander Leonard Larsen told CNN that law enforcement officials have frozen the money and that none has yet been returned.
“We expect it to take time until the community gets the funds back,” he told the outlet. “Note also that all user funds have been reimbursed.” ®