North Korea’s ‘Lazarus’ Hacker Group and the $625M Ronin Network DeFi Exploit

North Korea's state-backed hacking group 'Lazarus Group' has been accused by US officials of stealing $625 million from Ronin Network, the host of Axie Infinity, in March.

The Treasury Department's Office of Foreign Assets Control (OFAC) announced on Thursday additional sanctions against an Ethereum wallet that reportedly belongs to the well-known hacker gang. According to Etherscan, the move to sanction the wallet came after the hacker transferred around 18 percent of the funds to other wallets before sending it in batches to Tornado Cash.

The claimed wallet address also received 13,600 ETH and 25.5 million USDC from the Ronin smart contract during the hack, according to crypto research firm Chainalysis.

“Updates to OFAC’s SDN designation for Lazarus Group confirm that the North Korean cybercriminal group was behind the March hack of Ronin Bridge, in which over $600 million worth of ETH and USDC was stolen,” Chainalysis tweeted on Thursday following the sanctions.

Tornado Cash is a fully decentralized, non-custodial protocol that has gained a reputation for being favored by criminals. The protocol facilitates private transactions through smart contracts that accept token deposits from one address and allow withdrawals from another address. Because those contracts function as pools that mix all deposited assets, once funds are withdrawn from a pool to a completely new address, the on-chain link between source and destination is severed, making it extremely difficult to trace the stolen funds.

According to a blog post by blockchain analytics firm Elliptic, the sanctions bar US businesses from transacting with the red-listed Ethereum account, in order to prevent the exploiters from cashing out stolen funds through any US-listed crypto exchange.

Following the US sanctions, currency mixer Tornado Cash announced on Friday that it had implemented a Chainalysis-developed tool to automatically identify and block crypto wallets that appear on the US Office of Foreign Assets Control (OFAC) sanctions list.
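The two mechanisms described above, the pool severing the on-chain link between depositor and withdrawer, and the front-end screening deposits against a sanctions list, can be illustrated with a small compliance-screening script. The code below is an added example written for this article, not code from Tornado Cash, Chainalysis or any other party mentioned here. It builds a constructed transfer graph with placeholder addresses (none are real on-chain addresses or the sanctioned wallet), walks outward from a listed address to compute how many hops away each counterparty is, and treats a mixer pool as opaque: funds that reach the pool are flagged, but withdrawals from it are not attributed back, which is exactly why tracing stops there. The `screen` function then classifies an address the way a deposit screener would.

```python
from collections import deque

# --- Constructed sample data (not from the article) ---------------------------
# Placeholder labels stand in for Ethereum addresses; no real address appears.
SANCTIONED = {"0xsdn_wallet"}          # stand-in for an OFAC SDN-listed address
MIXER_POOLS = {"0xmixer"}              # stand-in for a mixing-pool contract

# (sender, receiver, amount) tuples describing a small peel chain:
# listed wallet -> intermediate hops -> mixer pool -> fresh withdrawal address.
TRANSFERS = [
    ("0xbridge",     "0xsdn_wallet", 10000.0),
    ("0xsdn_wallet", "0xhop1",         900.0),
    ("0xsdn_wallet", "0xhop2",         900.0),
    ("0xhop1",       "0xhop3",         100.0),
    ("0xhop2",       "0xmixer",        900.0),
    ("0xmixer",      "0xfresh",        100.0),   # a withdrawal; which deposit funded it is unknowable
    ("0xclean",      "0xexchange",       5.0),   # unrelated traffic
]


def exposure_hops(transfers, sanctioned, opaque=frozenset()):
    """Breadth-first search from sanctioned addresses along the direction of transfers.

    Returns {address: minimum hops from any sanctioned address}.  Addresses in
    `opaque` (mixer pools) are recorded when reached but never expanded, since a
    withdrawal from a pool cannot be tied to a particular deposit on-chain.
    """
    out_edges = {}
    for sender, receiver, _amount in transfers:
        out_edges.setdefault(sender.lower(), []).append(receiver.lower())

    hops = {addr.lower(): 0 for addr in sanctioned}
    queue = deque(hops)
    while queue:
        addr = queue.popleft()
        if addr in opaque:
            continue                       # tainted funds entered the pool; trail ends here
        for nxt in out_edges.get(addr, []):
            if nxt not in hops:            # first visit is the shortest path
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


def screen(address, hops, max_hops=2):
    """Classify a counterparty for a deposit screener.

    'block'  - the address itself is on the list
    'review' - funds arrived within max_hops of a listed address
    'allow'  - no known exposure within the tracing window
    """
    distance = hops.get(address.lower())
    if distance is None:
        return "allow"
    if distance == 0:
        return "block"
    return "review" if distance <= max_hops else "allow"


# Exposure map with the pool treated as opaque, as a real tracer would.
HOPS = exposure_hops(TRANSFERS, SANCTIONED, opaque=MIXER_POOLS)


def report(hops=HOPS):
    """Return (address, hops, decision) rows for every address in the sample graph."""
    seen = {a for edge in TRANSFERS for a in edge[:2]}
    return [(a, hops.get(a), screen(a, hops)) for a in sorted(seen)]


if __name__ == "__main__":
    for address, distance, decision in report():
        print(f"{address:14} hops={distance!s:5} -> {decision}")
```

Running the script shows `0xsdn_wallet` blocked, `0xhop1`, `0xhop2` and `0xhop3` sent for review, and `0xfresh` allowed even though it was funded from the pool: the withdrawal address is unlinkable on-chain, which is the gap the article describes and the reason screening deposits into the pool, rather than withdrawals out of it, is the only lever the front end has. Dropping the `opaque` argument makes the tracer naively follow the pool's outgoing edge and mark `0xfresh` at three hops, which is what a tracer would see only if it had some off-chain way to link deposit and withdrawal.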

According to Roman Semenov, one of the protocol's founders, the change may not achieve anything. Although all Tornado Cash transactions are public and can be monitored on a block explorer, he claims that "the smart contracts are immutable," making it technically impossible to impose sanctions against the protocol.

The Ronin hack is one of the biggest yet, surpassing the $600 million worth of tokens taken from Poly Network in 2021 (and later returned). As blockchain networks have grown more interoperable, attacks against blockchain bridges by entities like Lazarus have increased over the last two years. The North Korean gang has also been linked to a number of other cyberattacks, most of which seek cryptocurrency as ransom.