North Korean hackers behind second-largest crypto hack
The Ronin Network this week said that North Korean cyber criminals were behind the $540 million crypto hack (at time of theft) it experienced last month after U.S. law enforcement provided a key link.
On Thursday, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sent out an updated list of sanctioned entities with a new Ethereum address in North Korea’s capital city, Pyongyang. Two hours later, an update from Ronin Network developers stated that the Federal Bureau of Investigation (FBI) attributed Ronin's security breach to the Lazarus Group.
The discovery raises the stakes for crypto security, especially in decentralized finance (DeFi), to the level of national security, according to blockchain analytics experts.
“This is a grave national security concern,” according to Erin Plante, Senior Director of Investigations with the blockchain analytics firm Chainalysis, adding “[Lazarus Group] have stolen billions of dollars' worth of crypto and the UN has connected this activity to funding their nuclear program.”
On March 23, hackers drained 173,600 ether (ETH) and 25.5 million of the stablecoin USD Coin (USDC) from the Ronin Network’s bridge, which connects the Ethereum sidechain to the Ethereum mainnet.
Ari Redbord, head of legal and government affairs with the blockchain analysis firm TRM Labs, said his team previously held suspicions that Lazarus might be behind crypto’s second-largest hack. The firm independently confirmed the link after U.S. officials provided the new wallet address.
Though not stunned by the connection, Redbord — a former advisor to the Terrorism and Financial Intelligence undersecretary with the Treasury Department — admitted he was “still taken aback.”
“The exploit was very sophisticated, targeted and based on social engineering,” Redbord told Yahoo Finance. “For years, social engineering has been a hallmark of North Korean cyber criminal groups and Lazarus in particular.”
Ronin developers plan to enhance security measures after the attack, with a full post-mortem detailing all security measures promised by the end of April. Before the attack, Ronin had weaker protections in place than those used on larger protocols. Ronin used validator computers to approve network transactions, with at least five of the nine validators needing to provide a signature to approve any transaction.
A side chain of the Ethereum blockchain, the Ronin Network serves as the payment rails for the popular play-to-earn game, Axie Infinity.
After Axie Infinity creator Sky Mavis gave the game’s decentralized autonomous organization (DAO) permission to validate transactions during a high-volume period in November, Lazarus managed to use the DAO’s permission to access one of Ronin’s five validators.
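The two paragraphs above describe a threshold-signature bridge (five of nine validator signatures) and a temporary signing grant that was still honoured months later. The following Python model, added here and not Ronin's or Sky Mavis's code, shows why an unrevoked grant matters for such a scheme: the quorum check only counts distinct, currently authorised signers, so revoking a stale delegate entry removes one key from any set that could otherwise reach the threshold. Validator names, the allowlist structure and the "four validator keys plus the delegate" scenario are constructed for illustration, not taken from the article.

```python
from __future__ import annotations
from dataclasses import dataclass, field

THRESHOLD = 5  # signatures required per transaction (from the article)
TOTAL = 9      # size of the validator set (from the article)


@dataclass
class BridgeAllowlist:
    """Validator id -> whether its signing authority is currently active.
    Constructed model of a threshold-signing allowlist, not Ronin's design."""
    validators: dict[str, bool] = field(default_factory=dict)

    def active(self) -> set[str]:
        return {v for v, ok in self.validators.items() if ok}

    def quorum_reached(self, signers: list[str]) -> bool:
        """True only if at least THRESHOLD distinct, authorised keys signed.
        Duplicate signatures and revoked or unknown keys never count."""
        authorised = set(signers) & self.active()
        return len(authorised) >= THRESHOLD

    def revoke(self, validator_id: str) -> None:
        """Withdraw a temporary grant; the key stays listed but inert."""
        if validator_id in self.validators:
            self.validators[validator_id] = False


def build_allowlist(delegate_grant_active: bool) -> BridgeAllowlist:
    """Eight permanent validators plus one delegate whose temporary grant
    (hypothetical name 'dao-delegate') may or may not have been revoked."""
    ids = {f"validator-{i}": True for i in range(1, TOTAL)}  # validator-1..8
    ids["dao-delegate"] = delegate_grant_active
    return BridgeAllowlist(ids)


def quorum_with_keys(held_keys: list[str], delegate_grant_active: bool) -> bool:
    """Can this set of keys alone approve a transaction? Used to compare the
    stale-grant case against the revoked case with the same keys."""
    return build_allowlist(delegate_grant_active).quorum_reached(held_keys)
```

With four permanent validator keys plus the delegate key, the stale grant is exactly the fifth signature the threshold needs; revoking it leaves the same key set one short.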
Including this latest hack, Chainalysis told Yahoo Finance that since 2018 it has attributed 34 different exploits, amounting to $2.1 billion in stolen cryptocurrency, to the Lazarus Group.
Early adopters of cryptocurrency for ransomware payments, the Lazarus Group attacked Sony Pictures in 2014, stealing intellectual property and employee details and leading to the company’s decision to pull its comedy film, “The Interview,” which revolved around two American journalists who interview the country’s dictator, Kim Jong-un.
Three years later, the Lazarus Group targeted Microsoft Windows operating systems in a massive ransomware campaign that demanded payment in Bitcoin and spanned 200,000 computers across 150 different countries.
For years, the U.S. and U.N. have recognized North Korean hacking groups, Lazarus most of all, as attacking foreign entities both to destabilize other nations and to earn revenue for a government under increasing global sanctions.
In part, the revenue has gone towards expanding the country’s nuclear weapons and ballistic missile programs, per Chainalysis and a February story from Reuters.
While most crypto theft this year can be traced to two incidents — Ronin and the $320 million theft from another crypto bridge, Wormhole — Plante said theft from DeFi protocols has made it the source of 97% of all cryptocurrency stolen in the first quarter of this year.
Tornado Cash uses @chainalysis oracle contract to block OFAC sanctioned addresses from accessing the dapp.
Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance. https://t.co/tzZe7bVjZt
— 🌪️ Tornado.cash 🌪️ (@TornadoCash) April 15, 2022
Though added to OFAC’s list of sanctioned entities, the Lazarus wallet address connected to the Ronin bridge hack has sent some of the funds to the Ethereum mixer Tornado Cash, which for months has been used both by the privacy-minded and by hackers laundering stolen cryptocurrency.
On Friday morning, Tornado Cash confirmed that it uses a Chainalysis tool that blocks OFAC listed addresses from using its application services.
However, the underlying smart contracts for the decentralized mixing service cannot be changed, according to Tornado Cash’s technical lead, Roman Semenov.
David Hollerith covers cryptocurrency for Yahoo Finance. Follow him @dshollers.