Lazarus Group Is Behind Axie Infinity Crypto Hack And Attacks On Chemical Sector Worth $540 Million

The US Treasury Department has implicated the North Korean-backed Lazarus Group (aka Hidden Cobra) in stealing $540 million from the Ronin Network of the Axie Infinity video game last month.

On Thursday, the Treasury Department linked the Ethereum wallet address that received the stolen funds to the threat actor and sanctioned the funds by adding the address to the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list.

“The FBI, in coordination with the Treasury Department and other U.S. government partners, will continue to expose and combat the DPRK’s use of illegal activities — including cybercrime and cryptocurrency theft — to generate revenue for the regime,” the intelligence and law enforcement agency said in a statement.

The cryptocurrency heist, the second largest cryptocurrency theft to date, involved siphoning 173,600 ether (ETH) and 25.5 million USD coins (USDC) on March 23, 2022 from the Ronin cross-chain bridge, which allows users to transfer their digital assets from one crypto network to another.

“The attacker used hacked private keys to spoof fake payouts,” the Ronin Network stated in its disclosure report a week after the incident broke.


The sanctions ban US individuals and companies from doing business with the offending address to ensure the state-sponsored group cannot disburse any further funds. An analysis by Elliptic has revealed that the actor managed to stay alive until April 14.

“First, the stolen USDC was exchanged for ETH via decentralized exchanges (DEXs) to prevent it from being seized,” Elliptic noted. “By converting the tokens at DEXs, the hacker bypassed anti-money laundering (AML) and ‘Know Your Customer’ (KYC) checks performed on centralized exchanges.”

Nearly $80.3 million of the laundered funds passed through Tornado Cash, a mixing service on the Ethereum blockchain that aims to obfuscate the trail of the funds, with another $9.7 million in ETH likely to be laundered the same way.

The Lazarus Group, an umbrella name for prolific state-sponsored actors operating on behalf of North Korean strategic interests, has had a track record of conducting cryptocurrency thefts to evade sanctions and fund the country’s nuclear and ballistic missile programs since at least 2017.

“The country’s espionage operations are believed to reflect the immediate concerns and priorities of the regime, which is currently likely focused on acquiring financial resources through crypto heists, targeting media, news and political entities, [and] information on foreign relations and nuclear information,” Mandiant pointed out in a recent deep dive.

The US Cybersecurity and Infrastructure Security Agency (CISA) has portrayed the group’s cyber actors as increasingly sophisticated, having developed and deployed a wide range of malware tools worldwide to facilitate these activities.

The group is known to have looted an estimated $400 million worth of digital assets from crypto platforms in 2021, a 40% jump from 2020 according to Chainalysis, which noted that “only 20% of the funds stolen were Bitcoin, [and that] Ether accounted for a majority of the stolen funds at 58%.”

Despite US government sanctions against the hacking collective, the group’s recent campaigns have capitalized on trojanized DeFi (Decentralized Finance) wallet apps to backdoor Windows systems and misappropriate funds from unsuspecting users.

That’s not all. In another cyber offensive disclosed this week by Broadcom’s Symantec, the actor was observed targeting South Korean companies involved in the chemical sector in what appears to be a continuation of a malware campaign dubbed “Operation Dream Job,” consistent with findings published by Google’s Threat Analysis Group in March 2022.


The attacks, discovered in early January, began with a suspicious HTM file, either received as a link in a phishing email or downloaded from the web, which, when opened, triggers an infection sequence that eventually leads to the retrieval of a second-stage payload from a remote server to facilitate further intrusions.

The goal of the attacks, according to Symantec, is “to obtain intellectual property to further North Korea’s own efforts in this area.”

The ongoing onslaught of illegal activities by the Lazarus Group has also prompted the US State Department to announce a $5 million reward for “information leading to the disruption of the financial mechanisms of individuals engaged in certain activities in support of North Korea.”

The development comes days after a US court in New York sentenced Virgil Griffith, a 39-year-old former Ethereum developer, to five years and three months in prison for helping North Korea use virtual currencies to evade sanctions.

To make matters worse, malicious actors stole $1.3 billion worth of cryptocurrency in the first three months of 2022 alone, compared to $3.2 billion looted throughout 2021, suggesting a “meteoric rise” in crypto platform thefts.

“Nearly 97% of all cryptocurrencies stolen in the first three months of 2022 came from DeFi protocols, up from 72% in 2021 and just 30% in 2020,” Chainalysis said in a report published this week.

“However, with DeFi protocols in particular, the biggest thefts are usually due to buggy code. Code exploits and flash loan attacks — a type of code exploit that involves manipulating the prices of cryptocurrencies — accounted for much of the value stolen outside of the Ronin attack,” the researchers said.

New Technology Era
