[Update: this blog has been updated to reflect US sanctions announced against the Ronin Bridge Exploiter’s Ethereum address on April 14th 2022]
On March 29, Ronin Network announced that 173,600 Ether (ETH) and 25.5 million USD Coin (USDC) had been stolen from the Ronin cross-chain bridge six days earlier. The stolen crypto assets were worth $540 million at the time of the theft, making this the second biggest cryptocurrency theft of all time.
On April 14, the US Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against the thief's Ethereum address and named its owner as the Lazarus Group, a North Korean state hacking group. The sanctions prohibit US persons and entities from transacting with this address, so that the state-sponsored group cannot cash out the funds it still holds through US crypto exchanges.
The theft took place six days before Ronin announced it. Amid the confusion over the delayed response, Ronin explained that the exploit was only discovered after a user's attempt to withdraw 5,000 ETH failed. At the time of discovery, the stolen funds were worth more than $615 million.
How the hack unfolded
According to the post mortem published by Ronin, the theft was the result of attackers compromising the validator nodes of the Ronin Bridge. Funds can be moved out of the bridge if five of its nine validators approve the withdrawal.
The attacker obtained the private signing keys of five validators, which was enough to authorise the withdrawals and steal the cryptoassets. The post mortem states that "all evidence points to this attack being social engineering, not a technical flaw".
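To make the five-of-nine threshold concrete, here is an added example, written for this page and not Ronin's or Sky Mavis's code, that models a threshold-approved bridge withdrawal in Go using standard-library ECDSA. It shows the security-relevant point of the post mortem: the bridge verifies signatures correctly, but it cannot tell an approval produced by a validator from one produced by an attacker holding that validator's stolen key, so five stolen keys are sufficient. The validator names, the withdrawal format and the use of the P-256 curve are assumptions of the example; Ronin validators use Ethereum secp256k1 keys, which Go's standard library does not ship, but the threshold check is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

type Withdrawal struct { // the message validators approve; Digest is what they sign
	To, Asset     string
	Amount, Nonce uint64
}

func (w Withdrawal) Digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%d", w.To, w.Asset, w.Amount, w.Nonce)))
	return h[:]
}

// Validator holds one validator's signing key. Ronin validators use Ethereum
// secp256k1 keys; P-256 is used here only because it is in Go's standard library.
type Validator struct {
	Name string
	Key  *ecdsa.PrivateKey
}

type Approval struct { // one validator's ECDSA signature over a withdrawal digest
	Validator string
	R, S      *big.Int
}

// Bridge is the verifying side: trusted public keys and the approvals required (5 of 9 for Ronin).
type Bridge struct {
	Validators map[string]*ecdsa.PublicKey
	Threshold  int
}

// NewValidators generates n validators with fresh keys (hypothetical names) and the bridge trusting them.
func NewValidators(n, threshold int) ([]*Validator, Bridge, error) {
	bridge := Bridge{Validators: map[string]*ecdsa.PublicKey{}, Threshold: threshold}
	var vals []*Validator
	for i := 0; i < n; i++ {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, Bridge{}, err
		}
		name := fmt.Sprintf("validator-%d", i+1)
		vals = append(vals, &Validator{Name: name, Key: key})
		bridge.Validators[name] = &key.PublicKey
	}
	return vals, bridge, nil
}

// Sign approves w. An attacker holding the validator's key produces an indistinguishable approval.
func Sign(v *Validator, w Withdrawal) (Approval, error) {
	r, s, err := ecdsa.Sign(rand.Reader, v.Key, w.Digest())
	if err != nil {
		return Approval{}, err
	}
	return Approval{Validator: v.Name, R: r, S: s}, nil
}

// Authorize counts distinct valid approvals of w and reports whether the threshold is met.
// Unknown signers, invalid signatures and repeated approvals from one validator are not counted.
func (b Bridge) Authorize(w Withdrawal, approvals []Approval) (int, bool) {
	digest, seen := w.Digest(), map[string]bool{}
	for _, a := range approvals {
		pub, known := b.Validators[a.Validator]
		if known && !seen[a.Validator] && ecdsa.Verify(pub, digest, a.R, a.S) {
			seen[a.Validator] = true
		}
	}
	return len(seen), len(seen) >= b.Threshold
}

// Compromise simulates an attacker who holds the keys of k of the n validators
// and reports whether the bridge releases the attacker's withdrawal.
func Compromise(n, threshold, k int) (bool, error) {
	vals, bridge, err := NewValidators(n, threshold)
	if err != nil {
		return false, err
	}
	w := Withdrawal{To: "0xattacker", Asset: "ETH", Amount: 173600, Nonce: 1} // constructed
	var approvals []Approval
	for _, v := range vals[:k] {
		a, err := Sign(v, w)
		if err != nil {
			return false, err
		}
		approvals = append(approvals, a)
	}
	_, ok := bridge.Authorize(w, approvals)
	return ok, nil
}

func main() { fmt.Println(Compromise(9, 5, 5)) } // true <nil>
```

Compromise(9, 5, 4) returns false and Compromise(9, 5, 5) returns true: the verifier has no defect to patch, so the practical defences are custody and operational ones, such as keeping validator keys on hardware under independent operators and raising the threshold so that an attacker must obtain more keys. The Authorize check also refuses to count the same validator twice and binds each signature to one withdrawal digest, two properties a bridge verifier must have and that the attacker here does not need to break.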
Laundering stolen cryptocurrency
Elliptic’s internal analysis shows that by April 14, the attacker had managed to launder 18% of the stolen funds.
First, the stolen USDC was swapped for ETH through decentralized exchanges (DEXs) so that it could not be frozen. Tokens such as stablecoins are controlled by their issuers, who in some cases can freeze tokens involved in illicit activity.
By converting tokens on DEXs, the hacker avoided the anti-money laundering (AML) and know-your-customer (KYC) checks performed by centralized exchanges. This is an increasingly common tactic in hacks of this type, as described in a recent Elliptic report, "DeFi: Risk, Regulation and the Rise of DeCrime".
However, the attacker then began laundering $16.7 million worth of ETH through three centralized exchanges. This is unusual for a typical DeFi exploit, given the AML obligations of these exchanges, although it has been seen more often in past exploits attributed to the Lazarus Group.
As the affected exchanges publicly announced that they would work with law enforcement to establish the attacker's identity, the attacker changed strategy and instead used Tornado Cash, a popular mixer implemented as smart contracts on the Ethereum blockchain. So far, $80.3 million of ETH has been sent through Tornado Cash.
Figure: destination of $107 million of the $540 million in ETH and USDC stolen.
The attacker's blockchain activity shows another $9.7 million worth of ETH sitting in intermediary wallets, ready to be laundered, most likely through Tornado Cash as well. This leaves a significant $433 million in the attacker's original wallet.
Elliptic investigators are tracking these stolen funds and have flagged the addresses associated with this attacker in our systems – ensuring our customers will be alerted if they receive any of these funds.
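As an added illustration of what flagging an address and alerting on its funds means in practice (example code written for this page, not Elliptic's tooling), the Go program below propagates a flag from a seed address across a constructed ledger of transfers, following the intermediary wallets described above. It treats a mixer contract as a sink, because deposits into a mixer cannot be linked to its withdrawals by following transactions, and it raises an alert whenever a monitored deposit address receives funds from a tainted sender. All addresses, amounts and the hop limit are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Transfer is one on-chain value movement. The ledger below is constructed
// for this example and is not real Ronin transaction data.
type Transfer struct {
	From, To string
	Amount   float64 // ETH
}

// Alert records a monitored address receiving funds from a tainted sender.
type Alert struct {
	Address string  // monitored address that received the funds
	From    string  // tainted sender
	Hops    int     // transfers between the flagged seed and this deposit
	Amount  float64 // ETH
}

// Trace walks outgoing transfers from the flagged seed addresses, breadth first,
// and returns every reached address with its hop distance from the nearest seed.
// Sinks (mixer contracts) are flagged when reached but never expanded: nothing
// withdrawn from a mixer can be linked to a deposit by following edges.
func Trace(ledger []Transfer, seeds []string, sinks map[string]bool, maxHops int) map[string]int {
	out := map[string][]Transfer{}
	for _, t := range ledger {
		out[t.From] = append(out[t.From], t)
	}
	dist := map[string]int{}
	var queue []string
	for _, s := range seeds {
		dist[s] = 0
		queue = append(queue, s)
	}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if dist[cur] >= maxHops || sinks[cur] {
			continue
		}
		for _, t := range out[cur] {
			if _, seen := dist[t.To]; !seen {
				dist[t.To] = dist[cur] + 1
				queue = append(queue, t.To)
			}
		}
	}
	return dist
}

// Screen checks every transfer into a monitored address (for example an
// exchange's deposit addresses) against the taint map and returns one alert
// per tainted deposit, largest amount first.
func Screen(ledger []Transfer, tainted map[string]int, monitored map[string]bool) []Alert {
	var alerts []Alert
	for _, t := range ledger {
		hops, ok := tainted[t.From]
		if ok && monitored[t.To] {
			alerts = append(alerts, Alert{Address: t.To, From: t.From, Hops: hops + 1, Amount: t.Amount})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Amount > alerts[j].Amount })
	return alerts
}

// SampleLedger (constructed): a flagged exploiter wallet, two intermediary hops,
// a mixer deposit and withdrawal, and deposits into two exchange addresses, one
// of them from an unrelated customer. Addresses are labels, not real ones.
var SampleLedger = []Transfer{
	{"exploiter", "hop1a", 1000},
	{"exploiter", "hop1b", 500},
	{"hop1a", "hop2a", 1000},
	{"hop1b", "mixer", 500},
	{"mixer", "fresh-wallet", 100}, // mixer output: not linkable to the deposit
	{"hop2a", "exchange-deposit-1", 300},
	{"hop2a", "exchange-deposit-2", 200},
	{"clean-customer", "exchange-deposit-1", 50},
}

// RunSample traces from the flagged seed and screens the two exchange deposit addresses.
func RunSample() []Alert {
	sinks := map[string]bool{"mixer": true}
	monitored := map[string]bool{"exchange-deposit-1": true, "exchange-deposit-2": true}
	tainted := Trace(SampleLedger, []string{"exploiter"}, sinks, 5)
	return Screen(SampleLedger, tainted, monitored)
}

func main() {
	for _, a := range RunSample() {
		fmt.Printf("ALERT %s received %.0f ETH from %s (%d hops from flagged wallet)\n",
			a.Address, a.Amount, a.From, a.Hops)
	}
}
```

On the sample ledger this raises two alerts, for the 300 ETH and 200 ETH deposits three hops from the flagged wallet, and none for the clean customer's deposit; the wallet funded from the mixer is not flagged, which is exactly why the attacker switched to Tornado Cash once the exchanges started cooperating with law enforcement. A production tracer has to handle what this example leaves out: hop-distance decay, value-weighted taint across commingled balances, and cross-chain movements through bridges.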
How the Lazarus Group launders its funds. Source: Elliptic Forensics.
Lazarus Group targets crypto entities
The Lazarus Group is a group of North Korean state hackers that has been targeting crypto entities since at least 2017. Until 2021, most of this activity was directed at centralized exchanges located in South Korea or elsewhere in Asia. Over the past year, however, the group's attention has turned to DeFi services. While the service attacked in this case, the Ronin network bridge, is decentralized, its creator, Sky Mavis, is based in Vietnam.
It is not surprising that this attack has been attributed to North Korea. Many features of the attack mirror the methods used by the Lazarus Group in previous high-profile attacks: the location of the victim, the method of attack (believed to have involved social engineering), and the laundering pattern the group followed afterwards.
Many commentators believe that the cryptoassets stolen by the Lazarus Group are being used to finance the country’s nuclear and ballistic missile programs. With recent reports that North Korea may be preparing for another nuclear test, today’s sanctions underscore the importance of ensuring that the Lazarus Group is unable to successfully launder the proceeds of these attacks.
Contact us
You can learn more about Elliptic’s transaction tracking capabilities or contact us for a demo.