Saturday, November 23, 2024

[Update: this blog has been updated to reflect US sanctions announced against the Ronin Bridge Exploiter’s Ethereum address on April 14th 2022]

Ronin Network announced on March 29 that 173,600 Ether (ETH) and 25.5 million USD Coin (USDC) had been stolen from the Ronin cross-chain bridge six days earlier. The total value of the stolen cryptoassets at the time of the theft was $540 million, making this the second biggest cryptocurrency theft of all time.

On April 14, the US Treasury’s Office of Foreign Assets Control (OFAC) announced new sanctions against the thief’s Ethereum address and named the owner of this address as the Lazarus Group – a North Korean state hacking group. The sanctions prohibit US persons and entities from transacting with this address to ensure that the state-sponsored group cannot cash out any further funds they continue to hold through US crypto exchanges.

The incident happened six days before Ronin announced the exploit. Amid the confusion over the delayed response, Ronin stated that the exploit was only discovered after a user's attempt to withdraw 5,000 ETH from the bridge failed. At the time of discovery, the stolen funds were worth more than $615 million.

How the hack unfolded

According to a post-mortem published by Ronin, the theft was the result of an attacker compromising the "validator nodes" of Ronin's bridge. Funds can be moved out of the bridge if a withdrawal is approved by five of the nine validators. The attacker obtained the private keys of five of these validators, which was enough to authorize the withdrawal of the cryptoassets. The post-mortem states that "all evidence points to this attack being social engineering, not a technical flaw."
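The five-of-nine approval rule described above, as an added illustration that is not Ronin's code: HMAC-SHA256 stands in for the validators' real signatures, the validator names, the recipient address and the 10,000 ETH limit are constructed placeholders, and a separate outflow monitor shows why a signature rule alone does not detect a withdrawal made with stolen keys.

```python
import hashlib
import hmac
import secrets

# Constructed m-of-n approval model (5 of 9, as in the post). HMAC-SHA256 is a
# stand-in for the validators' asymmetric signatures so this runs on stdlib only.
THRESHOLD = 5
VALIDATORS = {f"validator-{i}": secrets.token_bytes(32) for i in range(9)}


def withdrawal_digest(recipient: str, amount_eth: int, nonce: int) -> bytes:
    """Canonical message that validators approve (constructed format)."""
    return hashlib.sha256(f"{recipient}|{amount_eth}|{nonce}".encode()).digest()


def approve(validator: str, digest: bytes) -> bytes:
    """One validator's approval over the digest (stand-in signature)."""
    return hmac.new(VALIDATORS[validator], digest, "sha256").digest()


def bridge_accepts(digest: bytes, approvals: dict) -> bool:
    """Bridge rule: at least THRESHOLD distinct validators with valid approvals.
    Keys of `approvals` are validator names, so one key cannot count twice."""
    valid = {v for v, sig in approvals.items()
             if v in VALIDATORS and hmac.compare_digest(approve(v, digest), sig)}
    return len(valid) >= THRESHOLD


# Assumed operator policy for the monitor, not a value from the post.
DAILY_LIMIT_ETH = 10_000


def outflow_alert(amount_eth: int) -> bool:
    """Independent control: flag an unusually large withdrawal even when the
    signature threshold was met (the post notes the theft went unnoticed for
    six days until a user's own withdrawal failed)."""
    return amount_eth > DAILY_LIMIT_ETH


def simulate(signing_validators: list, amount_eth: int) -> tuple:
    """Return (bridge accepted?, monitor alerted?) for a withdrawal signed by
    the given validators. Recipient address is a placeholder."""
    digest = withdrawal_digest("0xRECIPIENT_PLACEHOLDER", amount_eth, nonce=1)
    approvals = {v: approve(v, digest) for v in signing_validators}
    return bridge_accepts(digest, approvals), outflow_alert(amount_eth)
```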

Laundering stolen cryptocurrency

Elliptic’s internal analysis shows that by April 14, the attacker had managed to launder 18% of the stolen funds.

First, the stolen USDC was exchanged for ETH through decentralized exchanges (DEX) to prevent it from being seized. Tokens like stablecoins are controlled by their issuers, who in some cases can freeze tokens involved in illegal activities.

By converting tokens on DEXs, the hacker avoided the AML and KYC checks performed by centralized exchanges. This is an increasingly common tactic in hacks of this type, as described in a recent Elliptic report: DeFi: Risk, Regulation and the Rise of DeCrime.

However, the attacker then began laundering $16.7 million worth of ETH through three centralized exchanges. This strategy is unusual for typical DeFi exploits given these exchanges’ anti-money laundering (AML) obligations, although it has been seen more often in past exploits linked to the Lazarus Group.

After the affected exchanges publicly announced that they would work with law enforcement to establish the attacker's identity, the attacker changed laundering strategy and began using Tornado Cash instead – a popular mixer implemented as smart contracts on the Ethereum blockchain. So far, $80.3 million of ETH has been sent through Tornado Cash.

[Figure: Destination of the $107 million laundered so far out of the $540 million of stolen ETH and USDC.]

The attacker’s blockchain activity shows that another $9.7 million worth of ETH is sitting in intermediary wallets ready to be laundered, most likely through Tornado Cash as well. This leaves a significant $433 million remaining in the attacker’s original wallet.

Elliptic investigators are tracking these stolen funds and have flagged the addresses associated with this attacker in our systems – ensuring our customers will be alerted if they receive any of these funds.
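The flagged-address alerting described above, as an added example of how a receiving service can screen deposits; this is not Elliptic's code, and the transfer records, address labels and amounts below are constructed placeholders, not the real exploiter transactions.

```python
from collections import defaultdict, deque

# Constructed transfer graph: (sender, receiver, usd_value). Labels are
# placeholders standing in for real addresses.
TRANSFERS = [
    ("exploiter", "intermediary-1", 5_000_000),
    ("exploiter", "intermediary-2", 4_700_000),
    ("intermediary-1", "exchange-A", 2_000_000),
    ("intermediary-2", "mixer", 4_700_000),
    ("clean-user", "exchange-A", 1_000_000),
]
FLAGGED = {"exploiter"}  # sanctioned or investigator-flagged origin addresses


def exposure(transfers, flagged, max_hops=3):
    """Hop distance from any flagged address, following the direction funds
    moved (flagged = 0, direct recipient = 1, ...), capped at max_hops."""
    out = defaultdict(list)
    for src, dst, _ in transfers:
        out[src].append(dst)
    dist = {a: 0 for a in flagged}
    queue = deque(flagged)
    while queue:
        a = queue.popleft()
        if dist[a] >= max_hops:
            continue
        for nxt in out[a]:
            if nxt not in dist:
                dist[nxt] = dist[a] + 1
                queue.append(nxt)
    return dict(dist)


def tainted_inflow(transfers, flagged, max_hops=3):
    """USD value each address received from senders with flagged exposure."""
    dist = exposure(transfers, flagged, max_hops)
    total = defaultdict(int)
    for src, dst, usd in transfers:
        if src in dist:
            total[dst] += usd
    return dict(total)


def screen_deposit(sender, transfers, flagged, max_hops=3):
    """Receiving service check: (alert?, hop distance) for an incoming
    transfer from `sender`; alerts when the sender has flagged exposure."""
    dist = exposure(transfers, flagged, max_hops)
    return sender in dist, dist.get(sender)
```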

[Figure: How the Lazarus Group launders its funds. Source: Elliptic Forensics.]

Lazarus Group targets crypto entities

The Lazarus Group is a group of North Korean state hackers who have been targeting crypto entities since at least 2017. Until 2021, most of this activity was directed at centralized exchanges located in South Korea or elsewhere in Asia. Over the past year, however, the group's attention has turned to DeFi services. While the service attacked in this case – the Ronin network bridge – is decentralized, the network's creator, Sky Mavis, is based in Vietnam.

It is somewhat unsurprising that this attack has been attributed to North Korea. Many features of the attack mirrored the method used by the Lazarus Group in previous high-profile attacks, including the location of the victim, the method of attack (which is believed to have involved social engineering), and the laundering pattern the group used after the event.

Many commentators believe that the cryptoassets stolen by the Lazarus Group are being used to finance the country’s nuclear and ballistic missile programs. With recent reports that North Korea may be preparing for another nuclear test, today’s sanctions underscore the importance of ensuring that the Lazarus Group is unable to successfully launder the proceeds of these attacks.

You can learn more about Elliptic’s transaction tracking capabilities or contact us for a demo.
