Sanctions imposed by the United States on Tornado Cash are causing North Korean hackers to avoid the cryptocurrency mixer, helping law enforcement seize back $30 million stolen from the Ronin cryptocurrency bridge.
Blockchain analysis firm Chainalysis today said it participated in an operation that recovered a portion of the cryptocurrency stolen from the bridge, a sidechain built for the play-to-earn game Axie Infinity. Hackers the FBI has fingered as Pyongyang’s Lazarus Group stole more than $600 million worth of ether and USDC from Ronin in March.
The Department of the Treasury in August prohibited anyone under U.S. jurisdiction from transacting with Tornado Cash, which pools deposits from many users so that later withdrawals cannot be linked to the depositing address, making tracing of stolen cryptocurrency hard or impossible. Treasury says cybercriminals used the service to launder more than $7 billion worth of cryptocurrency. A lawsuit filed in federal court today seeks an injunction against the sanctions, arguing that the mixer also provides legitimate blockchain privacy (see: Coinbase Bankrolls Lawsuit Fighting Tornado Cash Sanctions).
Rather than run funds through Tornado Cash – as it already has for large portions of the Ronin haul – Lazarus Group is now attempting to obfuscate funds by “chain hopping,” swapping them between several different cryptocurrencies and blockchains within a single transaction, Chainalysis says. “Lazarus Group carried out hundreds of similar transactions across several blockchains to launder the funds they stole from Axie Infinity,” writes Erin Plante, a Chainalysis senior director of investigations.
Much of the funds stolen from Axie Infinity remain unspent in cryptocurrency wallets under the hackers’ control, she adds. “This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we’re confident it won’t be the last.”
In March 2022, Ronin Network said attackers drained 173,600 ether (ETH) and 25.5 million USDC, worth nearly $615 million at the time. They breached Ronin security by gaining access to validator private keys, which they used to sign fraudulent withdrawals.
An attacker took control of validator nodes on the Ronin blockchain, which is operated by Sky Mavis and the Axie DAO, the company said at the time. Ronin Network powers the gaming marketplace for Axie Infinity, an NFT-driven game operated by Vietnam-based Sky Mavis. Gamers can create a Ronin wallet through Sky Mavis’ website to make in-game purchases. Validator signatures are the chain’s security control over bridge deposits and withdrawals, but the attacker was able to find an entry point through a backdoor.
“In order to recognize a deposit event or a withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’ four Ronin Validators and a third-party validator run by Axie DAO,” the company said at the time.
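The 5-of-9 arrangement in the statement above is a threshold signature check, and the compromise succeeded because the attacker gathered enough keys to meet the threshold. The Go program below is an added example, not Sky Mavis or Ronin code, and makes no claim about how the real bridge contract is implemented: it builds a toy m-of-n withdrawal verifier using Ed25519 keys (an assumption for illustration; the real bridge runs on Ethereum-style ECDSA), and shows that four stolen validator keys are rejected, five are accepted, and one stolen key submitted five times is counted as only one validator. The chain ID, nonce, recipient and amount are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Validator set size and signature threshold, mirroring the 5-of-9 scheme
// described in the Ronin statement.
const (
	NumValidators = 9
	Threshold     = 5
)

// Withdrawal is the bridge event validators sign. ChainID and Nonce are
// assumed fields, included so a signed withdrawal cannot be replayed.
type Withdrawal struct {
	ChainID   uint64
	Nonce     uint64
	Recipient [20]byte
	Amount    uint64
}

// Bytes serializes the withdrawal into the fixed-layout message validators sign.
func (w Withdrawal) Bytes() []byte {
	buf := make([]byte, 44)
	binary.BigEndian.PutUint64(buf[0:8], w.ChainID)
	binary.BigEndian.PutUint64(buf[8:16], w.Nonce)
	copy(buf[16:36], w.Recipient[:])
	binary.BigEndian.PutUint64(buf[36:44], w.Amount)
	return buf
}

// Signature pairs a validator index with that validator's signature.
type Signature struct {
	Validator int
	Sig       []byte
}

// Bridge holds the validator public keys and the signature threshold.
type Bridge struct {
	Validators []ed25519.PublicKey
	Threshold  int
}

// Verify accepts a withdrawal only if at least Threshold distinct validators
// produced valid signatures over it; repeats of one validator count once.
func (b *Bridge) Verify(w Withdrawal, sigs []Signature) bool {
	msg := w.Bytes()
	seen := make(map[int]bool)
	for _, s := range sigs {
		if s.Validator < 0 || s.Validator >= len(b.Validators) || seen[s.Validator] {
			continue
		}
		if ed25519.Verify(b.Validators[s.Validator], msg, s.Sig) {
			seen[s.Validator] = true
		}
	}
	return len(seen) >= b.Threshold
}

// NewBridge creates a fresh validator set and returns the bridge along with
// every validator's private key (the material an attacker would have to steal).
func NewBridge(n, threshold int) (*Bridge, []ed25519.PrivateKey, error) {
	pubs := make([]ed25519.PublicKey, n)
	privs := make([]ed25519.PrivateKey, n)
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		pubs[i], privs[i] = pub, priv
	}
	return &Bridge{Validators: pubs, Threshold: threshold}, privs, nil
}

// Sign has each validator in indices sign the withdrawal; an attacker calls
// this with whichever indices correspond to stolen keys.
func Sign(privs []ed25519.PrivateKey, indices []int, w Withdrawal) []Signature {
	msg := w.Bytes()
	out := make([]Signature, 0, len(indices))
	for _, i := range indices {
		out = append(out, Signature{Validator: i, Sig: ed25519.Sign(privs[i], msg)})
	}
	return out
}

// Simulate replays the compromise with constructed values: four stolen keys
// fail the threshold, five pass, and one stolen key repeated five times fails.
func Simulate() (fourAccepted, fiveAccepted, repeatAccepted bool, err error) {
	bridge, privs, err := NewBridge(NumValidators, Threshold)
	if err != nil {
		return false, false, false, err
	}
	w := Withdrawal{ChainID: 2020, Nonce: 1, Amount: 173_600} // constructed
	copy(w.Recipient[:], []byte("attacker-controlled!"))
	fourAccepted = bridge.Verify(w, Sign(privs, []int{0, 1, 2, 3}, w))
	fiveAccepted = bridge.Verify(w, Sign(privs, []int{0, 1, 2, 3, 8}, w))
	repeatAccepted = bridge.Verify(w, Sign(privs, []int{0, 0, 0, 0, 0}, w))
	return fourAccepted, fiveAccepted, repeatAccepted, nil
}

func main() {
	four, five, repeat, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("4 stolen keys accepted: %v\n5 stolen keys accepted: %v\n1 key repeated 5x accepted: %v\n",
		four, five, repeat)
}
```

The point the simulation makes is that a threshold is only as strong as the independence of the keys behind it: when four of the nine keys sit with one operator and a fifth is reachable through that operator's infrastructure, 5-of-9 collapses to a single point of compromise. The distinct-signer check in Verify is the separate, easy-to-miss guard against counting one key several times.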
The attackers used more than 12,000 addresses to launder the stolen funds, Chainalysis says in its latest update.