Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime

North Korea Avoids Tornado Cash After US Imposes Sanctions

Chainalysis Says It Helped Recover $30 Million in Hacked Ronin Bridge Crypto
North Korea Avoids Tornado Cash After US Imposes Sanctions

Sanctions imposed by the United States on Tornado Cash are causing North Korean hackers to avoid the cryptocurrency mixer, helping law enforcement seize back $30 million stolen from the Ronin cryptocurrency bridge.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

Blockchain analysis firm Chainalysis today said it participated in an operation that recovered a chunk of the cryptocurrency stolen from the bridge, a sidechain built for the play-to-earn game Axie Infinity. The hackers, who the FBI has fingered as Pyongyang's Lazarus Group, stole more than $600 million in Ethereum from Ronin in March.

The Department of the Treasury in August prohibited anyone under U.S. jurisdiction from transacting with Tornado Cash, which pool funds and randomly distributes them to destination wallets in a bid to make tracing stolen cryptocurrency hard or impossible. Treasury says cybercriminals used the service to launder more than $7 billion worth of cryptocurrency. A lawsuit filed in federal court today seeks an injunction on the sanctions, arguing that the mixer also contributes to blockchain privacy (see: Coinbase Bankrolls Lawsuit Fighting Tornado Cash Sanctions).

Rather than run funds through Tornado Cash - as it already has for large portions of the Ronin haul - Lazarus Group is now attempting to obfuscate funds by switching them between several different kinds of cryptocurrencies in a single transaction, Chainalysis says. "Lazarus Group carried out hundreds of similar transactions across several blockchains to launder the funds they stole from Axie Infinity," writes Erin Plante, a Chainalysis senior director of investigations.

Much of the funds stolen from Axie Infinity remain unspent in cryptocurrency wallets under the hackers' control, she adds. "This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we're confident it won't be the last."

Attack Timeline

In March 2022, Ronin Network said attackers hijacked 173,600 ethereum and $25.5 million in U.S. currency, totaling to nearly $615 million. They breached Ronin security by gaining access to private keys, which they used to forge fake withdrawals.

An attacker took control of the validator nodes on the Sky Mavis and Axie DAO-operated Ronin blockchain, the company said at the time. Ronin Network powers the gaming marketplace for Axie Infinity, an NFT-driven game that is operated by Vietnam-based Sky Mavis. Gamers can create a Ronin wallet through Sky Mavis' website to make intergame purchases. Validators moderate activity on the chain as a security measure, but the attacker was able to find an entry point through a backdoor.

"In order to recognize a deposit event or a withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis' four Ronin Validators and a third-party validator run by Axie DAO," the company said at the time.

In April, Treasury sanctioned cryptocurrency wallets used by the attackers to receive stolen funds.

The attackers used more than 12,000 addresses to launder the stolen funds, Chainalysis says in its latest update.

About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.