Law enforcement agencies and cryptocurrency organizations have recovered more than $30 million worth of cryptocurrency stolen by North Korean-linked hackers in several separate seizures over the past few months, according to blockchain analysis firm Chainalysis.
The recovered funds were stolen by the Lazarus Group as part of a March $620 million virtual currency heist of a blockchain project, Ronin Network, linked to online game Axie Infinity. Law enforcement was able to seize approximately 10 percent of the total funds stolen from Axie Infinity, accounting for price differences between the time stolen and seized, according to Chainalysis, which monitors and analyzes blockchain activity, both on legitimate marketplaces and exchanges and on illegitimate ones.
Chainalysis said collaboration across private and public sectors and further transparency around cryptocurrency transactions can help law enforcement better crack down on similar illegal money laundering activities.
“Cryptocurrency’s transparency is instrumental to investigating hacks like the one suffered by Axie Infinity,” said Erin Plante, senior director of Investigations with Chainalysis, in a Thursday post. “Investigators with the right tools can follow the money to understand and disrupt a cybercrime organization’s laundering activities. This would never be possible in traditional financial channels, where money laundering usually involves networks of shell companies and financial institutions in jurisdictions that may not cooperate.”
After the Lazarus Group gained access to five private keys held by transaction validators – which verify transactions on a blockchain – for Ronin Network, they used the keys to approve two withdrawal transactions. From there, they laundered the funds using over 12,000 different crypto addresses. In order to hide their tracks, the Lazarus Group used a mix of processes that included sending stolen Ether to intermediary wallets, mixing it in batches, swapping it for Bitcoin, mixing it again before finally depositing that Bitcoin to crypto-to-fiat services for cashout.
One of the well-known cryptocurrency mixers used here by the Lazarus Group is Tornado Cash, which the U.S. Treasury recently sanctioned, saying it was used to launder more than $7 billion in illicit virtual currency payments. Plante said since these sanctions, Lazarus group has instead been using decentralized finance (DeFi) services to chain hop (where cryptocurrency is converted and funds are moved across blockchains, all in rapid succession, to make tracking more difficult).
“Bridges serve an important function to move digital assets between chains and most usage of these platforms is completely legitimate,” said Plante. “Lazarus appears to be using bridges in an attempt to obscure [the] source of funds.”
U.S. authorities have made some headway in their ability to track and seize illicit cryptocurrency funds from various cybercrimes. The seizure announcement comes months after the Department of Justice (DoJ) in July said it disrupted the activities of a North Korean state-sponsored group, known for deploying the Maui ransomware, and seized $500,000 from the actors in May. Just a month after the May 2021 Colonial Pipeline ransomware attack, the DoJ announced it had seized a large portion (63.7 bitcoins, valued at $2.3 million at the time) of the total ransom paid in the attack (75 bitcoins). In February, the DoJ seized $3.6 billion in Bitcoin connected to the 2016 Bitfinex hack – the largest recovery of stolen assets in cryptocurrency ever. Overall, the Internal Revenue Service’s criminal investigation unit seized $3.5 billion in cryptocurrency during fiscal 2021.