
Chainalysis helps authorities seize $30m of Ronin hack‑related cryptocurrency
With the assistance of blockchain analytics firm Chainalysis, law enforcement seized cryptocurrency worth more than $30 million that was stolen in the March 2022 hack of the Ronin sidechain.
15/ This seizure represents a huge milestone: The first time ever that cryptocurrency stolen by a North Korean hacking group has been recovered. Check out our latest blog for the full story. https://t.co/lpbFUlXNJt
— Chainalysis (@chainalysis) September 8, 2022
The Lazarus Group's attack on Ronin, the sidechain that serves the Axie Infinity game, became one of the largest in the industry. The attackers gained control of five of the network's nine validator keys, enough to meet the signing threshold, and used them to approve two withdrawals: 173,600 ETH and 25.5 million USDC, worth about $625 million at the time.
Following the hack, the attackers began laundering the funds through more than 12,000 different crypto addresses, Chainalysis noted.
Researchers identified the typical scheme used by the North Korean group to launder crypto assets. It consisted of five stages:
- the stolen ETH was sent to intermediate wallets;
- the ETH was run in batches through the Tornado Cash mixing service;
- the mixed ETH was swapped for Bitcoin;
- the Bitcoin was sent through a Bitcoin mixer;
- finally, the Bitcoin was deposited on trading platforms to cash out.
According to Chainalysis, the hackers replicated this process with most of the stolen funds.
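As an added illustration of how such a flow is followed, the Python sketch below runs a forward taint trace over a small constructed ledger and collapses each flagged exchange deposit into the stage sequence described above. This is example code, not Chainalysis tooling and not Ronin chain data: the addresses, transaction ids, amounts and role labels are all invented. The links out of the two mixer addresses stand in for the amount/timing heuristics that real tracing needs in order to cross a mixer, so paths that pass through a mixer are flagged as lower confidence.

```python
"""Forward taint tracing over a constructed transaction graph (example only)."""
from collections import defaultdict, deque

# Constructed ledger, not real chain data: (tx_id, sender, receiver, asset, amount).
LEDGER = [
    ("t01", "exploiter",  "hop1",       "ETH", 100.0),  # stage 1: intermediate wallets
    ("t02", "hop1",       "hop2",       "ETH", 100.0),
    ("t03", "hop2",       "mixer_eth",  "ETH", 100.0),  # stage 2: mixer deposit
    ("t04", "mixer_eth",  "hop3",       "ETH",  99.0),  # assumed demix link (heuristic)
    ("t05", "hop3",       "swap_svc",   "ETH",  99.0),  # stage 3: swap ETH -> BTC
    ("t06", "swap_svc",   "btc1",       "BTC",   7.0),
    ("t07", "btc1",       "mixer_btc",  "BTC",   7.0),  # stage 4: Bitcoin mixer
    ("t08", "mixer_btc",  "btc2",       "BTC",   6.9),  # assumed demix link (heuristic)
    ("t09", "btc2",       "exchange_a", "BTC",   6.9),  # stage 5: exchange deposit
    ("t10", "alice",      "bob",        "ETH",   1.0),  # unrelated traffic
    ("t11", "bob",        "exchange_a", "ETH",   1.0),  # clean deposit, must not be flagged
]

# Constructed address labels (in practice: attribution data from clustering/KYC).
LABELS = {
    "mixer_eth": "mixer",
    "mixer_btc": "mixer",
    "swap_svc": "swap",
    "exchange_a": "exchange",
}


def build_graph(ledger):
    """Adjacency list: sender -> list of (tx_id, receiver, asset, amount)."""
    graph = defaultdict(list)
    for tx_id, sender, receiver, asset, amount in ledger:
        graph[sender].append((tx_id, receiver, asset, amount))
    return graph


def trace_taint(ledger, labels, origin):
    """Breadth-first forward trace from `origin`.

    Returns {address: {"hops": n, "path": [tx ids], "via_mixer": bool}}.
    An edge leaving a labelled mixer is only in this toy ledger because we put
    it there; on a real chain that link is a heuristic, so every address reached
    through a mixer is flagged via_mixer=True (lower confidence).
    """
    graph = build_graph(ledger)
    seen = {origin: {"hops": 0, "path": [], "via_mixer": False}}
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        info = seen[addr]
        for tx_id, nxt, _asset, _amount in graph.get(addr, []):
            if nxt in seen:          # first path found wins (BFS = fewest hops)
                continue
            seen[nxt] = {
                "hops": info["hops"] + 1,
                "path": info["path"] + [tx_id],
                "via_mixer": info["via_mixer"] or labels.get(addr) == "mixer",
            }
            queue.append(nxt)
    return seen


def stage_sequence(path, ledger, labels):
    """Collapse a tx path into the labelled services it passes through.

    Unlabelled hops count as one leading "intermediate" stage; later unlabelled
    wallets (e.g. a fresh address after a mixer withdrawal) are not separate stages.
    """
    by_id = {tx[0]: tx for tx in ledger}
    stages = []
    for tx_id in path:
        receiver = by_id[tx_id][2]
        role = labels.get(receiver)
        if role is None:
            role = "intermediate"
            if stages:
                continue
        if not stages or stages[-1] != role:
            stages.append(role)
    return stages


def cash_out_points(ledger, labels, origin):
    """Exchange deposits fed by tainted funds: the points where a seizure request goes."""
    taint = trace_taint(ledger, labels, origin)
    hits = []
    for tx_id, sender, receiver, asset, amount in ledger:
        if labels.get(receiver) == "exchange" and sender in taint:
            path = taint[sender]["path"] + [tx_id]
            hits.append({
                "tx": tx_id, "exchange": receiver, "asset": asset, "amount": amount,
                "hops": len(path), "via_mixer": taint[sender]["via_mixer"],
                "stages": stage_sequence(path, ledger, labels),
            })
    return hits


if __name__ == "__main__":
    for hit in cash_out_points(LEDGER, LABELS, "exploiter"):
        print(hit)
```

On the constructed data the trace reports a single flagged deposit (`t09`, 6.9 BTC into `exchange_a`) with the stage sequence intermediate, mixer, swap, mixer, exchange, and it does not flag the unrelated `bob` deposit into the same exchange. A real investigation replaces the two assumed demix links with correlation analysis and treats `via_mixer` paths as leads to corroborate, not proof.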
In early August, the U.S. Treasury sanctioned Tornado Cash for laundering cryptocurrency, including more than $455 million stolen by the Lazarus Group. Since then, the group has turned to DeFi services that let it move between blockchains and between asset types in a single transaction.
As an example, the researchers cited one such operation with stolen funds: the hackers bridged ETH from Ethereum to BNB Chain, swapped it for USDD, and moved the stablecoins to the BitTorrent network.
The researchers noted that tracking the stolen assets was greatly aided by the inherent transparency of public blockchains. The seizure of more than $30 million was the result of collaboration between the Chainalysis team and law enforcement, together with coordination with the exchanges where the funds were deposited for cashing out.
According to the company, this is the first confiscation of Lazarus Group-linked cryptocurrency.
Most of the stolen Ronin assets remain in wallets controlled by the attackers, the experts emphasised.
Earlier, SlowMist researcher ₿liteZero had likewise concluded that the sidechain's hackers converted a significant portion of the cryptocurrency to Bitcoin, using privacy tools along the way.