blog.chainalysis.com
104.196.239.80  Public Scan

Submitted URL: https://info.chainalysis.com/NTAzLUZBUC0wNzQAAAGG3TmOrRloQ4msZQ_QIgCbYWfTcPOePT76MSr2DxjD2oysD22Df-7R3DqQCvEHLn5iU2Tnv2g=
Effective URL: https://blog.chainalysis.com/reports/axie-infinity-ronin-bridge-dprk-hack-seizure/?mkt_tok=NTAzLUZBUC0wNzQAAAGG3TmOreIT8Cmg-Q...
Submission: On September 15 via api from US — Scanned from DE

Chainalysis in Action


$30 MILLION SEIZED: HOW THE CRYPTOCURRENCY COMMUNITY IS MAKING IT DIFFICULT FOR
NORTH KOREAN HACKERS TO PROFIT

September 8, 2022 | By Erin Plante

One of the most troubling trends in crypto crime right now is the stunning rise
in funds stolen from DeFi protocols, and in particular cross-chain bridges. Much
of the value stolen from DeFi protocols can be attributed to bad actors
affiliated with North Korea, especially elite hacking units like Lazarus Group.
We estimate that so far in 2022, North Korea-linked groups have stolen
approximately $1 billion of cryptocurrency from DeFi protocols.

But today I had the privilege of joining the Axie Infinity team on stage at
AxieCon to deliver some good news: With the help of law enforcement and leading
organizations in the cryptocurrency industry, more than $30 million worth of
cryptocurrency stolen by North Korean-linked hackers has been seized. This marks
the first time ever that cryptocurrency stolen by a North Korean hacking group
has been seized, and we’re confident it won’t be the last. 

These are the results thus far of our investigation following the March 2022
theft of more than $600 million from Ronin Network, a sidechain built for the
play-to-earn game Axie Infinity.

I am proud to say that the Chainalysis Crypto Incident Response team played a
role in these seizures, utilizing advanced tracing techniques to follow stolen
funds to cash-out points and liaising with law enforcement and industry players
to quickly freeze funds. 

The seizures represent approximately 10% of the total funds stolen from Axie
Infinity (accounting for price differences between time stolen and seized), and
demonstrate that it is becoming more difficult for bad actors to successfully
cash out their ill-gotten crypto gains. We have proven that with the right
blockchain analysis tools, world-class investigators and compliance
professionals can collaborate to stop even the most sophisticated hackers and
launderers. There is still work to be done, but this is a milestone in our
efforts to make the cryptocurrency ecosystem safer. 

So, how did we do it? Here’s what we can share now. 


HOW THE RONIN BRIDGE WAS HACKED & THE STOLEN FUNDS WERE LAUNDERED

The attack began when the Lazarus Group gained access to five of the nine
private keys held by transaction validators for Ronin Network’s cross-chain
bridge. They used this majority to approve two transactions, both withdrawals:
one for 173,600 ether (ETH) and the other for 25.5 million USD Coin (USDC). They
then initiated their laundering process – and Chainalysis began tracing the
funds. The laundering of these funds has leveraged over 12,000 different crypto
addresses to date, which demonstrates the hackers’ highly sophisticated
laundering capabilities.

North Korea’s typical DeFi laundering technique has roughly five stages: 

 1. Stolen Ether sent to intermediary wallets
 2. Ether mixed in batches using Tornado Cash
 3. Ether swapped for bitcoin
 4. Bitcoin mixed in batches
 5. Bitcoin deposited to crypto-to-fiat services for cashout

Lazarus Group has replicated this process with large portions of Ronin’s stolen
funds. We can visualize it below using Chainalysis Reactor:



However, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) recently
sanctioned Tornado Cash for its role in laundering over $455 million worth of
cryptocurrency stolen from Axie Infinity. Since then, Lazarus Group has moved
away from the popular Ethereum mixer, instead leveraging DeFi services to chain
hop, or switch between several different kinds of cryptocurrencies in a single
transaction. Bridges serve an important function in moving digital assets
between chains, and most usage of these platforms is completely legitimate.
Lazarus appears to be using bridges in an attempt to obscure the source of
funds. With Chainalysis tools, these cross-chain fund movements are easily
traced.

We can use Chainalysis Storyline to see an example of how Lazarus Group utilized
chain-hopping to launder some of the funds stolen from Axie Infinity: 



Above, we see that the hacker bridged ETH from the Ethereum blockchain to the
BNB chain and then swapped that ETH for USDD, which was then bridged to the
BitTorrent chain. Lazarus Group carried out hundreds of similar transactions
across several blockchains to launder the funds they stole from Axie Infinity,
in addition to the more conventional Tornado Cash-based laundering we covered
above.


TRANSPARENCY AND COLLABORATION ARE KEY

Cryptocurrency’s transparency is instrumental to investigating hacks like the
one suffered by Axie Infinity. Investigators with the right tools can follow the
money to understand and disrupt a cybercrime organization’s laundering
activities. This would never be possible in traditional financial channels,
where money laundering usually involves networks of shell companies and
financial institutions in jurisdictions that may not cooperate.  

Even so, these seizures would not have been possible without collaboration
across the public and private sectors. Much of the funds stolen from Axie
Infinity remain unspent in cryptocurrency wallets under the hackers’ control. We
look forward to continuing to work with the cryptocurrency ecosystem to prevent
them and other illicit actors from cashing out their funds.

Axie Infinity, Money Laundering, North Korea, Ronin Bridge
