Treasury Updates Lazarus Group Sanctions With Digital Currency Address Linked To Ronin Bridge Hack

Written by Joe Warminsky

The US Treasury Department on Thursday extended its sanctions against North Korean state-backed hackers known as the Lazarus Group with information that links the group to a recent high-profile cryptocurrency theft.

The department’s Office of Foreign Assets Control (OFAC) said the sanctions are part of the Biden administration’s “persistently committed vision” to deal with North Korea’s financially motivated hacking. The OFAC designations included a digital currency address that cryptocurrency tracking firm Chainalysis linked to the March hack of Ronin Bridge, which connects the Axie Infinity video game to the Ethereum blockchain.

During the attack, the address cited by the Treasury received 173,600 coins in Ethereum and 25.5 million in USDC, a digital coin tied to the US dollar – approximately $600 million in total digital assets, Chainalysis said in a Twitter thread.

The Treasury announcement does not name any individuals, but the Lazarus Group and associated hacking teams have been linked to the Reconnaissance General Bureau (RGB), the main intelligence agency of the regime known as the Democratic People’s Republic of Korea (DPRK). The US government blamed the group for hacking Sony Pictures in 2014 and launching WannaCry 2.0 ransomware in 2017.

According to cybersecurity researchers and government officials, the main objective of the Lazarus Group is to support the country’s illicit weapons and missile programs. International sanctions intended to punish Pyongyang’s development of nuclear weapons have left the communist country isolated from the global economy.

Cybersecurity researchers and financial security experts have warned in recent years that the Lazarus Group is making inroads into the cryptocurrency industry. Some of its projects were designed for theft; others aimed to gather more information about the people running the industry.

The Ronin Bridge attack disrupted a popular decentralized finance (DeFi) system that allowed Axie Infinity players to acquire and trade in-game digital assets.

“The attribution of the Ronin hack to the Lazarus Group underscores two industry needs that Chainalysis has previously highlighted: understanding how DPRK-affiliated threat actors mine crypto and better security for DeFi protocols,” said Chainalysis.

The Treasury said that the US Cyber Command and the Cybersecurity and Infrastructure Security Agency “have in recent months worked in tandem to release samples of malware to the private cybersecurity industry, several of which have subsequently been attributed to North Korean cyber actors, as part of an ongoing effort to protect the U.S. financial system and other critical infrastructure as well as to have the greatest impact on improving global security.”

The Treasury first sanctioned the Lazarus Group in 2019. The department’s actions also refer to two Lazarus subgroups known to cybersecurity researchers as Bluenoroff and Andariel.

Sylvia B. Polson