U.S. Law Enforcement, Chainalysis Collaborate to Recover $30 million in Stolen Cryptocurrency

Bank building icon form lines, triangles and particle style design. Illustration vector

North Korea-linked cyber syndicates have stolen approximately $1 billion of cryptocurrency from DeFi (decentralized finance) protocols this year. But U.S. law enforcement recently seized $30 million back, marking the first time digital currency stolen by North Korean operatives has been recovered.

Note: DeFi refers to peer-to-peer financial services that take place on blockchains. DeFi allows users to take advantage of traditional banking services, such as borrowing, trading and lending, with increased anonymity and speed. (via Chainalysis)

$600 Million in Crypto Stolen

In a recent operation, the seized funds amounted to about 10 percent (accounting for price differences between time stolen and seized) of the more than $600 million in stolen cryptocurrency pilfered last March from Ronin Network, a sidechain built for the pay-to-play game Axie Infinity. Chainalysis and other organizations worked alongside law enforcement in the public/private action.

As Chainalysis senior director of investigations Erin Plante wrote in a blog post:

“This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we’re confident it won’t be the last. We have proven that with the right blockchain analysis tools, world-class investigators and compliance professionals can collaborate to stop even the most sophisticated hackers and launderers. There is still work to be done, but this is a milestone in our efforts to make the cryptocurrency ecosystem safer."

Lazarus Group Hits Axie Infinity Game

Lazarus Group, a cybercrime organization associated with the North Korean government, has been fingered as the operatives that lifted the funds from players of the Axie Infinity game. According to Chainanalysis, Lazarus gained access to five of the nine private keys held by “transaction validators for Ronin Network’s cross-chain bridge,” Plante wrote. They used this to approve two transactions, both withdrawals: one for 173,600 ether and the other for 25.5 million USD Coin. They then initiated their laundering process. At that point, Chainalysis began tracing the funds.

Chainalysis called the laundering process “highly sophisticated,” in that the hackers have leveraged more than 12,000 different crypto addresses to date.

Plante explains that disrupting a cybercrime is plausible:

“Investigators with the right tools can follow the money to understand and disrupt a cybercrime organization’s laundering activities. This would never be possible in traditional financial channels, where money laundering usually involves networks of shell companies and financial institutions in jurisdictions that may not cooperate.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.