More than $30 million worth of cryptocurrency plundered by the North Korea-linked Lazarus Group from online video game Axie Infinity has been recovered, marking the first time digital assets stolen by the threat actor have been seized.
"The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains," Erin Plante, senior director of investigations at Chainalysis, said.
The development arrives more than five months after the crypto hack resulted in the theft of $620 million from the decentralized finance (DeFi) platform Ronin Network, with the attackers laundering a majority of the proceeds – amounting to $455 million – through the Ethereum-based cryptocurrency tumbler Tornado Cash.
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
The March 2022 cryptocurrency heist resulted in losses totaling 173,600 ETH worth about $594 million at the time and $25.5 million in USDC stablecoin, making it the biggest cryptocurrency theft to date.
Although Tornado Cash has emerged as a popular tool for anonymizing virtual currency transactions, its abuse by malicious actors such as the Lazarus Group to cash out the illicitly obtained assets has landed it in the crosshairs of the U.S. government, which imposed sanctions against the service last month.
The blockchain analytics firm said that the blocklisting forced the adversary to move away from the mixer in favor of DeFi services such as crypto bridges to chain hop and move digital assets between chains in a bid to obscure the trail of funds.
"The hacker bridged ETH from the Ethereum blockchain to the BNB chain and then swapped that ETH for USDD, which was then bridged to the BitTorrent chain," Plante said, detailing the switch between several different kinds of cryptocurrencies in a single transaction to launder the stolen funds.
The Lazarus Group is a prolific advanced persistent threat (APT) that's driven by efforts to support North Korea's operational goals, which comprises espionage and generating revenue for the sanctions-hit nation by striking financial institutions. Most of the cyber operations are conducted by elements within the Reconnaissance General Bureau.
The seizure also comes as six users of Tornado Cash, including Coinbase employees, filed a lawsuit this week against the U.S. Treasury Department, Treasury Secretary Janet Yellen, and other officials over their decision to slap sanctions on the platform.
The crypto recovery is also indicative of the headway U.S. authorities have made in their ability to track and seize illicit cryptocurrency funds from various cybercrimes. In late July, the Justice Department announced the seizure of $500,000 worth of Bitcoin from a North Korean hacking crew which extorted digital payments from healthcare facilities by using a new ransomware strain known as Maui.