$30 Million Recovered From Ronin Bridge Hack

Reading Time: 2 minutes
  • More than $30 million worth of cryptocurrencies stolen in the Ronin Bridge hack have been recovered
  • Chainalysis revealed yesterday at Axie Con how it was able to trace and recover the funds
  • This represents the first time Lazarus has been compromised in this way

$30 million has been recovered from the North Korean hackers who hacked the Ronin Bridge back in March. $540 million in cryptocurrencies was stolen by The Lazarus group, and while $30 million represents only a little over five percent of the haul, the principle is important – this is the first time any crypto has been recovered from a North Korean hacking group, a breakthrough that could be the first step on a very important road.

Chainalysis Revealed Seizure at Axie Con

News of the $30 million retrieval was broken yesterday at Axie Con by Erin Plante, Senior Director of Investigations at Chainalysis, alongside the Axie Infinity team. Plante explained how Chainalysis had worked with Axie and law enforcement to trace the funds and seize more than $30 million worth. In a write up published yesterday, Plante said the development “marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we’re confident it won’t be the last.”

Plante revealed that Lazarus gained access to five of the nine private keys held by Ronin transaction validators for the platform’s cross-chain bridge. They used these keys to approve two withdrawals – one for 173,600 ETH and and one for 25.5 million USDC. Chainalysis found that the laundering of these funds has leveraged over 12,000 different cryptocurrency addresses, demonstrating the hackers’ highly sophisticated laundering capabilities.

Lazarus’ Five-step Process

Plante revealed that The Lazarus Group’s laundering process typically has five stages:

  1. Stolen ETH sent to intermediary wallets
  2. ETH mixed in batches using Tornado Cash
  3. ETH swapped for bitcoin
  4. Bitcoin mixed in batches
  5. Bitcoin deposited to crypto-to-fiat services for cashout

Since OFAC’s ban on Tornado Cash, Lazarus has now pivoted to leveraging DeFi services to “chain hop”, switching between several different kinds of cryptocurrencies in a single transaction. Ironically in this case, Lazarus uses bridges to move digital assets between chains, although Plante said Chainalysis can easily trace these.

In this case, Lazarus bridged ETH from the Ethereum blockchain to the BNB chain and then swapped that ETH for USDD, which was then bridged over to the Bittorrent chain. The hacking group carried out hundreds of similar transactions across multiple blockchains to launder the funds they stole from Axie Infinity, in addition to the more conventional Tornado Cash-based prior to its banning.

With Chainlaysis now able to prove it can match such sophisticated hacking techniques, it remains to be seen how this cat and mouse game will play out when the next inevitable hack occurs.

Share