Lazarus Group Behind $540 Million Ronin Hack

Reading Time: 2 minutes
  • North Korean hackers Lazarus were behind the recent Ronin Network hack
  • The FBI has fingered the prolific hackers for the $540 million hack
  • The validator nodes were likely socially engineered

The North Korean hacking group Lazarus was behind the $540 million hack on the Ronin bridge, according to the FBI. The Ethereum address to which the stolen ETH was sent was yesterday added to the US Treasury’s Office of Foreign Assets Control (OFAC) blacklist, with blockchain analytics firms Chainalysis and Elliptic confirming that Lazarus was once more behind the hack. The group has been involved in several cryptocurrency hacks in the last few years, with confirmation coming earlier this year that its ballistic weapons program has been directly funded by Lazarus’ crypto crimes.

Lazarus Bypassed Ronin Validation

Sky Mavis’ Ronin network bridge was breached on March 23 when 173,600 ETH and 25.5 million USDC were stolen, although the theft wasn’t discovered until six days later. The total value of the stolen coins at the time of the theft was $540 million, making it the second largest crypto theft of all time.

Sky Mavis said in a postmortem that Lazarus hackers managed to acquire the private keys of five of the nine Ronin validators of the Ronin Bridge which they used to bypass the validation process and steal the funds. Imagine nine people guarding a literal bridge, each with a separate key, and you need at least five of the nine keys to cross the bridge. Lazarus hackers managed to steal those five keys and let themselves across.

Sky Mavis added that “all evidence points to this attack being socially engineered, rather than a technical flaw”, proving that human beings are, once again, the point of weakness in a system and reinforcing the power in Satoshi Nakamoto’s design of Bitcoin over other more insecure blockchains.

Tornado Cash Used to Launder Funds

Elliptic yesterday issued an update on how Lazarus is washing its money, with centralized exchanges clubbing together to block all addresses associated with the hack. This has led the group to use Ethereum-based mixer Tornado Cash to launder most of it:

ronin money laundering

Elliptic also called it “somewhat unsurprising” that Lazarus has been fingered as the group responsible for the attack, with many features mirroring the group’s modus operandi, including the location of the victim (Sky Mavis is a Vietnamese company, and Lazarus typically targets Asia), the attack method (social engineering of some sort), and the laundering pattern utilized by the group after the event.