Lazarus Group and the Axie Infinity hack.
A deep dive into how the largest crypto attack to date took place.
In April 2022 173,000 Ethereum and $25m in the USD Coin stablecoin were stolen from the Ronin bridge, part of the Axie Infinity in-game economy.
We take a detailed look at how the attack unfolded, the North Korean attackers known as the Lazarus group behind it, where the stolen funds are now and how this may be the first example of a sanctioned CryptoKitty NFT.
Axie Infinity and the Ronin bridge
Axie Infinity is a Non-Fungible Token (NFT) based game launched in 2018. Players mint or collect axolotl-style digital pets known as Axies, which are then bred or battled against other players.
It has been a massive hit in the cryptocurrency world, with its developer, the Philippines-based Sky Mavis, valued at over $3bn. The game was seen as the poster child for the ‘play to earn’ concept, where players get paid for playing the game.
One of the game's key features is having an in-game economy, based on Ethereum. This allowed players to rent their Axies to others, taking a percentage of their winnings as tradable tokens, as well as being able to buy and sell a range of other token-based items. An in-game economy isn’t much use without a means to link it to the real economy. This is achieved by the Ronin Fiat onramp and the Ronin bridge.
The Axie system connects to the fiat currency world via the Ronin Fiat onramp, which allows the purchase of Ronin tokens (RON). It works in one direction - taking fiat into the Axie Ronin Blockchain. If you want to move Ethereum into RON or to extract your earnings from Axie, the Ronin bridge is then your mechanism.
All blockchains develop in separate environments with their own purpose and rules, so they cannot communicate directly. Bridges are a key part of blockchain interoperability, connecting these separate ecosystems together. At its simplest a bridge is two smart contracts, one on each network it connects. When a token is sent into one smart contract it is frozen (locked) there, preventing it from being spent on that blockchain. The corresponding contract creates another token in its native form and deposits it into the user's wallet. This is similar to chips in a casino: you exchange cash for the casino's tokens.
The bridge smart contract held a large amount of Ethereum that had been exchanged for RON. This presented an opportunity for an attacker to transfer the Ethereum and other token-based assets out.
The attack
The attack began with a compromise of specific validator systems used by the Ronin network. Axie reported that the attack was socially engineered, rather than exploiting a technical flaw. This could cover a range of possibilities, from so-called spear-phishing emails to a user being tricked into providing access.
Underpinning the Ethereum network are validators, who perform a similar role to miners in a proof-of-work blockchain like Bitcoin. There are thousands of these across the Ethereum network. Blockchains based on Ethereum also have their own validators; in the case of the Ronin network, there were nine.
To exert control over a blockchain you can conduct what is called a 51% attack. If you control 51% of the validators available on a network, you control the consensus and therefore which transactions are validated. This is likely what occurred at Axie, with the attackers issuing forged transactions to the Ronin bridge and validating them using the five validator nodes they controlled.
At this point the attackers withdrew the 173,600 ETH and 25.5m in USD Coin (USDC) that was ‘frozen’ inside the Ronin bridge smart contract out onto the Ethereum network.
Not all of the attacks on the validator nodes were identical. The attackers compromised the private keys of four nodes and attacked a specific feature of the fifth decentralised node.
Several underlying issues allowed the attack to succeed. A small set of validators makes a 51% attack easier to conduct. The level of centralisation in the decentralised system, due to its small scale, worked against the network. It is a pure numbers game: the fewer validators in total, the fewer need to be compromised to reach the 51% required.
It is reported that several of the validator nodes were operated by the same entity, in the same region of the world. This would have made it much easier for the attackers, who only needed to compromise that entity and its systems.
A further issue that allowed the attack to succeed was the lack of a mechanism for detecting large outflows of funds within the Ronin bridge contract.
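To make the two weaknesses above concrete, here is an added example (not code from the post or from Ronin) modelling the bridge's 5-of-9 signature threshold beside the two controls the text says were missing: a check that signers span independent operators, and a cap on outflows per window. Validator names, the operator map, the 3-operator minimum and the 10,000 ETH limit are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Ronin's bridge released funds once any 5 of its 9 validators had signed (figures from the page).
THRESHOLD = 5
# Constructed validator names and operator map: the page reports several validators were
# run by one entity, which is the situation the operator-diversity check is meant to catch.
VALIDATORS = {f"validator-{i}": ("operator-A" if i <= 5 else f"operator-{i}") for i in range(1, 10)}
MIN_DISTINCT_OPERATORS = 3   # assumed policy, not a Ronin setting

@dataclass
class Withdrawal:
    to: str
    amount_eth: float
    signers: set = field(default_factory=set)

def signatures_sufficient(w: Withdrawal) -> bool:
    """The check the bridge actually applied: at least THRESHOLD distinct known validators signed."""
    return len({s for s in w.signers if s in VALIDATORS}) >= THRESHOLD

def operators_diverse(w: Withdrawal) -> bool:
    """Added control: the signers must belong to several independent operators."""
    return len({VALIDATORS[s] for s in w.signers if s in VALIDATORS}) >= MIN_DISTINCT_OPERATORS

@dataclass
class OutflowGuard:
    """Added control the page says was missing: a cap on what the bridge pays out per window."""
    window_limit_eth: float
    paid_in_window: float = 0.0

    def allow(self, amount_eth: float) -> bool:
        if self.paid_in_window + amount_eth > self.window_limit_eth:
            return False
        self.paid_in_window += amount_eth
        return True

def process_withdrawal(w: Withdrawal, guard: OutflowGuard) -> tuple[bool, str]:
    """Return (paid, reason); anything refused here should be held for a human, not dropped silently."""
    if not signatures_sufficient(w):
        return False, "insufficient validator signatures"
    if not operators_diverse(w):
        return False, "signers controlled by too few operators"
    if not guard.allow(w.amount_eth):
        return False, "exceeds outflow limit; hold for review"
    return True, "paid"

if __name__ == "__main__":
    # Constructed scenario mirroring the page: five keys from one operator sign a 173,600 ETH withdrawal.
    attack = Withdrawal("0xATTACKER_PLACEHOLDER", 173_600, {f"validator-{i}" for i in range(1, 6)})
    print(signatures_sufficient(attack))                      # True: the threshold alone passes
    print(process_withdrawal(attack, OutflowGuard(10_000)))   # refused by the added controls
```

Neither added control stops a key compromise, but either would have turned a silent drain into a held transaction with an alert attached.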
The attackers
The attack has been linked to the Lazarus group, well-known in cyber security circles, essentially as an alias for North Korean state-sponsored attackers. The group name has become synonymous with financially motivated attacks such as the WannaCry ransomware in 2017.
On the 14th of April the main Ethereum address which received stolen funds was added to the OFAC sanctions list. This essentially attributed the attack directly to the group.
North Korea is one of the world's poorest countries. It is a pariah state, isolated from the outside world. To have developed a technically sophisticated hacking group, responsible for some of the largest attacks worldwide, speaks to the necessity of financial cybercrime as a means to generate funds.
The group is linked to elements of the North Korean government’s Reconnaissance General Bureau. The Cyber Threat Intelligence community tracks several overlapping groups within North Korea, focusing on financial crime, espionage and disruptive attacks. Members of the group have been indicted in the United States.
Lazarus group activities started in earnest in 2014, after sanctions were imposed on the country in March 2013. These prevented bulk cash transfers and restricted access to international financial networks. Since then the group has been linked to the 2016 attack on Bangladesh Bank and many other financially motivated attacks, including against cryptocurrency exchanges.
The sanctions linked to the Axie attack claim that the attackers are based in the Potonggang District of the North Korean capital, Pyongyang. This is a possibility, but previously DPRK attackers have been located in China, where Internet infrastructure is more advanced.
Following the money
The first payment from the attack occurred on the 23rd of April around 13:30 GMT, moving 173,600 ETH to the attackers' address. In the 10 minutes from 13:54, $25.5m of USD Coin was moved from that address.
Over the following few weeks, mainly between the hours of 07:00 GMT and 19:00 GMT, the attackers moved funds from the attack. This included what seems like a slow-down during what could be usual lunchtime hours, indicating a group for which this is a professional job.
The attackers consolidated their takings into Ethereum. The USDC was likely swapped for ETH via Uniswap and the 1inch DeFi network, generating another 8,562 ETH.
The attacker moved over 100,000 ETH to five addresses, three of which are now sanctioned. The public nature of the Ethereum blockchain and the attention the attack had gained meant that the movement of funds was soon reported on social media. Binance reported that it had taken action against 86 accounts, freezing $5.6m of funds.
The sanctioned addresses moved just over 50,000 ETH at the time of writing, and another 58,695 ETH is held at two addresses that are not yet sanctioned, which may also have been intended for TornadoCash.
Approximately 63,000 ETH, or over $180m, was sent to the TornadoCash mixing service. These transfers seemed to use relays, and were made in 100 ETH increments to preserve their anonymity.
TornadoCash has now banned the Lazarus group from using its services via its frontend, as it blocks access from the addresses on the OFAC sanctions list. This is pragmatic: mixing services that did not follow US sanctions have previously been targeted for enforcement action. How effective this will be remains to be seen.
A third route for the funds was in transfers of 500 ETH and 600 ETH, with a repeated pattern of 1,250 ETH (or $36k), which were then broken up further into chunks of 50 ETH, or roughly $13,000, before being sent to the Huobi exchange. A single transfer made its way with the same pattern to the FTX exchange.
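The laundering patterns described in this section (fixed 100 ETH increments into a mixer, and 1,250 ETH lumps re-split into 50 ETH chunks for an exchange) are exactly what a tracing analyst looks for. This added example, which is not from the post, runs three simple detectors over a constructed transfer list; every address is a placeholder, not a real one.

```python
from collections import Counter, defaultdict

# Constructed transfer list (sender, receiver, ETH) echoing the patterns the post describes:
# 100 ETH increments into a mixer, and a 1,250 ETH lump split into 50 ETH chunks for an exchange.
# All addresses are placeholders, not real ones.
TXS = (
    [("attacker", "mixer", 100.0)] * 6
    + [("attacker", "hop-1", 1250.0)]
    + [("hop-1", "exchange", 50.0)] * 25
    + [("attacker", "hop-2", 500.0), ("attacker", "hop-3", 600.0)]
)

def repeated_fixed_transfers(txs, min_count=3):
    """Flag (sender, receiver, amount) triples that recur at least min_count times."""
    counts = Counter(txs)
    return {k: n for k, n in counts.items() if n >= min_count}

def split_patterns(txs, min_chunks=3):
    """Flag addresses that receive a lump sum and re-send it as equal-sized chunks.
    Returns {address: (chunk_size, chunk_count)} where the chunks account for the whole inflow."""
    inflow = defaultdict(float)
    out_sizes = defaultdict(Counter)
    for sender, receiver, amount in txs:
        inflow[receiver] += amount
        out_sizes[sender][amount] += 1
    found = {}
    for addr, sizes in out_sizes.items():
        for size, n in sizes.items():
            if n >= min_chunks and abs(size * n - inflow[addr]) < 1e-9:
                found[addr] = (size, n)
    return found

def mixer_exposure(txs, mixer):
    """Total ETH sent directly into the mixer address, per sender."""
    totals = defaultdict(float)
    for sender, receiver, amount in txs:
        if receiver == mixer:
            totals[sender] += amount
    return dict(totals)

if __name__ == "__main__":
    print(repeated_fixed_transfers(TXS))   # the 100 ETH and 50 ETH runs
    print(split_patterns(TXS))             # {'hop-1': (50.0, 25)}
    print(mixer_exposure(TXS, "mixer"))    # {'attacker': 600.0}
```

On real chain data the same functions run over decoded transfer events; the exchange-side use is to hold deposits from an address that split_patterns flags until its source of funds is reviewed.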
The attackers also seem to own a small number of NFTs including a CryptoKitty and various other token-based items.
This possibly makes CryptoKitties #1999952 the first NFT to be effectively sanctioned, as NFTs are now essentially property. These NFTs may have been ‘gifted’ as transfers to the attacker without the attackers' knowledge, and were not likely bought.
The future
The sanctions against the Ethereum addresses prohibit US persons and entities from transacting with them, to ensure the state-sponsored group can’t move any further funds it continues to hold through US-based crypto exchanges.
Several addresses that received and still hold funds are not sanctioned. There is the potential for these to be sanctioned directly in the coming weeks.
It is likely that the remaining funds will move, potentially via other mixing services or into more opaque currencies. The WannaCry ransomware, also linked to the Lazarus group, used Monero previously.
This attack represents an existential issue for Axie, as their RON tokens are now effectively unbacked by ETH or other currency. This could lead to a devaluation of the tokens inside the game, and recent fundraising to reimburse players is likely in part to support the value of the in-game economy as well as to get players back on their feet.
If you enjoyed this post then please share it! Alternatively, subscribe for a weekly review of the latest developments in crypto fraud, and sporadic deep dives into major stories like this one.