North Korea’s ‘Lazarus’ Hacker Group and the $625M Ronin Network DeFi Exploit

Pundit Offers Ingenious Solutions To The Problems Plaguing Axie Infinity's Economy

U.S. officials have accused North Korea’s state-backed hacking collective ‘Lazarus Group’ of the unprecedented theft of $625 million in March from Ronin Network, the host of Axie Infinity.

According to an announcement on Thursday, the Treasury Department’s Office Of Foreign Assets Control issued new sanctions against an Ethereum wallet that allegedly belongs to the notorious hacker group. The move to sanction the said wallet was triggered after the hacker transferred about 18% of the loot to other wallets before sending it in batches to Tornado Cash last as seen on Etherscan.

Further, crypto research firm Chainalysis identified the said wallet address as receiving 13,600 ETH and 25.5 million USDC from the Ronin smart contract during the attack.

Updates to OFAC’s SDN designation for Lazarus Group confirm that the North Korean cybercriminal group was behind the March hack of Ronin Bridge, in which over $600 million worth of ETH and USDC was stolen.” Chainalysis tweeted on Thursday following the sanctions.

Tornado Cash is a fully decentralized non-custodial protocol that has become notorious for its great preference by criminals. The protocol allows private transactions by using smart contracts that accept token deposits from one address enabling their withdrawal from a different address. Apart from those contracts working as pools that mix all deposited assets, once the funds are withdrawn by a completely new address from those pools, the on-chain link between the source & the destination is broken making it extremely hard to track the lost funds.


As per a blog post by blockchain analytics firm Elliptic, the said sanctions prohibit U.S. entities from making transactions with the red-listed Ethereum account to block the exploiters from cashing out the stolen funds from any US-listed crypto exchange.

Following the U.S. sanctions, coin mixer Tornado cash said on Friday that it had added a tool developed by Chainalysis to automatically track and block crypto wallets falling under the U.S. Office of Foreign Assets Control (OFAC) sanction list.

C:\Users\Newton\Pictures\ALL\Screenshots\Screenshot (1024).png

The said move may, however, not achieve much according to Roman Semenov, one of the protocol’s founders. To him, although all transactions to Tornado Cash are recorded publicly and can be tracked on a block explorer, ”the smart contracts are immutable” meaning that it is technically impossible to enforce sanctions against the protocol.

The Ronin exploit has been one of the largest so far eclipsing that of Polynetwork in 2021 where $600 million worth of tokens was stolen(but later returned). Attacks on blockchain bridges by groups such as Lazarus have been on the rise over the past two years as blockchain networks become more interoperable. The North Korean group has also been linked to several other cyberattacks most of which demand a ransom in cryptocurrency.