The notorious Lazarus group, a known North Korean state-sponsored threat actor, seems to have been behind the recent major Ronin network breach, the FBI has said.
Ronin network, a cryptocurrency bridge developed by the same company behind the hugely popular blockchain-based game, Axie Infinity, was attacked in late March 2022, with the attackers getting away with $625 million in various cryptocurrencies.
Now, according to Vice, the FBI and the US Treasury Department (USDT) have pinned this attack it on Lazarus, having updated its file on the attack with a wallet that had received the stolen funds, which it says belong to the group.
Fixing the bridge
The makers of the Ronin network, on the other hand, said it would take a little more time before they’d be able to bring the product back online.
“We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk,” the company wrote in a blog post. “We expect to deliver a full post mortem that will detail security measures put in place and next steps by the end of the month.”
The bridge is expected to resume operations “by the end of the month”.
The wallet flagged by USDT currently holds 148,000 ETH, which is more than $447 million at press time. The wallet’s owners sent 3,302.6 ETH, or approximately $10 million, to another address, earlier this week. The wallet’s details can also be found on the blockchain explorer Etherscan, where it’s been labeled as “involved in a hack targeting the Ronin bridge”.
The hack saw 173,600 ether (the native currency of the Ethereum blockchain) and 25.5 million USD Coin stolen, totalling $625 million in value. Some commentators have suggested this may be the largest single heist in crypto history.
Given the blockchain’s transparent nature, the Ronin Network was able to quickly establish that the funds were taken from its endpoints on March 23. However, only after a user reported being unable to withdraw 5,000 ether did the team notice the breach.
An investigation revealed the attacker had used hacked private keys to forge fake withdrawals, the organization explained. It would seem that no viruses were used in the attack.