Hackers in $620m crypto heist desperate to cash out

North Korean bandits could end up with nothing as law enforcement officials work with players across the crypto space to intercept the loot.
Axie Infinity is an NFT-based online video game known for its in-game economy, which uses Ethereum-based cryptos. Image: AdobeStock

On March 23, hackers siphoned $540 million worth of Ether (ETH) and USD Coin (USDC) from the popular non-fungible token (NFT)-based game Axie Infinity to a digital wallet. By the time the exploit was publicly announced, the value of the crypto assets had risen to $620 million.

Not only had the North Korean hackers pulled off a brazen heist, but the value of the loot had increased 15% while they twiddled their thumbs.

Things have moved at a rapid pace since then, and these bandits may end up with nothing as law enforcement officials start to work with players at every level in the crypto space to intercept this loot.

The hack was termed the Ronin Bridge Exploit because it targeted the bridge that connected the Axie Infinity blockchain to the Ethereum blockchain.

Bridge hacks have plagued the cryptosphere lately, claiming over $1 billion in stolen funds in the last year alone.


Stealing crypto is not the same as stealing cash

Stealing crypto is not like stealing fiat money. Whereas the proverbial bank robber can launder the loot to buy a yacht, crypto thieves hit a dead-end when it’s time to cash out.

Every blockchain transaction is traceable to a wallet address and is publicly searchable on platforms such as Etherscan.

On April 14, the FBI named North Korea’s Lazarus Group as the hackers behind the Ronin Bridge Exploit. On the same day, the US Treasury’s Office of Foreign Assets Control (OFAC) put Lazarus Group, including its wallet address, on its Specially Designated Nationals sanctions list.

According to a blog post by cryptocurrency compliance firm Elliptic, such sanctions “prohibit US persons and entities from transacting with this address to ensure the state-sponsored group can’t cash out any further funds they continue to hold onto through US-based crypto exchanges”.

Mixing it up

To launder stolen crypto, thieves typically use something called a mixer, which is a decentralised protocol (a collection of smart contracts) that lets users send crypto – both dirty and clean – into it. The dirty crypto gets mixed with the clean crypto, thereby obscuring where the outgoing crypto originally came from.

Think of it like scrambling eggs. You throw six large eggs in and get a mix of egg coming out. There’s no way to tell which egg you’re eating in the end.

One of the most popular mixers is Tornado Cash, which has no owners and no administrators. It also lets people withdraw crypto from a completely different address than the one they used when they deposited it.

The exploiters’ wallet movements

On March 28, five days after the hack but one day before it was announced, money started to move out of the Ronin Bridge Exploiter’s wallet. There were three outbound transactions of 500 ETH ($167 145), the first at 14:30 UTC (Coordinated Universal Time) and the last at 14:36 UTC. This was followed by a 750 ETH transaction six hours later, and another two 750 ETH transactions in the following three hours. Slow and steady.

The outbound transactions were sent to different wallet addresses. Some of those addresses have since been labelled Ronin Bridge Exploiter 2, Ronin Bridge Exploiter 3 and so on.

From those addresses, the funds were initially transferred to centralised cryptocurrency exchanges (CEXes) such as Huobi and FTX.

On March 29, the hackers dipped their toes a bit deeper and withdrew two amounts of 1 250 ETH, the last one at 02:37 UTC.

On the same day, the Ronin Network announced that it had been compromised.

The wallet went quiet for six days.

Where the money went

When the CEXes announced that they would work with law enforcement to establish the hackers’ identity, the hackers’ strategy shifted, Elliptic reported.

On April 4, money started to move again, first to an intermediate address, and then to the Tornado Cash mixer (which breaks the visible link between depositor and withdrawer) instead of to the CEXes.

The first transaction was 1 000 ETH. Several days later, outbound transactions of slightly over 3 000 ETH, but no higher, started occurring.

Every Tornado deposit from the intermediate addresses was no higher than 100 ETH — small eggs for the scrambled egg mix.
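The movement pattern described above (exploiter wallet to intermediate addresses, then to a mixer contract in deposits capped at 100 ETH) is what a compliance or incident-response team traces on a public ledger. The following is an added example, not code from the article or from Elliptic: it walks a constructed ledger forward from a sanctioned address, marks every address the funds reach within a few hops, and flags mixer deposits at or under the cap. All addresses and transactions are placeholders constructed for the example.

```python
from collections import defaultdict, deque

# Constructed placeholders, not real Ronin or Tornado addresses.
EXPLOITER = "0xEXPLOITER_PLACEHOLDER"   # the sanctioned source wallet
MIXER = "0xMIXER_PLACEHOLDER"           # the mixer deposit contract
CEX = "0xCEX_PLACEHOLDER"               # a centralised exchange deposit address
SANCTIONED = {EXPLOITER}
MIXER_CAP_ETH = 100                     # deposit size the article says was never exceeded

# Constructed ledger: (tx_id, from, to, amount_eth). Mirrors the article's
# shape: exploiter -> intermediates -> exchange or mixer, plus one unrelated flow.
LEDGER = [
    ("t1", EXPLOITER, "0xINT_A", 500),
    ("t2", EXPLOITER, "0xINT_B", 750),
    ("t3", "0xINT_A", CEX, 500),
    ("t4", "0xINT_B", "0xINT_C", 1000),
    ("t5", "0xINT_C", MIXER, 100),
    ("t6", "0xINT_C", MIXER, 100),
    ("t7", "0xINT_C", MIXER, 100),
    ("t8", "0xOTHER_D", "0xOTHER_E", 40),   # unrelated, must not be flagged
]

def build_graph(ledger):
    """Adjacency list keyed by sender: sender -> [(receiver, tx_id, amount)]."""
    graph = defaultdict(list)
    for tx_id, src, dst, amount in ledger:
        graph[src].append((dst, tx_id, amount))
    return graph

def tainted_addresses(ledger, seeds, max_hops=3):
    """Breadth-first walk forward from the seed addresses.
    Returns {address: hops_from_nearest_seed} for every address reached."""
    graph = build_graph(ledger)
    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for dst, _, _ in graph[addr]:
            if dst not in hops:
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    return hops

def flag_transfers(ledger, seeds, mixer, cap):
    """Return (exposed, structured): tx ids touching a tainted address, and
    tx ids that are mixer deposits of at most `cap` ETH from a tainted address."""
    hops = tainted_addresses(ledger, seeds)
    exposed = [t for t, s, d, _ in ledger if s in hops or d in hops]
    structured = [t for t, s, d, a in ledger if d == mixer and s in hops and a <= cap]
    return exposed, structured
```

On a real chain the ledger would come from a node or an explorer API, and the hop limit and cap would be tuned to the case; the walk itself is the same.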

A convergence of catastrophes for the hackers

That cap of 3 000 ETH was obliterated on April 18 when the hackers transferred over 10 000 ETH out, worth almost $31 million at the time.

Two weeks earlier, that 10 000 ETH had been worth $5 million more.

Several factors converge here to paint a picture of what can only be described as desperation, or a sense of urgency, on the part of the hackers:

  • First, the outing of Lazarus Group on April 14 and the resultant sanctions that CEXes must abide by.
  • Second, on April 15, Tornado Cash announced in a tweet that it would also “block OFAC sanctioned addresses” from accessing Tornado.
  • And third: ETH’s price had fallen by $500.

The hackers gave up their drip strategy and opted for a Niagara Falls approach to emptying the wallet. On April 19, one transaction removed over 18 000 ETH, worth $56 million at the time. Today, that amount of ETH barely scrapes past $31 million.

This was followed by a spate of even more massive withdrawals: 21 000 ETH on April 21, and 33 000 ETH on April 24 which, at the time, was worth nearly $100 million.

A month earlier, it had been worth $118 million. Today, it’s worth less than half of that at $58 million.

The wallet now has only 1.7 ETH left in it.

Although ETH’s freefall wouldn’t begin until May 7, the wallet’s value on April 16 was already $57 million weaker than at the start of April.

Today, the entire heist would be worth only $319 million, compared to the $620 million reported on March 29.

The crypto is gone from the original wallet but the basic problem remains – how to turn it into hard cash. Even though the initial stash has been distributed across dozens of new addresses, the chances of remaining entirely hidden on a completely transparent, actively monitored protocol are slim, especially if the hackers want to cash out in a hurry.

R Paulo Delgado is a crypto writer with an eye for the bizarre and the human stories behind the always fascinating leaps and stumbles of this new asset class.
