North Korean Lazarus Hackers: The mastermind behind the infamous Ronin Hack - Gate.io Blog (2024)

In late March, P2E gaming platform Axie Infinity's Ronin network fell victim to an attack that drained it of over 600 million USD. The Ronin hack has been described as the largest exploit in DeFi history. The US Treasury Department has alleged that North Korea's Lazarus hackers were behind the breach.

This is not the first time these individuals have been linked to a significant case of cyber theft. Over the past decade, the US has placed the blame for various similar heists on the Lazarus hackers. This, of course, raises the question:

What is the Lazarus Group?


The Lazarus hackers are state actors belonging to the Democratic People's Republic of Korea. They are a cybercrime group that has pulled off a series of attacks under the direction of the North Korean government. The group has been active since 2009 and rose to fame in 2014 after compromising entertainment company Sony Pictures. They grew even more notorious two years later, in 2016, when they hit the Central Bank of Bangladesh and carted off about $81 million.

In 2021, blockchain research company Chainalysis attributed up to $1.75B worth of looted crypto to the actions of the cybercrime syndicate, a figure that has no doubt risen significantly since then. In 2020, the Lazarus group breached crypto exchange KuCoin and made off with virtual currency valued at $275 million, half of all the crypto stolen that year.

Interestingly, the Lazarus hackers reportedly are not usually driven by money, a feature that sets them apart from similar groups. These state actors have stolen sensitive information and carried out sabotage and various other operations to benefit the DPRK politically or economically.

Since 2006, several nations have banded together to impose sanctions on North Korea to curb its hostile nuclear ambitions and cut off funding to its weapons of mass destruction (WMD) programs. These bans have barred the exportation of various items and prevented the DPRK from importing crude oil and refined petroleum products.

However, in a UN report earlier this year, members alleged that North Korea was funding itself through multiple cyber-attacks and may have amassed up to $400m worth of crypto assets through these hacks. The UN reportedly looked into at least 35 exploits by DPRK cyber actors across 17 countries.

The Ronin exploit is the Lazarus Group's biggest heist to date. The attack on Bangladesh's Central Bank would have held this title, as the hackers originally planned to make off with $1B; by a fluke, they were unsuccessful. Let's take a closer look at the hack that occupies this position instead:

Details of the Ronin Exploit


Sky Mavis, as the platform's dev team is known, confirmed via tweet that Axie Infinity's Ronin blockchain had experienced a security breach on the 23rd of March. The Ronin bridge allows for cross-chain interoperability on the platform.

Gamers can deposit currencies such as ETH or the stablecoin USDC in exchange for NFT items or the in-game currency. The bridge also facilitates the sale of in-game assets, letting users withdraw funds. Shortly after the exploit, the developers halted all transactions on the network. The hackers had made off with 173,600 Ethereum (roughly $600 million) and 25.5 million USDC, altogether totalling $625 million.

According to an official release from the team, the attackers used compromised private keys that gave them access to the network's validator nodes. The Ronin blockchain comprises nine validator nodes; to complete a transaction (deposit or withdrawal), five of these need to give their approval. The hackers had gained control of four of the network's validators plus the third-party validator signature managed by the Axie DAO.

With those five signatures in hand, the malicious actors forged withdrawals using the compromised private keys and pulled off the biggest hack the crypto space has seen thus far.

How Ronin Network was Compromised


It is worth noting that the Axie Infinity developers did not discover the attack until March 29, six days after it had occurred. One of the platform's users had attempted to withdraw 5,000 ETH from the network; they were unable to and filed a report with the team.

According to Sky Mavis' release, the attack traced back to November 2021. The team needed the Axie DAO's assistance in distributing free transactions following a massive influx of users. The DAO permitted (allowlisted) Sky Mavis to sign off on a slew of transactions in its stead.

This was no longer necessary by the end of the year; however, the team never revoked the allowlist access. Through the platform's gas-free RPC node, the attacker found a backdoor into the system and obtained the DAO validator signature. With it, they proceeded to drain the platform of over $600M.
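As an added illustration (not Sky Mavis's code), the following constructed model captures the approval logic described in the two passages above: a five-of-nine validator threshold in which a stale allowlist lets one compromised party's key fill a second validator slot. Validator labels, the signer name, the expiry height and the raised threshold are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Signature:
    signer: str         # key that actually produced the signature
    on_behalf_of: str   # validator slot the signature is claimed for

@dataclass
class Delegation:
    delegate: str       # key allowlisted to sign for the principal
    expires_at: int     # constructed block height after which it is void
    revoked: bool = False

@dataclass
class BridgeApprovalPolicy:
    validators: frozenset
    threshold: int
    delegations: dict = field(default_factory=dict)  # principal -> Delegation

    def allowlist(self, principal, delegate, expires_at):
        self.delegations[principal] = Delegation(delegate, expires_at)

    def revoke(self, principal):
        self.delegations[principal].revoked = True

    def approving_validators(self, sigs, now):
        # distinct validator slots that the signatures validly cover
        approved = set()
        for s in sigs:
            if s.on_behalf_of not in self.validators:
                continue  # unknown slot: ignore
            if s.signer == s.on_behalf_of:
                approved.add(s.on_behalf_of)  # validator signed for itself
                continue
            d = self.delegations.get(s.on_behalf_of)
            # a delegated signature counts only while the allowlist entry is live
            if d and d.delegate == s.signer and not d.revoked and now <= d.expires_at:
                approved.add(s.on_behalf_of)
        return approved

    def can_execute(self, sigs, now):
        return len(self.approving_validators(sigs, now)) >= self.threshold

def ronin_scenario(now, threshold=5, revoked=False):
    # constructed 9-slot validator set: eight labelled slots plus the Axie DAO
    validators = frozenset({f"v{i}" for i in range(1, 9)} | {"axie-dao"})
    policy = BridgeApprovalPolicy(validators, threshold)
    policy.allowlist("axie-dao", "skymavis-rpc", expires_at=200)  # Nov 2021 grant
    if revoked: policy.revoke("axie-dao")  # the cleanup that never happened
    # attacker holds four validator keys plus the allowlisted Sky Mavis signer
    sigs = [Signature(f"v{i}", f"v{i}") for i in range(1, 5)]
    sigs.append(Signature("skymavis-rpc", "axie-dao"))  # one key fills a fifth slot
    return policy.can_execute(sigs, now)
```

Revoking the delegation, letting it expire, or raising the threshold each drops the attacker below the approval count, which is why an allowlist entry should carry an expiry and be removed the moment its purpose ends.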

How did Sky Mavis Respond?


The attack came to the dev team's attention six days after it occurred. However, Sky Mavis took swift steps to mitigate the damage once they became aware. Let's take a look at some of those steps:

To guard against future exploits, one of the first moves the Axie Infinity team made was increasing the validator threshold. Various individuals who weighed in on the matter questioned why the team had set it at 5 in the first place. After raising the number to 9, Sky Mavis clarified that the initial decision was because some nodes hadn't caught up with the chain or were stuck in the syncing process.

They have shared plans to widen the validator set as time goes on. In addition to this, Sky Mavis began migrating the nodes to a whole new framework. The team also temporarily shut down the Ronin bridge; in their report, Sky Mavis noted that they would reopen it once they were positive the attackers could no longer steal funds.

Furthermore, to be on the safe side, crypto exchange platform Binance cut its connection to the Ronin network. Sky Mavis contacted security teams at top exchanges and enlisted Chainalysis to track down the stolen crypto.

The team stated they were working with law enforcement officials and assured affected users they would be reimbursed whether or not the funds were recovered.

How the FBI Tied the Lazarus Hackers to the Ronin Exploit


Two weeks ago, working alongside the FBI, the US Department of Treasury placed sanctions on three wallet addresses tied to the state-backed Lazarus Group and APT38. Following this, blockchain data firm Chainalysis noted that one of the sanctioned addresses had ties to the original wallet used in the attack.

These wallets had received significant portions of the stolen funds, which security teams had tracked following the exploit. Investigations are still underway; according to Elliptic, the hackers have laundered about 18% of the stolen funds, while $9.7 million of the funds remain in intermediary wallets ahead of laundering.

Conclusion


Following the hack, it came to public attention that the P2E gaming platform Axie Infinity had been experiencing a massive outflow of users. Some have attributed the loss to the recent exploit; however, data shows that even before then, the platform's daily active users (DAU) had already nosedived from 8 million to a paltry 1 in comparison.

While the hack may not be the primary factor, it undeniably has played a role since then. Axie Infinity will likely see more users exit as trust in the platform declines. However, Sky Mavis has assured users of reimbursement, and a funding round involving investors Binance, Animoca Brands, Paradigm and others has raised $150 million.

Binance CEO Changpeng "CZ" Zhao also shared in a tweet that the exchange had recovered $5.8 million worth of funds that the hacker's wallet address had sent. In coordination with the Department of Treasury and various government institutions, the FBI has expressed its intention to continue combating the DPRK's illicit activities, including cybercrime.

Author: Gate.io Observer M. Olatunji
Disclaimer:
* This article represents only the views of the observers and does not constitute any investment suggestions.
* Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.
