“Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29th,” the FBI said in a statement. “DPRK” is an abbreviation for North Korea’s official name, the Democratic People’s Republic of Korea, and Ethereum is a technology platform associated with a type of cryptocurrency.
The FBI was referring to the recent hack of a computer network used by Axie Infinity, a video game that allows players to earn cryptocurrency. Sky Mavis, the company that created Axie Infinity, announced on March 29 that unidentified hackers had stolen the equivalent of roughly $600 million — valued at the time of the hack’s discovery — on March 23 from a “bridge,” or network that allows users to send cryptocurrency from one blockchain to another.
The US Treasury Department on Thursday sanctioned Lazarus Group, a wide swath of hackers believed to work on behalf of the North Korean government. Treasury sanctioned the specific “wallet,” or cryptocurrency address, that was used to cash out on the Axie Infinity hack.
Cyberattacks have been an important source of revenue for the North Korean regime for years as its leader, Kim Jong Un, has continued to pursue nuclear weapons, according to a United Nations panel and outside cybersecurity experts.
North Korea last month fired what is believed to be its first intercontinental ballistic missile in more than four years.
Lazarus Group has stolen an estimated $1.75 billion worth of cryptocurrency in recent years, according to Chainalysis, a firm that tracks digital currency transactions.
“A hack of a cryptocurrency business, unlike a retailer, for example, is essentially bank robbery at the speed of the internet and funds North Korea’s destabilizing activity and weapons proliferation,” said Ari Redbord, head of legal affairs at TRM Labs, a firm that investigates financial crime. “As long as they are successful and profitable, they will not stop.”
While many cybersecurity analysts’ attention has been on Russian hacking in light of the war in Ukraine, suspected North Korean hackers have been far from quiet.
Researchers at Google last month disclosed two different alleged North Korean hacking campaigns targeting US media and IT organizations, and cryptocurrency and financial technology sectors.
Google has a policy of notifying users who are targeted by state-sponsored hackers.
Shane Huntley, who leads Google’s Threat Analysis Group, said that if a Google user has “any link to being involved in Bitcoin or cryptocurrency” and they get a warning about state-backed hacking from Google, it almost always ends up being North Korean activity.
“It seems to be an ongoing strategy for them to supplement and make money through this activity,” Huntley told CNN.