The United States has linked North Korean hackers to the theft of hundreds of millions of dollars’ worth of cryptocurrency tied to the popular online game Axie Infinity, the U.S. Treasury Department said on Thursday.
Ronin, a blockchain network that lets users transfer crypto in and out of the game, said digital cash worth almost $615 million was stolen on March 23.
The North Korean hacker group Lazarus is behind the theft of $250 million in cryptocurrency from South Korean exchanges Bithumb and Youbit in 2017, as well as $571 million from Japanese exchange Coincheck in 2018, the department said in a statement.
Lazarus is also responsible for the WannaCry ransomware attack that affected more than 230,000 computers in 150 countries in 2017, the Treasury Department said.
“Treasury is taking action against North Korean hacking activity that targets Americans and their financial information,” Treasury Secretary Steven Mnuchin said in the statement.
“We will continue to enforce existing sanctions and seek new authorities to bring additional financial pressure to bear on North Korea by identifying and sanctioning individuals and entities that support this activity.”
The United States has previously sanctioned Lazarus for its role in the WannaCry attack and for other malicious cyber activity.
In a new report, security firmFireEye says that it has uncovered evidence linking Lazarus to a string of attacks on cryptocurrency exchanges in South Korea and elsewhere. The thefts began in early 2017 and continued through 2018. In total, FireEye estimates that Lazarus has stolen more than $571 million worth of cryptocurrency.
The group appears to be targeting exchanges in order to cash in on the booming value of digital currencies. Bitcoin, for example, surged from around $1,000 at the start of 2017 to nearly $20,000 by the end of the year.
While the Lazarus group has been active for years, FireEye’s report is one of the first to definitively link it to cryptocurrency theft. The firm says that the group is using many of the same tools and techniques that it has employed in previous attacks.
“This activity represents a continued and sustained interest in and effort towards stealing virtual currency,” FireEye concludes.
The news comes as North Korea is facing increasing pressure over its nuclear and missile programs. The United States has imposed strict economic sanctions on the country in an attempt to force it to denuclearize.
It is not clear how North Korea is able to convert stolen cryptocurrency into cash, but the country is believed to have a sophisticated network of financial institutions and front companies that help it circumvent sanctions.
Crypto as Government Funds?
The CISA report also highlights how North Korea has been able to use these thefts to generate much-needed cash for the regime, despite international sanctions that have cut off its traditional sources of revenue.
“North Korea’s interest in cryptocurrency remains persistent despite the UNSC’s ban on exports of coal, iron, lead and seafood in August 2017,” the CISA report said.
“Cryptocurrency can be used to purchase goods outside of North Korea, which circumvents sanctions and allows for continued funding of the regime.”
The CISA report is likely to add to the mounting pressure on cryptocurrency exchanges to beef up their security measures, particularly when it comes to protecting themselves against phishing attacks.
In its public service announcement, the FBI warned that North Korean hackers were using “spear-phishing” emails that appeared to come from legitimate sources in order to gain access to exchange employees’ accounts.
The CISA report also recommends that exchanges take steps to “harden” their systems against malware attacks, such as the ones used by the Lazarus Group.