The address of the Ronin attacker who stole $620 million was included in the sanctions list by the US Treasury Department. North Korean hacker group may be the mastermind behind it

A sanctions list released by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Thursday showed that the North Korean hacker group Lazarus and The $620 million Ronin hack is related to the...

The Ethereum address 0x098B716B8Aaf21512996dC57EB0615e2383E2f96 was added to the sanctions list, and the wallet tracker Nansen marked the address as "Ronin Bridge Exploiter", used by Ronin hackers, and currently holds nearly 148,000 ETH.

Sources said Thursday’s action was the first time OFAC had added a crypto wallet suspected of being held by Lazarus to its sanctions blacklist.

Sky Mavis has acknowledged the connection in its blog post about the Ronin vulnerability: "Today, the FBI attributed the North Korea-based Lazarus Group to the Ronin Validator security breach. The U.S. government, specifically the Treasury Department, has sanctioned the addresses that received the stolen funds." Sky Mavis is still adding additional security measures to mitigate future risks, with the goal of deploying Ronin Bridge by the end of the month, and promising a full post-mortem analysis at a later date.

Blockchain analysis firm Chainalysis confirmed that the wallet address listed by the U.S. Treasury Department is the same as the one used in the Ronin hack. Chainalysis tweeted that the address is "linked to the Ronin hack, and OFAC's update confirms that a North Korean cybercrime group was behind the March hack of Ronin Bridge."

Bitpush previously reported that on March 23, 2022, Ronin — a sidechain connected to the Ethereum blockchain that allows developers behind games Axie Infinity and Sky Mavis to support faster, lower-cost transactions — was hacked, and 173,600 ETH and $25.5 million in stablecoins were looted, worth $625 million at the time, making the case one of the largest hacking incidents in crypto history.

In the weeks since, Sky Mavis announced a $150 million funding round led by Binance to help compensate users affected by the attack. Sky Mavis will also compensate users through the company’s balance sheet, with the goal of recovering the stolen funds within the next two years.

The FBI has labeled Lazarus a "state-sponsored hacking group" with its earliest attacks dating back to 2009. Lazarus is allegedly linked to the 2017 WannaCry ransomware attack, the 2014 Sony Pictures invasion, and a series of hacks on pharmaceutical companies in 2020.

“It’s somewhat unsurprising that this attack has been attributed to North Korea, as many of the characteristics of this attack mirror methods used by the Lazarus Group in previous high-profile attacks, including the location of the victims, the attack method (involving social engineering), and the money laundering patterns used by the group following the incident,” Elliptic wrote in a blog post.

Elliptic reports that 18% of the stolen funds so far have been laundered by being sent to various crypto exchanges and Tornado Cash, a smart contract-driven service that mixes transactions to make them difficult to trace. The wallet still holds 147,753 ETH, worth approximately $444 million at press time.