Despite how enormous it was, the Axie Infinity heist marked only the latest chapter in the story of North Korean financial cybercrime.

Sky Mavis, the developer of popular nonfungible token (NFT) video game Axie Infinity, lost hundreds of millions of dollars in assets when they were stolen by hackers on March 23. The attack occurred via a breach of the Ronin bridge that exists as part of the Ronin Network sidechain (also developed by Sky Mavis).

The breach occurred when attackers gained control of a series of validator nodes attached to Axie Infinity to conduct fake withdrawals. Hackers stole 173,600 Ethereum and 25.5 million USD Coin, worth approximately $620 million at the time (and about $375 million as of this writing).
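The validator-quorum model that guards bridge withdrawals, as an added illustration that is not part of the original article or of any Sky Mavis code: a constructed k-of-n signature check (HMAC with per-validator secrets stands in for real digital signatures; the validator count, threshold and daily limit are assumed values chosen for the example) showing why control of a quorum of validator keys is sufficient to authorize an arbitrary withdrawal, paired with a bridge-side policy that holds unusually large withdrawals for out-of-band review even when a quorum has signed.

```python
import hashlib
import hmac
import json

# Constructed validator set: name -> signing secret (assumed values, not any real bridge's).
VALIDATORS = {f"validator-{i}": hashlib.sha256(f"secret-{i}".encode()).digest() for i in range(9)}
THRESHOLD = 5          # assumed quorum size for this example
DAILY_LIMIT = 1_000    # assumed cap on funds released per day before manual review


def withdrawal_message(dest: str, amount: int, nonce: int) -> bytes:
    """Canonical encoding so every validator signs exactly the same bytes."""
    return json.dumps({"dest": dest, "amount": amount, "nonce": nonce}, sort_keys=True).encode()


def sign(validator: str, msg: bytes) -> str:
    """Validator-side approval. HMAC is a stand-in for an asymmetric signature."""
    return hmac.new(VALIDATORS[validator], msg, hashlib.sha256).hexdigest()


def quorum_reached(msg: bytes, sigs: dict) -> bool:
    """Count distinct validators whose signature verifies; forged or unknown ones do not count.

    sigs is keyed by validator name, so one validator can never contribute more than one vote.
    """
    valid = {v for v, s in sigs.items() if v in VALIDATORS and hmac.compare_digest(sign(v, msg), s)}
    return len(valid) >= THRESHOLD


def release_decision(dest: str, amount: int, nonce: int, sigs: dict, released_today: int) -> str:
    """Bridge-side decision: 'reject' (no quorum), 'hold' (quorum, but over the daily cap) or 'release'.

    The hold step is the defensive point: a quorum of keys alone should not be able to drain the
    bridge in one transaction; anything over the cap waits for review outside the validator set.
    """
    if not quorum_reached(withdrawal_message(dest, amount, nonce), sigs):
        return "reject"
    if released_today + amount > DAILY_LIMIT:
        return "hold"
    return "release"


def demo() -> dict:
    """Routine withdrawal vs. one signed by a compromised quorum asking for far more than usual."""
    small = withdrawal_message("0xrecipient", 10, 1)
    large = withdrawal_message("0xattacker-controlled", 500_000, 2)
    quorum = list(VALIDATORS)[:THRESHOLD]  # five keys, whether honestly held or compromised
    return {
        "routine": release_decision("0xrecipient", 10, 1, {v: sign(v, small) for v in quorum}, 0),
        "drain": release_decision("0xattacker-controlled", 500_000, 2, {v: sign(v, large) for v in quorum}, 0),
    }
```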

Three weeks after the initial attack and two weeks after it was disclosed, the FBI formally attributed the attack to the Lazarus Group and APT38, nation-state threat groups tied to the North Korean government.

The Axie Infinity heist is not the first cryptocurrency heist for the Democratic People’s Republic of Korea (DPRK). Blockchain analytics firm Chainalysis reported that last year the country stole nearly $400 million in at least seven attacks against cryptocurrency platforms. The North Korean government also has a lengthy history with financially motivated cybercrime.

But the Axie Infinity hack represents an enormous theft on behalf of Kim Jong Un’s regime, and acts as the latest in a long line of big-game heists against cryptocurrency platforms.

The reason for these attacks, based on conversations with experts on both cryptocurrency and North Korea, appears to be a combination of opportunity and a highly adaptive offensive cyberoperation.

Axie Infinity artwork showcasing its virtual pet characters.

An unconventional nation-state threat

North Korea is a small, insular nation with an estimated population of 25 million people. Despite its size, the country’s enormous military and cybersecurity investments have made it one of the United States’ “big four” nation-state adversaries along with Russia, Iran and China.

CrowdStrike senior vice president of intelligence Adam Meyers told SearchSecurity last year that overwhelmingly, the goal of nation-state activity is to collect information. But while Iranian state hackers have conducted ransomware attacks and cryptocurrency mining and Russia is understood to utilize private ransomware gangs in some capacity, North Korea is the only major adversary that incorporates financial cybercrime into its offensive activities as a primary goal.

The aforementioned APT38 is a financially motivated actor that has been tracked by researchers since at least 2014. The group was responsible for the SWIFT banking transaction system attacks in 2018 that resulted in $100 million stolen and many other attacks. The Lazarus Group, meanwhile, was behind the WannaCry attacks in mid-2017. Both exist as part of the DPRK’s Reconnaissance General Bureau — responsible for the state’s covert military and intelligence operations.

Not all of its activity is financially motivated — the Lazarus Group was responsible for the infamous 2014 Sony Pictures hack — but government funding via cybercrime is generally unique to the DPRK.

Ari Redbord, head of legal and government affairs at blockchain fraud intelligence vendor TRM Labs, referred to North Korea as an “extraordinary case.”

“This is a tiny, tiny country with absolutely no economy, and is not a player on the global stage at all from an economic standpoint,” he said. “But what they uniquely realized was that they could, by building a cybercriminal …….

Source: https://www.techtarget.com/searchsecurity/news/252518378/Axie-Infinity-hack-highlights-DPRK-cryptocurrency-heists
