North Korea Diversifies Into Ethereum Via Record Crypto Hack

The FBI has tied the recent Axie Infinity Ronin sidechain hack to the North Korean hacking group Lazarus.

An angry Axie

This week, the FBI released a statement attributing the recent Ronin bridge hack, the largest known instance of cryptocurrency theft, to the infamous North Korea-associated hacking organization Lazarus Group. Lazarus Group is known for its involvement in the WannaCry ransomware attacks and the Sony Pictures hack surrounding the movie “The Interview.”

The hack targeted Sky Mavis’ sidechain, Ronin. Sky Mavis is the company behind the largest NFT-based crypto game, Axie Infinity. Ronin was built to support scaling of the Axie Infinity ecosystem, which had run into scalability issues on Ethereum. The hack took place in March 2022 and resulted in over $620M of Ethereum and stablecoins being stolen. It took about a week after the funds were stolen before anyone noticed.

How Did the Hack Happen?

The security flaw that Lazarus took advantage of was simple: poor key management. The Ronin sidechain consists of 9 validators, and a transaction requires signatures from 5 of the 9 nodes to execute.

The hackers breached Sky Mavis’ centralized servers, which manage 4 of the 9 nodes. This alone is not enough to steal the funds, but according to Sky Mavis, the attack was possible because Sky Mavis and the Axie DAO used poor security practices to manage high player volume late last year: "Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC."

When the North Korean hackers breached Sky Mavis’s server, which normally housed 4 of the 9 keys, they found 5 multisig keys – enough to steal the funds.

A security audit likely would have flagged the inherent problem of a majority of the multisig keys being stored on a single server. Best practice is for each multisig key to be secured by a separate entity. Keeping a full signing quorum on a single server isn’t just bad practice; it was a $620M mistake.
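The failure described above is a custody problem, not a cryptographic one: the scheme was 5-of-9, but one operator held 4 keys outright plus a stale signing allowlist on a fifth. The following is an added example (not Sky Mavis or Ronin code) of the check an auditor would run over a key-custody inventory. The operator names, validator ids and the allowlist entry are constructed for illustration; the function reports any single operator whose effective reach, counting delegated signing rights transitively, meets the threshold.

```python
"""Threshold-multisig custody audit (added example, not Ronin/Sky Mavis code).

Models an m-of-n validator set, records which operator holds each validator
key and which operators may request signatures on another operator's behalf,
then reports operators whose compromise alone would yield a signing quorum.
"""
from collections import defaultdict

THRESHOLD = 5      # signatures required to approve a transaction (5 of 9, per the article)
N_VALIDATORS = 9


def effective_control(custody, delegations):
    """Return {operator: set of validator ids that operator can obtain signatures from}.

    custody:     {validator_id: operator}  - who holds the validator's private key.
    delegations: {grantor: {grantee, ...}} - grantees may have the grantor's
                 validators sign for them (an allowlist such as a gas-free RPC).
    Delegations are followed transitively; a forgotten allowlist still counts.
    """
    direct = defaultdict(set)
    for validator_id, operator in custody.items():
        direct[operator].add(validator_id)

    control = {}
    for operator in list(direct):
        reachable = {operator}
        frontier = [operator]
        while frontier:
            current = frontier.pop()
            for grantor, grantees in delegations.items():
                if current in grantees and grantor not in reachable:
                    reachable.add(grantor)
                    frontier.append(grantor)
        control[operator] = set().union(*(direct[r] for r in reachable))
    return control


def single_points_of_compromise(custody, delegations, threshold=THRESHOLD):
    """Operators whose systems alone hold (or can obtain) a quorum of signatures."""
    control = effective_control(custody, delegations)
    return sorted(op for op, keys in control.items() if len(keys) >= threshold)


def revoke(delegations, grantor, grantee):
    """Return a copy of the delegation map with one allowlist entry removed."""
    updated = {g: set(gs) for g, gs in delegations.items()}
    updated.get(grantor, set()).discard(grantee)
    return {g: gs for g, gs in updated.items() if gs}


# Constructed inventory mirroring the article's description (hypothetical ids/names).
CUSTODY = {
    "validator-1": "operator-A",   # four keys on one operator's infrastructure
    "validator-2": "operator-A",
    "validator-3": "operator-A",
    "validator-4": "operator-A",
    "validator-5": "dao-validator",
    "validator-6": "partner-1",
    "validator-7": "partner-2",
    "validator-8": "partner-3",
    "validator-9": "partner-4",
}
assert len(CUSTODY) == N_VALIDATORS

# Stale allowlist: the DAO validator still signs on operator-A's request.
STALE_ALLOWLIST = {"dao-validator": {"operator-A"}}


if __name__ == "__main__":
    print("with stale allowlist :", single_points_of_compromise(CUSTODY, STALE_ALLOWLIST))
    cleaned = revoke(STALE_ALLOWLIST, "dao-validator", "operator-A")
    print("after revocation     :", single_points_of_compromise(CUSTODY, cleaned))
    print("operator-A reach     :", len(effective_control(CUSTODY, cleaned)["operator-A"]))
```

Run against the constructed inventory, the audit names operator-A as a single point of compromise while the allowlist exists (4 held keys plus 1 delegated reach equals the threshold) and reports none once the delegation is revoked; note that operator-A still sits one key short of a quorum afterwards, which is why the article's "one key per entity" guidance matters as much as revoking stale access.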

Sky Mavis is expanding to 21 validator nodes and presumably changing its key management practices, though best practice would be not to tell the public exactly what those changes are.

The company also recently raised a $150M round led by Binance, including Animoca Brands, a16z, Dialectic, Paradigm, and Accel to make users whole, and reopen the bridge. The remainder of the money will be coming from the Axie balance sheet.

North Korea’s Portfolio

Per a report from the South Korean news outlet Chosun last year, North Korean hacker syndicates are suspected of stealing $1.7B over the last five years. According to Koh Myung-hyun at the Asan Institute for Policy Studies, "North Korea is using the stolen cryptocurrency from the perspective of long-term investment" and North Korea views crypto as "the only financial asset that can be gained while it is under tight economic sanctions."

Much of the hacked cryptocurrency came in the form of Bitcoin taken from crypto exchanges. Now North Korea has added some 175k Ethereum to its coffers.

The US State Department pledged up to $5M for information relating to the North Korean hacking operations.