Treasury updates Lazarus Group sanctions with digital currency address linked to Ronin Bridge hack

The address received $600 million in Ethereum and other digital currency during the March attack, crypto-tracking company Chainalysis said.
North Korea
Students of the Pyongyang Jang Chol Gu University of Commerce watch footage on March 25, 2022, of the previous day's launch of the Hwasong-17 missile — North Korea's first ICBM test since 2017. (Photo by KIM WON JIN/AFP via Getty Images)

The U.S. Treasury Department expanded its sanctions against the North Korean state-backed hackers known as Lazarus Group on Thursday with information that links the group to a recent high-profile cryptocurrency theft.

The department’s Office of Foreign Assets Control (OFAC) said the sanctions were part of the Biden administration’s “persistent engagement vision” for confronting North Korea’s financially motivated hacking. OFAC’s designations included a digital currency address that cryptocurrency-tracking company Chainalysis linked to the the March hack of Ronin Bridge, which connects the Axie Infinity video game with the Ethereum blockchain.

During the attack, the address cited by Treasury received 173,600 in Ethereum coins and 25.5 million in USDC, a digital coin linked to the U.S. dollar — or about $600 million worth of digital assets total, Chainlaysis said in a Twitter thread.

Treasury’s announcement does not name any individuals, but Lazarus Group and related teams of hackers have been linked to the Reconnaissance General Bureau (RGB), the primary intelligence agency for the regime known as the Democratic People’s Republic of North Korea (DPRK). The U.S. government has blamed the group for the hack of Sony Pictures in 2014 and the launch of the WannaCry 2.0 ransomware in 2017.


Lazarus Group’s main goal, according to cybersecurity researchers and government officials, is to support the country’s illicit weapon and missile programs. International sanctions intended to punish Pyongyang’s development of nuclear weapons have left the communist country isolated from the world economy.

Cybersecurity researchers and financial security experts have been warning in recent years that Lazarus Group was making inroads into the cryptocurrency industry. Some projects were designed for theft, others were intended to gather more information about the people running the industry.

The attack on Ronin Bridge disrupted a popular decentralized finance (DeFi) system that allowed Axie Infinity players to acquire and trade digital assets within the game.

“The attribution of the Ronin hack to Lazarus Group underlines two industry needs Chainalysis has highlighted previously: Understanding of how DPRK-affiliated threat actors exploit crypto, and better security for DeFi protocols,” Chainalysis said.

Treasury said U.S. Cyber Command and the Cybersecurity and Infrastructure Security Agency “have in recent months worked in tandem to disclose malware samples to the private cybersecurity industry, several of which were later attributed to North Korean cyber actors, as part of an ongoing effort to protect the U.S. financial system and other critical infrastructure as well as to have the greatest impact on improving global security.”


Treasury first sanctioned Lazarus Group in 2019. The department’s actions refer to two Lazarus subgroups known to cybersecurity researchers as Bluenoroff and Andariel.

Latest Podcasts