Despite how enormous it was, the Axie Infinity heist marked only the latest chapter in the story of North Korean financial cybercrime.
Sky Mavis, the developer of popular nonfungible token (NFT) video game Axie Infinity, lost hundreds of millions of dollars in assets when they were stolen by hackers on March 23. The attack occurred via a breach of the Ronin bridge that exists as part of the Ronin Network sidechain (also developed by Sky Mavis).
The breach occurred when attackers gained control of a series of validator nodes attached to Axie Infinity to conduct fake withdrawals. Hackers stole 173,600 Ethereum and 25.5 million USD Coin, worth approximately $620 million at the time (and about $375 million as of this writing).
Three weeks after the initial attack and two weeks after it was disclosed, the FBI formally attributed the attack to the Lazarus Group and APT38, nation-state threat groups tied to the North Korean government.
The Axie Infinity heist is not the first cryptocurrency heist for the Democratic People’s Republic of Korea (DPRK). Blockchain analytics firm Chainalysis reported that last year that the country stole nearly $400 million in at least seven attacks against cryptocurrency platforms. The North Korean government also has a lengthy history with financially motivated cybercrime.
But the Axie Infinity hack represents an enormous theft on behalf of Kim Jong Un’s regime, and acts as the latest in a long line of big-game heists against cryptocurrency platforms.
The reason for these attacks, based on conversations with experts on both cryptocurrency and North Korea, appears to be a combination of opportunity and a highly adaptive offensive cyberoperation.
An unconventional nation-state threat
North Korea is a small, insular nation with an estimated population of 25 million people. Despite its size, the country’s enormous military and cybersecurity investments have made it one of the United States’ “big four” nation-state adversaries along with Russia, Iran and China.
CrowdStrike senior vice president of intelligence Adam Meyers told SearchSecurity last year that overwhelmingly, the goal of nation-state activity is to collect information. But while Iranian state hackers have conducted ransomware attacks and cryptocurrency mining and Russia is understood to utilize private ransomware gangs in some capacity, North Korea is the only major adversary that incorporates financial cybercrime into its offensive activities as a primary goal.
The aforementioned APT38 is a financially motivated actor that has been tracked by researchers since at least 2014. The group was responsible for the SWIFT banking transaction system attacks in 2018 that resulted in $100 million stolen and many other attacks. The Lazarus Group, meanwhile, was behind the WannaCry attacks in mid-2017. Both exist as part of the DPRK’s Reconnaissance General Bureau — responsible for the state’s covert military and intelligence operations.
Not all of its activity is financially motivated — the Lazarus Group was responsible for the infamous 2014 Sony Pictures hack — but government funding via cybercrime is generally unique to the DPRK.
Ari Redbord, head of legal and government affairs at blockchain fraud intelligence vendor TRM Labs, referred to North Korea as an “extraordinary case.”
“This is a tiny, tiny country with absolutely no economy, and is not a player on the global stage at all from an economic standpoint,” he said. “But what they uniquely realized was that they could, by building a cybercriminal organization, fight on a digital battlefield with some of the world’s superpowers. I think that is potentially very destabilizing for the geopolitical realm, and very, very dangerous.”
Experts SearchSecurity spoke with generally described North Korea as having a sophisticated offensive cyberoperation.
Aaron Arnold, a senior associate fellow at U.K. security and defense think tank Royal United Services Institute, said the country utilizes zero-day exploits to compromise large-scale targets like major banks and the aforementioned Sony Pictures, as well as a sophisticated intelligence-gathering operations that are typically directed at South Korea.
“It’s often the case that you see North Korea portrayed as unsophisticated backwater, and I think that paints the wrong picture,” he said. “I think the bottom line is that North Korea is a very sophisticated cyber actor that is very competent in the tools and the capabilities they have.”
Arnold, who previously served as the finance and economics expert on the United Nations Panel of Experts for DPRK sanctions, said revenue gained from North Korea’s cyber activities “does go directly to support the country’s ballistic missile and nuclear weapons programs.” This view is echoed by the UN panel’s March 2021 report.
But for as sophisticated as an offensive cybersecurity operation North Korea may have, Arnold said much of North Korea’s success with hacking exchanges stems from spear phishing campaigns. In other words, getting someone to click on a malicious link has earned the country enormous sums of money.
“The overwhelming majority of these attacks are not sophisticated,” he said. “They rely on abusing people’s trust. North Korea is doing this because it’s something that they’ve had great success in. They’re going to keep doing what they know works, and unfortunately they’ve been successful in gaining access to exchanges and duping end users into handing over the keys to their wallets.”
Recorded Future threat intelligence analyst Mitch Haszard had similar thoughts, though he added that it does not apply to every aspect of North Korea’s cyberoperations. He also referenced two examples of phishing schemes: fake job advertisements being sent to employees of cryptocurrency exchanges and malicious cryptocurrency wallet applications for end users to download.
“In terms of kind of big players out there, [North Korea is] not the top, but where they make up for that is in their relentlessness. They will try and try and try again, until they achieve some level of success,” he said. “A lot of these attacks are spear phishing. I would say that from what we’ve seen, a lot of these financial crimes tend to be low skill and focus more on the social engineering aspect.”
SearchSecurity attempted to contact the Democratic People’s Republic of Korea for comment but did not receive a response.
Cryptocurrency platform attacks
The platforms at the center of recent major cryptocurrency heists take many forms; in addition to games like Axie Infinity, investment services and cryptocurrency exchanges are common targets for thieves. Independently of North Korea, major cryptocurrency platform hacks have been a common trend in the past two years.
One exchange, BitMart, reported a cryptocurrency theft in December totaling approximately $150 million in assets, accomplished primarily thanks to a stolen private key. And in February, blockchain bridge Wormhole suffered a loss of 120,000 wrapped Ethereum (at the time worth around $300 million) at the hands of threat actors.
Specific to North Korea, Lazarus Group was credited with an attack against exchange KuCoin that cost roughly $275 million in 2020; Chainalysis said this one attack represented over half of the cryptocurrency stolen that year. Liquid, a Japanese exchange, also suffered an attack at the hands of North Korean-linked hackers resulting in a loss of approximately $97 million worth of cryptocurrency.
Arnold dated North Korea’s cryptocurrency-focused cyber attacks back to 2017 based on current knowledge. After that point, he said, “success begets success.”
Erin Plante, senior director of investigations at blockchain analytics firm Chainalysis, referred to the Axie Infinity attack as the largest cryptocurrency hack ever. Additionally, she said Chainalysis, which investigated the heist for Sky Mavis, has noticed a recent uptick in the scale of cryptocurrency attacks conducted by North Korea.
“We’ve been investigating DPRK-linked cryptocurrency hacks since 2017. And so while hacking is nothing new, we have seen an increase in the scale and sophistication of attacks recently,” she said. “From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%.”
Redbord said he was not surprised that the Axie Infinity hack was attributed to North Korean threat actors in part because the DPRK was an early adopter of cryptocurrency in the mid-2010s due to its money-laundering capabilities. Since then, he said, the country learned that the potential for financial fraud ballooned with the rise of cryptocurrency platforms.
“I think what they learned is that you can hack or attack cryptocurrency businesses to directly steal funds at the speed of the internet,” he said. “That’s important because in the age of the internet, a hack used to mean the loss of usernames and passwords. But in the age of crypto, a hack could essentially mean stealing hundreds of millions of dollars to fund destabilizing activity such as weapons proliferation. And I think that is why North Korea has gravitated to the space.”
Big-game heists aren’t new for North Korea. In the case of the SWIFT attacks, for example, the nation was aiming to steal over $1 billion before its grander ambitions were thwarted. Moreover, the successful theft of $600 million in cryptocurrency does not mean North Korea will have full access to $600 million; the significant fees involved in laundering and converting stolen cryptocurrency to something usable by the government can mean a much lower payday than the flashy $600 million figure.
Due to how obfuscated a majority of North Korea’s operations are, it is difficult — if not impossible — to say whether recent crypto platform attacks are the result of increased sophistication or simply opportunities.
Jason Bartlett, research associate at the Center for a New American Security, a national security think tank, said the Axie Infinity hack shows a trend of North Korea continuing to be “incredibly innovative and how they target and what they target.”
“You don’t necessarily need the nicest new MacBook to conduct a destructive cyber attack or to launch a massive cyber heist campaign — you just need really good coders and strong software abilities,” he said. “Those are two things that North Korea has.”
Looking forward, Bartlett said North Korea is diversifying and widening the circle of their cybertargets.
“What really seems to be increasing is their diversity and what they’re targeting and how they’re targeting it,” he said. “I think that the main goal will always be to try to steal as much cryptocurrency as possible, and I think they’re honestly going to target wherever they think that money is.”
In a piece Bartlett wrote for The Diplomat in December, he said the future of North Korean cybercrime would feature an increased focus on money laundering via decentralized finance (DeFi) platforms, services like certain exchanges and Axie Infinity that are more anonymous and less regulated due to the lack of a single entity in charge of assets.
Bartlett argued North Korea would also focus further on ransomware attacks, phishing attacks and additional cryptocurrency laundering techniques.
Hot market, flawed security
Shortly after the Axie Infinity attack occurred in late March, Sky Mavis published a Substack post that outlined everything known about the hack up until that point. According to the developers, nine validator nodes were required at the time for the Sky Mavis Ronin sidechain to recognize a withdrawal.
The attacker was able to gain control of five nodes, thanks to hacked private keys and a backdoor used for a fifth node controlled by Axie Infinity’s decentralized autonomous organization (DAO). This was not supposed to be possible, the company said.
“This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load,” the Substack post read. “The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.”
On April 27, Sky Mavis published a post-mortem that explained how the attack happened, how the issues were addressed and previously unmentioned insights. For example, it included the detail that Sky Mavis “didn’t have a proper tracking system for monitoring large outflows from the bridge, which is why the breach wasn’t discovered immediately.”
The vulnerability that enabled the attack was addressed with additional validator nodes, and Sky Mavis added a security roadmap to the post that includes audits, even more validator nodes, a zero-trust security model and more.
The security issues seen in Axie Infinity’s hack are far from uncommon in the world of cryptocurrency.
Some platform attacks occur at least in part due to reasons like stolen private keys and vulnerabilities being exploited. Many cryptocurrency holders also lose hundreds of thousands of dollars, or more, in assets thanks to basic social engineering attacks like phishing.
A number of cryptocurrency-focused companies like Axie Infinity were founded in the last five years and quickly scaled dramatically to the point where they handle millions — and in some cases billions — of dollars’ worth of transactions.
Erin PlanteSenior director of investigations, Chainalysis
Chainalysis’ Plante said this dramatic scaling can have a negative impact on security outcomes and called special attention to DeFi platforms.
“[There is a] lack of security around emerging DeFi platforms,” she said. “In the first three months of this year, hackers have stolen $1.3 billion from exchanges, platforms and private entities — and the victims are disproportionately in DeFi.”
One recent example was the attack on Beanstalk Farms, which robbed the DeFi platform of all its liquidity. The attacker essentially weaponized the platform’s own governance mechanism to inject malicious code into the protocol, which enabled them to withdraw all available funds. The Beanstalk attack highlighted how some DeFi startups have entered the market with questionable security postures and a bevy of threat actors looking to pull off heists.
“Almost 97% of all cryptocurrency stolen in the first three months of 2022 has been taken from DeFi protocols, up from 72% in 2021 and just 30% in 2020,” Plante said. “For DeFi protocols in particular, however, the largest thefts are usually thanks to faulty code. Code exploits and flash loan attacks — a type of code exploit involving the manipulation of cryptocurrency prices — has accounted for much of the value stolen outside of the Ronin attack.”
Plante recommended that DeFi platforms consider code audits, decentralized oracle providers and a rigorous approach to platform security. And on a more basic level, educating users to look out for social engineering attempts like phishing campaigns can go a long way.
Sky Mavis has not responded to SearchSecurity’s request for comment at press time.
Alexander Culafi is a writer, journalist and podcaster based in Boston.