Update: It's a hack the BBC calls "likely one of the biggest ever to hit the crypto world," and US officials say it looks Lazarus was behind it. That's the hacker group thought to be controlled by North Korea's main intelligence agency and believed to have been behind both the 2014 Sony Pictures breach and one two years later at Bangladesh's national bank. "We were able to confirm Lazarus Group and APT38, cyber actors associated with [North Korea], are responsible for the theft," the FBI says of the $600 million-plus heist from the crypto service linked to online game Axie Infinity. Pyongyang is thought to use the stolen currency to circumvent international sanctions and fund its nukes program. Our original story from April 6 follows:
Victims of cryptocurrency scams say one of the most infuriating aspects is the fact that they can observe their stolen assets being moved around—and in the case of last month's massive theft from online game Axie Infinity, a lot of people are watching. In what the Wall Street Journal likens to a "perverse spectator sport," blockchain technology is allowing people to witness the hackers' attempts to launder around $600 million in stolen cryptocurrency. Most of the funds are still in an address on the Ethereum blockchain. The equivalent of around $30 million has been shifted elsewhere in recent days, but experts say that with recent law enforcement efforts to crack down on money laundering, it could be tough for the hackers to access most of their ill-gotten gains.
Some of the funds were shifted to cryptocurrency exchanges, and around $12 million was transferred to a "mixer," which obscures the source of cryptocurrencies, though analysts wondering what the hackers' next steps will be say it could take years to launder the funds that way—and using mixers could lead to the scammers being scammed. "When there’s a hack like that, everyone is watching the wallets," Kimberly Grauer, at Chainalysis Inc. tells the Journal. "So you better damn well know what you’re going to do." In some cases, companies have offered hackers a few million dollars for the return of stolen cryptocurrencies.
Axie Infinity developer Sky Mavis says the hackers exploited a vulnerability in the "bridge" that allows players to transfer funds in and out of the game. Players can earn funds in the game by fighting—or breeding—their Axie characters, though the company says the bridge will be shut for at least a few weeks, CNN reports. In the meantime, crypto exchange Binance is helping players make Ethereum deposits and withdrawals. The exchange has also contributed to a round of funding that raised $150 million to compensate Axie Infinity players who lost funds in the hack. (Read more cryptocurrency stories.)