Norway Seizes Millions in North Korean Crypto


Norwegian authorities have tracked and intercepted 60 million kroner ($5.9m) in cryptocurrency stolen last year by North Korean actors, in the largest heist of its kind ever recorded.  

The Scandinavian country’s economic and environmental crime agency (Økokrim) claimed that the North Korean threat actors have been carrying out a massive money laundering operation ever since the March 2022 raid on Ronin Network.

“Økokrim is good at following money. This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods,” said Økokrim state attorney, Marianne Bender.

“We work with FBI specialists on tracking cryptocurrency. Such cooperation between countries means that we as a society stand stronger in the fight against digital, profit-motivated crime.”

Ronin Network was built by Vietnamese blockchain game developer Sky Mavis to function as an Ethereum sidechain for its Axie Infinity game.

However, Pyongyang-backed APT group Lazarus was able to breach the firm’s network after an employee opened a malicious phishing email attachment. The hackers took an estimated $618m in cryptocurrency and hard cash in the world's biggest ever cyber-heist.

Økokrim’s success comes a few months after investigators said they managed to seize $30m in funds stolen from Ronin.

Blockchain analysis firm Chainalysis, which was involved in the operation, also claimed that North Korean hackers are using crypto mixer Tornado Cash to help launder the funds stolen in the attack.

These efforts have an added urgency given that North Korea is likely to use any stolen cryptocurrency to fund a fast-growing missile program.

“This is money that can support North Korea and their nuclear weapons program. It has therefore been important to track the cryptocurrency and try to stop the money when they try to withdraw it in physical values,” said Bender.

The recently seized money will be returned to Sky Mavis so that it can reimburse some of its affected customers.
