April 24, 2025

Chainalysis helped seize $30 million in cryptocurrency stolen in the Ronin hack

  • September 9, 2022

Law enforcement, with the help of Chainalysis, a blockchain analytics company, seized more than $30 million in cryptocurrency stolen during the Ronin sidechain attack in March.

The attack by North Korean hackers from the Lazarus Group on Ronin, the network used by the Axie Infinity game, became one of the largest in the industry. The attackers gained access to five of the nine validator keys. They used this majority to approve two withdrawals: 173,600 ETH and 25.5 million USDC. The value of the stolen assets was $625 million at the time.

Chainalysis stated that after the attack, the hackers began a money laundering process involving more than 12,000 different crypto addresses.

The researchers identified a typical crypto-asset laundering scheme used by the North Korean group. According to them, it consisted of five stages:

  • stolen ether was sent to intermediate wallets;
  • coins were passed in batches through the Tornado Cash mixing service;
  • the asset was exchanged for bitcoin;
  • the bitcoin was sent to a cryptocurrency mixer;
  • in the final stage, the bitcoin was deposited on trading platforms to be cashed out.

According to Chainalysis, the hackers repeated this process with most of the stolen funds.

Earlier, in August, the US Treasury sanctioned Tornado Cash for laundering cryptocurrency, including more than $455 million linked to the Lazarus Group. From then on, the group began using DeFi services instead of the Ethereum mixer, moving between blockchains and different cryptocurrencies in a single transaction.

As an example, the researchers cited one such transaction involving stolen funds. In it, the hackers sent ETH from the Ethereum blockchain to BNB Chain over a bridge, exchanged it for USDD and transferred the stablecoins to the BitTorrent network.

The researchers noted that the inherent transparency of cryptocurrencies greatly helps in tracking stolen assets. The seizure of more than $30 million was the result of the Chainalysis team’s collaboration with law enforcement and coordination with the trading platforms through which the funds were to be cashed out.

According to the company, this is the first case in which cryptocurrency associated with the Lazarus Group has been seized.

Experts emphasized that most of the assets stolen from Ronin remained in wallets controlled by the attackers.

Recall that researcher ₿liteZero from SlowMist also concluded that the hackers behind the sidechain attack moved a significant portion of the cryptocurrency into bitcoin using transaction privacy tools.

Source: ForkLog
