The connection was revealed today when the United States Department of the Treasury announced that it added a new Ethereum wallet address to its list of sanctions for the Lazarus Group. It’s the same wallet address that Axie Infinity creator Sky Mavis named as the Ronin attacker in late March.
CoinDesk first reported the news. A look at Ethereum wallet explorer Etherscan shows the label “Ronin Bridge Exploiter” for the wallet.
Sky Mavis has since acknowledged the connection in an update to its original post about the Ronin exploit. Blockchain analytics firms Chainalysis and Elliptic have similarly affirmed that the wallet address listed by the U.S. Treasury today is the same used in the Ronin exploit.
The FBI has labeled Lazarus as a “state-sponsored hacking organization,” and its earliest attacks date back to 2009. Lazarus is allegedly responsible for the 2017 WannaCry ransomware attack, 2014’s breach of Sony Pictures, and a series of attacks on pharmaceutical companies in 2020.
“It is somewhat unsurprising that this attack has been attributed to North Korea,” Elliptic wrote in a blog post. “Many features of the attack mirrored the method used by…