The U.S. Treasury Department has tied the North Korean hacking group Lazarus to the theft of more than $600 million in cryptocurrency from a software bridge used for the popular Axie Infinity play-to-earn game.
The department added an Ethereum wallet address tied to the group to its sanction list on Thursday. More than $86 million of the stolen cryptocurrency from the Ronin bridge has moved from the wallet through a service called Tornado Cash that allows anonymous token transfers, data show.
The Treasury, according to a spokesperson, worked with the FBI to find the wallet, the use of which could expose other virtual currency users to the threat of U.S. sanctions.
The FBI said in a statement that an investigation had determined that the hacking outfits Lazarus Group and APT38, both associated with North Korea, were behind the theft. The bureau added that such crimes generate revenue for the North Korean regime.
The Treasury spokesperson, speaking on condition of anonymity, said secondary sanctions could be imposed on anyone who tries to support the regime of Kim Jong Un through money laundering, the counterfeiting of goods or currency, bulk cash smuggling, or narcotics trafficking. The penalties would also apply to people who attempt to help any senior official of that government.
The hack was likely the largest ever in the cryptocurrency world. The software bridge was built to reduce the traffic and cost on the Ethereum blockchain caused by the popularity of Axie Infinity, which was created by Vietnam-based developer Sky Mavis. The bridging technology has been under fire after more than $1 billion worth of cryptocurrencies were stolen in a little more than a year from crypto bridges.
North Korean cybercriminals launched several attacks on crypto platforms that extracted nearly $400 million of digital assets last year, according to a Chainalysis report. Many of the attacks were carried out by the Lazarus Group, the research firm noted.
Meanwhile, blockchain data shows that 28,000 Ether associated with Ronin bridge hack were transferred to Tornado Cash.
Data shows that these funds were moved from the main wallet used by hackers to different wallets. On those new wallets, batches of transactions of 100 Ether were made to Tornado Cash.
Ronin noted on its website that the FBI attributed Lazarus Group to the breach and Treasury has sanctioned the address. Sky Mavis representatives didn’t immediately respond to a request for comment.
The Treasury spokesperson said the department is looking to publish crypto cybersecurity guidelines to help guard against illicit activity.
—With assistance from Olga Kharif
More Must-Read Stories From TIME