North Korean Lazarus Group compromised 5 of 9 Ronin validator private keys, enabling unauthorized withdrawals from the bridge.
Attackers compromised 4 Sky Mavis validator keys and 1 Axie DAO validator key through a spear-phishing attack on a Sky Mavis employee. With 5/9 signatures, they drained the Ronin bridge in two transactions. The hack went undetected for 6 days until a user reported inability to withdraw funds.
ETH sent to Tornado Cash mixer in batches. Some funds routed through Blender.io (later sanctioned). A portion converted to BTC via RenBridge. US Treasury sanctioned associated Ethereum addresses. Approximately $30M recovered by US DOJ in 2022.
0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a94467d0b7