The Ronin Heist

How the North Korean cartel behind the largest hack in DeFi history launder their crypto.

Dana J. Wright
10 min readMay 31, 2022


Image created by the author.

It’s been about two months since the largest hack in DeFi history, where cryptocurrency worth about $625 million was drained from the Ronin Network, which is the blockchain that powers the popular play-to-earn game, Axie Infinity.

Just a few months before that, $611 million was stolen from the Poly Network, in the second largest hack in crypto history.

In the Poly Network case, the attacker actually came forward and negotiated a bounty. So the majority of the funds ended up getting returned and “Mr. White Hat,” as the attacker was called, collected a payment of $500k free and clear from Poly.

While some doubted if Mr. White Hat was truly acting in good faith, it was generally hailed as a great success. The bug bounty mechanism proved to be an effective fallback in this worst case scenario.

So in the early hours of the Ronin hack, some speculated that something similar might happen. Sky Mavis, the company that runs the network even announced their intent to make the victims whole regardless of whether they were able to retrieve the hacked funds.

With the obvious implication that they believed they could.

Follow the money

Meanwhile, the attacker wasted no time moving the stolen USDC stablecoins onto three different centralized exchanges, quickly swapping them for Ethereum and moving the ETH back to their self-custodied wallets.

They did it so fast that the exchanges didn’t have enough time to freeze the accounts before the funds had already been withdrawn.

After they swapped everything to Ethereum, they began the process of slowly depositing the funds into a mixing service called TornadoCash.

One thing that makes crypto hacks different from any other financial crime is that you can literally watch the money move around on chain in real time.

As you can see here, on May 19th the last tranche of 3,582.1 ETH was deposited from one of the wallets connecting the perpetrator’s main wallet to TornadoCash.

And that’s where the trail ends.

I think it’s safe to say, none of those funds will ever be returned.

The web of crypto wallets Lazarus used to launder the funds. Source: Elliptic Forensics.

Not amateurs

On April 15th, it was reported that a well known network of cyber criminals linked to North Korea was behind the Ronin hack.

Named after the only biblical figure other than Jesus who comes back from the dead, the Lazarus Group is pretty infamous in the world of cyber crime.

Over the last decade, they have perpetrated of some of the most high profile attacks on record and earned the designation of “advanced persistent threat” from US intelligence agencies.

They made a huge splash in 2016 when they hacked Sony Pictures.

Through a combination of destroying files, leaking employee data and threatening to bomb movie theaters, they forced Sony to cancel the release of its upcoming film The Interview, a comedy about assassinating Kim Jong-un.

They began targeting crypto entities in 2017, successfully draining hundreds of millions of dollars from several centralized exchanges in Asia.

According a report by Chainalysis, they brought in over $400 million from crypto hacks in 2021.

Legacy money laundering

Pulling the pieces together in hindsight, the Ronin exploit contained several hallmarks of a Lazarus attack, including the location of the target (Sky Mavis is in Vietnam), the attack method (involving both technical and social engineering) and a well planned out money laundering scheme to evade attribution.

One previous attack that contained some really interesting parallels was when Lazarus hacked the central bank of Bangladesh in 2016 and almost got away with a billion dollars.

It’s an absolutely insane story.

Almost like a group of hackers watched a Hollywood heist movie and thought to themselves, we could do that.

It involves a broken printer, a misspelling on a wire transfer, and a stroke of dumb luck that happened to block $851 million dollars from clearing through the New York Fed.

While they were unable to drain Bangladesh’s entire FX reserve account, Lazarus did manage to get $81 million transferred to their RCBC Bank account in the Philippines.

From there, they immediately divided about $30 million into a few dozen different accounts, withdrew the cash, swapped it for local currency through a foreign exchange service, and then redeposited it into other bank accounts.

Sound kinda similar?

Wait for it.

That was phase one of the process, which money laundering experts call “layering.”

To make the funds completely untraceable, they had to get them out of the banking system all together.

For the remaining $50 million, they deposited it into gambling accounts at the Solaire and the Midas, two of the premier casinos in Southeast Asia.

At the casino, they withdrew chips, played a fairly low risk game called Baccarat (mixing chips with the rest of the chips in circulation), then cashed out the chips for squeaky clean cash.

I guess you could call this process legacy money laundering.

Essentially, they used the casino as a mixer.

And that’s where the trail ends.

Solaire Resort in Manila, Philippines. Source: Getty.

Privacy, casinos and mixers

Now you might be wondering, couldn’t authorities have followed the transactions from RCBC Bank to the casinos and then found the IDs or at least security images of the people withdrawing chips from that account?

Answer: not easily.


At the time, these casinos were not covered by any anti-money laundering laws and had no interest in cooperating with authorities.

Gambling, while perfectly legal in many places is not necessarily an activity people want to be associated with or publicly known for. Casinos therefor have a legitimate commercial interest in protecting the privacy of their customers and they continue to resist government pressure to record customer data.

Eventually the casinos would cooperate with investigators, but their reluctance bought the hackers plenty of time to slowly launder the funds over the course of several weeks.


Similarly, crypto privacy networks provide an important mechanism to protect the safety of crypto holders.

Everything on the blockchain is public by default. Having one’s real world identity linked to their crypto holdings could make them targets for all kinds of attacks, including ransom, kidnaping and identity theft.

You see the parallels.

Privacy is a feature, not a bug.

But unlike casinos, mixers are decentralized and autonomous. They are essentially DeFi protocols. It will not be easy to regulate them or force them to cooperate with investigations.

In the wake of the Ronin hack, one of the founders of TornadoCash told CoinDesk that there isn’t much he or anyone else could do to help investigators because they don’t have much control over the protocol.

“The Tornado Cash team mostly does research and publishes the code to GitHub. All the deployments, protocol changes and important decisions are made by the community via Tornado Governance DAO and deployment ceremonies,” he said.

Nor is there a centralized server that can be shut down. It’s source files are hosted on IPFS and it’s domain is on Ethereum Name Service.

These services make up the backbone of the decentralized web, they are censorship resistant, and there is no one at the helm.

Anyone can use decentralized apps, even the bad guys.

Training a cyber warrior

North Korea at night (Source: NASA/Reuters).

North Korea is one of the poorest countries in the world and its people are largely disconnected from the global community.

One of the most famous images of the country is taken from space. It shows a pitch black void sandwiched between a brightly lit South Korea on the right and China on the left.

We in the West might not think this could possibly be the home of a global hacking cartel, responsible for stealing billions of dollars through sophisticated bank heists and cutting edge cryptocurrency thefts.

But we would be wrong.

The truth is, we have no idea what goes on there.

From a BBC interview with North Korean ex-pat, Jong Yol-ri, we learn that becoming a “cyber warrior” is a prestigious and well established career path in North Korea.

Yol-ri knows because he went through the process and was well on his way to becoming one before he defected to South Korea in 2016.

Yol-ri was one of the few children at his school who showed promise by excelling in mathematics. He was identified early and taken through an advanced education pipeline leading to various careers working for the regime, such as nuclear engineer and cyber warrior.

This pipeline is one of very few paths for a lower class North Korean to escape a default life of abject poverty and isolation.

Yol-ri recalls studying math practically every waking hour between the ages of 7 and 12, and preparing for international math competitions like the International Mathematics Olympiad (IMO).

He remembers being allowed to borrow a laptop computer from school to help with his studies. Of course, there were only a few programs installed on it and no internet access.

Also, due to electricity rationing he struggled to keep the laptop battery charged.

“In North Korea, you only have uninterrupted electricity during a very brief window of time every day, so I installed a solar panel to generate electricity. But in the winter, there isn’t much sunlight so I’d then charge my laptop using gasoline,” he said.

When he was 17 years old, Yol-re was selected to attended an IMO competition in South Korea.

By this time, he had gleaned an understanding of what his future would entail if he were to continue that trajectory, so he took advantage of this rare trip to the neighboring South and defected.

Yol-ri joined a very small group of conscious North Korean defectors, leaving his friends and family behind.

He will likely never see or speak to them again.

The Grand People’s Study House in Pyongyang, North Korea. Source: Getty.

Asymmetric advantage

So basically, we have a small group of highly skilled operatives that come from a world of extreme poverty and desperation.

They are hyper loyal to their country and leader, and able to exercise a novel kind of power vastly disproportionate to their size.

In this way, North Korea’s cyber force serves a similar purpose to its nuclear weapons program.

In fact, the United Nations official that oversees the enforcement of sanctions against North Korea said last month that the DPRK is using funds acquired from cyber crime to fund its nuclear weapons program.

$400 million in one year for nukes.

The implications of this are massive for the power dynamics in our increasingly connected world.

When Lazarus hacked Sony Pictures back in 2014, North Korea was already under the heaviest economic sanctions of any country in history.

But when considering how to respond, President Obama stopped short of issuing an executive order authorizing a cyber attack against them. Instead opting to expand the Treasury Department’s authority to add individual perpetrators to the US Sanctions List.

A move experts quickly pointed out would be completely unenforceable.

Some have attributed this half measure to a fear of retaliation from the North.

If true, it represents a remarkable shift.

When the US considered invading Iraq in 2003, there was no fear of retaliation. It was not a factor. Not even part of the conversation. Nor was there any fear of retaliation from Pakistan in 2011 when President Obama decided to violate their sovereignty and raid Osama Bin Laden’s compound.

But this is not conventional war.

The cyber theatre is completely different.

Lazarus demonstrated its capability to reach into the email inboxes of rich and famous people in America and orchestrate a campaign to wreck their lives by dragging their reputations through the mud.

They demonstrated that they can hack into a central bank, commandeer the SWIFT keys that authorize international transfers, and then silently wait years for the perfect time to strike in order to maximize the payoff.

This is a new kind of threat and it’s giving pause to the leaders of even the most rich and powerful nations.

The ascending world

Since World War II, the US has enjoyed certain strategic advantages like being geographically separated, having the biggest conventional military, and having control over the narrative of world events through American mass media.

But none of these advantages are of any use against the apex threats of our time. Namely, biological contagion and cyber attacks.

In this world, it’s no longer about who has the most men and the biggest guns, but who has the smartest engineers and the best software.

In several recent interviews, renowned investor and ideas guy, Balaji Srinivasan made the case that the West has become complacent and is now on its heels technologically.

“So you have a situation where the country that built the first nuclear reactor and put a man on the moon could not even stand up a website for health insurance,” he said. Referring of course to the disastrous healthcare dot gov rollout.

Then came the Corona virus, which really laid bare just how much US state capacity has atrophied over the last several decades when compared to the rest of the world.

“For 50 years, we’ve been calling countries in Asia and the global south the ‘developing world,’ and referring to ourselves as the ‘developed world,’” said Srinivasan.

But that’s no longer an accurate description of what’s happening. It’s actually the “ascending world” and the “descending world.”

I’m afraid there may be some truth to this.

The US Navy recently announced that its newest warship is powered by linux.

To me, this sounds like Kodak announcing a firmware update in response to Instagram.

Like, they clearly recognize the threat.

But the ascending world has all the momentum.


Thanks for reading until the end. I work in crypto and think about it non-stop. You can find me on Twitter @danajwright_



Dana J. Wright

Designer · dreamer · dilettante · djw.eth