North Korea’s ‘Legendary’ Lazarus Faces US Court Test Over $71 Million

Source
Korea Economic Daily

Summary

  • The article said $71 million tied to the KelpDAO hack has become the subject of a US court fight, with DeFi users and families of victims in North Korea-related cases each claiming rights to the funds.
  • Assets stolen in the hack were linked to OFAC’s Lazarus wallet list, and on that basis victims in North Korea-related cases obtained an attachment over the frozen funds to enforce their damages judgments.
  • Aave’s side pushed back, calling the US government’s position identifying Lazarus as North Korea “speculation in internet postings,” and said the core issues are whether Lazarus and North Korea are legally the same and who holds ownership of the assets.

On May 6, two sets of claimants tied to North Korea-related losses faced off in federal court in Manhattan. Both are seeking rights to the same $71 million.

One side consists of families of victims in cases that the US government attributed to North Korea and for which US courts awarded damages, though Pyongyang has never complied. The other is DeFi users who lost money in the April 18 hack of crypto protocol KelpDAO.

At the center of the dispute is a short but consequential question: Is Lazarus North Korea?

Can the US Prove Lazarus Is North Korea?

The Lazarus Group has become an almost mythical name in crypto. It has been linked to many of the industry’s biggest thefts, including the 2014 hack of Sony Pictures, the 2016 theft of $81 million from Bangladesh Bank, the 2017 WannaCry ransomware attack that crippled computers around the world, and last year’s Bybit hack, the largest crypto theft on record.

The Office of Foreign Assets Control, the Treasury Department unit that administers economic sanctions, has placed Lazarus on its North Korea-related sanctions list and lists its address as Botonggang District, Pyongyang. OFAC has also published Ethereum wallet addresses it tracks under the Lazarus name.

The Justice Department in September 2018 indicted North Korean programmer Park Jin Hyok as a member of Lazarus. The 179-page FBI indictment said Park was a government-employed programmer tied to a hacking organization under North Korea’s Reconnaissance General Bureau. It also said the Sony, Bangladesh Bank and WannaCry attacks were all carried out by the same group.

Still, there are evident gaps. Park has never been extradited to the US and has never appeared in an American courtroom.

In a criminal case, facts are established only after prosecutors and defendants test evidence in court. That process never took place in Park’s case. After seven years, the US government’s most detailed document tying Lazarus to North Korea remains a one-sided account.

OFAC has also said Lazarus uses aliases including “OFFICE 91,” “HIDDEN COBRA” and “GUARDIANS OF PEACE.” But it rated the reliability of those names as “weak.” In effect, OFAC itself acknowledged limits in determining whether those aliases truly refer to the same organization.

‘$8 Billion Lost’: DeFi’s Lehman Moment

The US government’s claim that Lazarus is North Korea is now before a US court because of a major crypto theft at DeFi protocol KelpDAO in April.

The attacker found a weakness in the process for moving assets across blockchains and used it to mint 116,500 rsETH tokens out of thin air.

rsETH is normally issued when users stake Ether and then use that position to lend assets elsewhere. In simple terms, it is like taking a certificate issued for a bank deposit and posting it as collateral at another bank to earn additional yield. The attacker effectively forged that receipt without depositing anything.

The attacker then posted the fake receipts as collateral on Aave, the largest DeFi lending protocol, and borrowed about $190 million of real Ether. In effect, Aave accepted fake collateral and handed over real assets.

The damage spread quickly. As word of the exploit got out, users who had deposited funds on Aave rushed to withdraw them. Nearly $6 billion was pulled out within days.

DeFi lending protocols are structured so that one user’s deposits are lent to another. If borrowed funds are not returned, depositors may be unable to withdraw even if they had nothing to do with the exploit. That left ordinary users unrelated to the incident unable to access their money.

The attack triggered the biggest outflow in DeFi history in its immediate aftermath, and Aave’s AAVE token fell nearly 20%.

One observer called it “DeFi’s Lehman moment,” capturing a sense that the sector was facing an existential crisis.

The industry response split in two. On one side, Aave founder Stani Kulechov led an effort with other DeFi firms to create a fund worth about $320 million.

On the other, part of the stolen funds was traced and $71 million of Ether was frozen. That money was supposed to be used to compensate rsETH holders who had lost assets.

‘North Korea Took It? Then It’s Ours’

Then the case became more complicated. Soon after the theft, private on-chain analytics firms pointed to Lazarus as the culprit because wallet addresses that received the stolen Ether were linked to addresses on OFAC’s Lazarus list. Aave also referred to the attackers in its incident report as “North Korea-linked hackers.”

On the evening of May 1, just before the frozen $71 million was to be returned to victims, a US law firm obtained a prejudgment attachment over the assets. The firm represents victims in North Korea-related cases, and US courts have awarded them more than $877 million in unpaid judgments that North Korea has never satisfied.

One prominent example is the case of Pastor Kim Dong-sik, who was reported to have been abducted by North Korean agents in China in 2000 while helping North Koreans defect. His brother and son, both US citizens, won a judgment in federal court in Washington in 2015 against North Korea for $30 million in compensatory damages and $300 million in punitive damages, for a total of $330 million.

They have spent the past 11 years searching for North Korean assets that could be used to enforce that judgment. Their argument is that if Lazarus stole the Kelp funds, and Lazarus is North Korea, then the frozen assets are North Korean property and should be used to satisfy their award.

Aave’s side challenged that logic directly. Its core argument was that a thief cannot be treated as the owner of stolen property. More strikingly, it dismissed the US government’s long-held position identifying Lazarus as North Korea as a claim that “the thief is North Korea based on speculation in internet postings.”

The court must now decide whether the thief was North Korea and, if so, whether North Korea can claim ownership of the assets.

For six years, the name Lazarus has been treated as so self-evident that it scarcely seemed to require proof. In South Korea, too, virtual-asset thefts are routinely announced each year as North Korean operations.

The US court’s ruling could become a reference point when the same question arises in South Korean courtrooms. What had been treated as a given is now being tested in court for the first time.

Kim Oi-hyun, adjunct professor at Woosuk University

Hankyung Business contributor
