Credential theft
Ronin Network / Axie Infinity Lazarus Group Hack ($625M, Largest Crypto Theft)
Primary Source / Blockchain(s)
Ethereum
Incident Details
On March 23, 2022, the Lazarus Group (North Korea, DPRK Bureau 121) stole 173,600 ETH and 25.5 million USDC ($625 million at the time) from the Ronin Network, the Ethereum sidechain powering Axie Infinity, the largest play-to-earn blockchain game. The attack began with a spear-phishing campaign targeting Sky Mavis employees via fake LinkedIn job recruitment offers. A senior engineer downloaded a malicious PDF disguised as a lucrative job offer, which installed macOS backdoor malware. Lazarus used this foothold to compromise private keys for 4 of the 9 Ronin validator nodes controlled by Sky Mavis, plus one controlled by Axie DAO (which had previously been granted signing permissions and never had them revoked). With 5 of 9 validators compromised, Lazarus signed fraudulent withdrawal transactions. The theft went undetected for 6 days; it was discovered only when a user tried to withdraw 5,000 ETH and the bridge had insufficient funds. The US Treasury’s OFAC sanctioned the Ethereum address used by Lazarus and attributed the attack. Sky Mavis raised $150 million to reimburse affected players. The attack demonstrated North Korea’s sophisticated approach to targeting DeFi infrastructure via social engineering of individual developers, and highlighted the catastrophic vulnerability of proof-of-authority bridge systems with small validator sets.
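A worked illustration of the threshold and stale-grant point above, added here and not taken from Sky Mavis's or Ronin's code: a toy 5-of-9 withdrawal approval check in which an unrevoked delegation (the Axie DAO grant) turns four compromised validator keys into a quorum, while a delegation with an expiry does not. Validator names, block numbers and the delegation format are constructed assumptions, and signature verification is abstracted to signer identifiers.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class BridgeConfig:
    validators: Set[str]          # the nine validator slots
    threshold: int                # signatures needed to release funds
    # validator slot -> (delegate signer, expiry block; None = never expires)
    delegations: Dict[str, Tuple[str, Optional[int]]] = field(default_factory=dict)

def effective_validator(cfg: BridgeConfig, signer: str, block: int) -> Optional[str]:
    """Return the validator slot `signer` may sign for at `block`, or None."""
    if signer in cfg.validators:
        return signer
    for validator, (delegate, expiry) in cfg.delegations.items():
        if delegate == signer and (expiry is None or block <= expiry):
            return validator
    return None

def approve_withdrawal(cfg: BridgeConfig, signers: Set[str], block: int) -> bool:
    """Count distinct validator slots covered by the signers (a delegate and
    its principal count once) and compare against the threshold."""
    slots = {effective_validator(cfg, s, block) for s in signers}
    slots.discard(None)
    return len(slots) >= cfg.threshold

def stale_delegations(cfg: BridgeConfig, block: int) -> List[str]:
    """Audit helper: delegations that never expire or have already expired."""
    return sorted(v for v, (_, exp) in cfg.delegations.items()
                  if exp is None or exp < block)

# Constructed setup: sm1..sm4 are Sky Mavis validators, dao is the Axie DAO
# validator, ext1..ext4 are independent; sm_rpc is the Sky Mavis signer the
# DAO allowlisted and (in NEVER_REVOKED) never un-allowlisted.
SLOTS = {"sm1", "sm2", "sm3", "sm4", "dao", "ext1", "ext2", "ext3", "ext4"}
NEVER_REVOKED = BridgeConfig(SLOTS, 5, {"dao": ("sm_rpc", None)})
TIME_BOXED = BridgeConfig(SLOTS, 5, {"dao": ("sm_rpc", 500)})
# Keys an attacker holding the Sky Mavis foothold would control (constructed).
COMPROMISED = {"sm1", "sm2", "sm3", "sm4", "sm_rpc"}

if __name__ == "__main__":
    print("never-revoked grant, block 1000:", approve_withdrawal(NEVER_REVOKED, COMPROMISED, 1000))
    print("time-boxed grant, block 1000:  ", approve_withdrawal(TIME_BOXED, COMPROMISED, 1000))
    print("stale delegations:", stale_delegations(NEVER_REVOKED, 1000))
```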
Technical Details
- Initial Attack Vector
- North Korea's Lazarus Group targeted Sky Mavis (Axie Infinity developer) employees with fake LinkedIn job offers; a senior engineer downloaded a malicious PDF 'job offer' that installed macOS spyware; Lazarus used this foothold to compromise 5 of the 9 Ronin validator private keys
- Vendor / Product
- Ronin Network (Ethereum sidechain bridge)
Timeline
- 2022-03-23 Breach occurred
- 2022-03-29 Publicly disclosed
- 2022-03-29 Customers notified