Norwegian authorities announced on Thursday that they had recovered $5.9 million of cryptocurrency stolen in the Axie Infinity hack – an incident widely held to have been perpetrated by the Lazarus Group, which has links to North Korea.
The Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim) has called the seizure among the largest ever money seizures – and the largest-ever related to crypto – made by Norway.
After a long, international investigation by Økokrim, the National Authority for Investigation and Prosecution of Economic and Environmental Crime, prosecutors have retrieved 60 million kronor — about $5.9 million — from hackers who robbed Axie Infinity developer Sky Mavis’ Ronin Network cross-chain payments bridge.

It was also one of the largest-ever cash-value seizures by the Norwegian police.The U.S. Justice Department has said that North Korea’s state-sponsored Lazarus Group hackers were behind the attack, which made off with $625 million. It led to the sanctioning of the Blender.io and Tornado Cash mixing services.
“Økokrim are good at following money,” said First State Attorney Marianne Bender in a statement. “This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods.” Praising the crime-fighting agency’s cooperation with and assistance from the FBI, Bender said Økokrim would continue to track the stolen funds.

Authorities say that Sky Mavis, creator of the Axie Infinity game and the Ronin Bridge, will be notified of the seizure so that affected users “get the money back to the greatest extent possible.” The hack was valued at over $600 million at the time of the incident. Axie Infinity reopened its Ronin bridge in June 2022 after its founders, along with external investment from Binance, reimbursed users a total of 117,600 Ether (ETH) and 25.5 million USD Coin (USDC). The remaining 56,000 stolen ETH belonged to the Axie DAO Treasury and remains undercollateralized as Sky Mavis “works with law enforcement to recover the funds.”
The attacker didn’t hold the funds in those wallets very long, however. Just $376.73 was left by April 4 as the hacker tried to obfuscate the origin of the coins by routing through intermediaries such as the now-shuttered privacy protocol Tornado Cash.
Nevertheless, investigators have shown their ability to track funds on-chain using advanced tracing tools. “Økokrim is good at following money,” Bender said per translation in today’s announcement. “This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods.”