North Korean hackers who last month carried out one of the largest cryptocurrency thefts ever are still laundering their haul more than a week after they were identified as the thieves.

The cybercriminals' continued access to the money, more than $600 million stolen from the Axie Infinity video game, underscores the limits of law enforcement's ability to stop the flow of illicit cryptocurrency across the globe. The hackers are still moving their loot, most recently about $4.5 million worth of the Ethereum currency on Friday, according to data from cryptocurrency tracking site Etherscan - eight days after the Treasury Department attempted to freeze those assets by sanctioning the digital wallet the group used in its attack.

The gang, which the Treasury Department identified as the Lazarus Group, also known for the 2014 hacking of Sony Pictures, so far has laundered nearly $100 million - about 17 percent - of the stolen crypto, according to blockchain analytics firm Elliptic. They moved their haul beyond the immediate reach of U.S. authorities by converting it into the cryptocurrency Ethereum, which unlike the cryptocurrency they stole cannot be hobbled remotely. Since then, the gang has worked to obscure the crypto's origins primarily by sending installments of it through a program called Tornado Cash, a service known as a mixer that pools digital assets to hide their owners.

Authorities and major crypto industry players are scrambling to keep up. Treasury sanctioned three more addresses associated with the gang on Friday, as Binance, a large international crypto exchange, announced it had frozen $5.8 million worth of crypto the hackers had transferred onto its platform.

The high-stakes cat-and-mouse game unfolding between law enforcement and the North Korean hackers is another example of how criminals have learned to target the growing crypto economy's weak points. They exploit faulty code in decentralized crypto platforms, use tools that help them hide their tracks such as converting assets to privacy-enhancing cryptocurrencies like Monero, and take advantage of spotty law enforcement coordination across international borders.

The North Korean case also trains a spotlight on a crypto industry eager to demonstrate its trustworthiness to regulators, investors and customers, while retaining crypto's freewheeling ethos. Some of the largest companies in the sector say they welcome government oversight and tout their investments in internal compliance programs.

Yet a review by The Washington Post of crypto accounts sanctioned by the Treasury Department over the last year-and-a-half found four wallets that remained free to transact months after being placed on the administration's blacklist. The apparent lapses are owed to flawed or incomplete compliance programs by Tether and Centre Consortium, a pair of companies involved in issuing so-called stablecoins, a type of cryptocurrency whose value is pegged to an external asset, typically the dollar.

"We're at a particularly important moment: Everyone is still learning what's possible and how attacks might occur, and the borderless nature of crypto makes it difficult to enforce standards globally," said Chris DePow, a compliance official at Elliptic. "These are people acting all over the world. Even if you enforce very well in one jurisdiction, if there are other jurisdictions with weaker enforcement, you're still going to end up with a problem."