Investigators at a blockchain analytics firm have linked the theft of $100 million worth of crypto assets last week to notorious North Korean cybercrime group Lazarus. The company said it tracked the movement of some of the stolen cryptocurrency to a so-called mixer used to launder such ill-gotten gains.
Blockchain startup Harmony announced on June 23 that its Horizon Bridge — a cross-chain bridge service used to transfer assets between Harmony’s blockchain and other blockchains — had been attacked, and that crypto assets including Ethereum, Wrapped Bitcoin, Binance Coin, and Tether had been stolen.
According to blockchain analysis firm Elliptic, the attacker immediately turned to Uniswap, a decentralized exchange, to convert most of the assets into 85,837 Ethereum, which researchers say is a common method used by hackers to prevent the stolen assets from being seized.
Days later, the thief began moving the Ethereum into Tornado Cash, a mixer used to launder stolen assets. As of June 29, the attacker had moved about 35,000 Ethereum — roughly $39 million — to Tornado Cash, and the process continues, Elliptic researchers wrote in a blog entry.
“By sending these funds via Tornado, the thief is attempting to break the transaction trail back to the original theft. This makes it easier to withdraw funds on an exchange,” they wrote.
Using proprietary Tornado demixing methods, Elliptic researchers were able to trace the stolen funds through Tornado Cash to multiple new Ethereum wallets. They also suggested that other exchanges and crypto companies could use Elliptic’s transaction screening software to determine if incoming funds came from the Horizon Bridge hack.
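The screening idea described above can be illustrated with a small graph walk. The following is an added example, not Elliptic's software or anything from the article: it builds a constructed transfer ledger (all addresses such as `0xTHEFT` and `0xMIXER` are made up), walks backward from an exchange's deposit address to see whether the funds connect to a flagged theft address, and stops when the trail enters a mixer pool, because at that point the on-chain graph alone no longer links withdrawals to deposits. That stopping point is exactly where the "demixing" heuristics the article mentions would have to take over.

```python
from collections import defaultdict, deque

# Constructed sample ledger: hypothetical addresses, not real on-chain data.
THEFT_ADDRESS = "0xTHEFT"      # address that received the drained bridge funds
MIXER_CONTRACT = "0xMIXER"     # stands in for a Tornado-style pool contract

TRANSFERS = [
    # (from, to, amount in ETH)
    ("0xTHEFT", "0xSWAP_A", 1000.0),     # swapped through a DEX into ETH
    ("0xSWAP_A", "0xHOP1", 1000.0),
    ("0xHOP1", "0xHOP2", 600.0),
    ("0xHOP2", "0xEXCHANGE", 600.0),     # direct trail to an exchange: linkable
    ("0xHOP1", "0xMIXER", 400.0),        # deposit into the mixer pool
    ("0xMIXER", "0xFRESH1", 100.0),      # withdrawal: no graph link to any depositor
    ("0xFRESH1", "0xEXCHANGE2", 100.0),
    ("0xUSER", "0xEXCHANGE3", 5.0),      # unrelated, clean deposit
]


def build_graph(transfers):
    """Index transfers by sender (forward) and recipient (reverse)."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, dst, amt in transfers:
        fwd[src].append((dst, amt))
        rev[dst].append((src, amt))
    return fwd, rev


def tainted_addresses(transfers, origins, mixers):
    """Forward BFS from flagged theft addresses.

    Every address the funds touch is marked tainted.  A mixer contract is
    marked (it received stolen funds) but is not expanded: withdrawals from
    the pool cannot be attributed to a depositor from the graph alone.
    """
    fwd, _ = build_graph(transfers)
    seen, queue = set(origins), deque(origins)
    while queue:
        node = queue.popleft()
        if node in mixers:
            continue
        for dst, _ in fwd[node]:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def screen_deposit(transfers, deposit_to, flagged, mixers):
    """Backward walk from a deposit address, as an exchange would screen it.

    Returns ("tainted", path) with the path from the flagged address to the
    deposit, ("unlinkable", mixer) if every trail dead-ends in a mixer pool,
    or ("clean", None) if no flagged address is reachable at all.
    """
    _, rev = build_graph(transfers)
    queue = deque([(deposit_to, [deposit_to])])
    seen, hit_mixer = {deposit_to}, None
    while queue:
        node, path = queue.popleft()
        if node in flagged:
            return ("tainted", list(reversed(path)))
        if node in mixers:
            hit_mixer = node      # trail enters the pool; graph link ends here
            continue
        for src, _ in rev[node]:
            if src not in seen:
                seen.add(src)
                queue.append((src, path + [src]))
    return ("unlinkable", hit_mixer) if hit_mixer else ("clean", None)


if __name__ == "__main__":
    flagged, mixers = {THEFT_ADDRESS}, {MIXER_CONTRACT}
    for deposit in ("0xEXCHANGE", "0xEXCHANGE2", "0xEXCHANGE3"):
        print(deposit, screen_deposit(TRANSFERS, deposit, flagged, mixers))
    print("tainted:", sorted(tainted_addresses(TRANSFERS, flagged, mixers)))
```

The first deposit is flagged with its full path back to the theft address; the second comes from a fresh address funded by a mixer withdrawal, so the pure graph walk reports it as unlinkable rather than clean, which is the signal to apply further heuristics or treat the deposit with suspicion; the third has no connection and is clean.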
Their analysis of the attack revealed a combination of factors that the company said indicated the Lazarus group was involved. The gang has stolen more than $2 billion through multiple cryptocurrency thefts and has recently focused on decentralized finance (DeFi) services such as cross-chain bridges. Lazarus is suspected of being behind the heist of at least $540 million in a hack last month of Ronin Bridge, an Ethereum-based network that powers Axie Infinity, a blockchain video game.
There were similarities between the Horizon and Ronin bridge attacks, including an automated process for depositing funds into Tornado Cash.
The US Treasury Department has also identified Lazarus – also known as AppleWorm, APT-C-26 and Hidden Cobra, among others – as the likely culprit behind the Ronin bridge breach and announced new sanctions against a Lazarus Ethereum wallet.
The researchers also determined that the Horizon Bridge attack was carried out using compromised keys controlling a multi-signature wallet, likely obtained through a social engineering attack on Harmony employees; that many members of Harmony’s core team, although the company is based in the US, have ties to the Asia-Pacific region; and that the periods during which stolen funds were not being moved out of Tornado Cash coincide with nighttime hours in that region.
All of these indicators point the finger at Lazarus, they wrote.
In their latest update this week, Harmony officials wrote that a “global manhunt for the criminal(s) is underway,” that all exchanges have been notified, and that law enforcement and Harmony partners Chainalysis and AnChainAI are investigating.
They also reiterated the July 4 deadline for the hackers to return the crypto assets anonymously and keep $10 million of them. At the same time, the company posted a $10 million bounty for information leading to the return of the funds and the arrest of the hackers.
Three US agencies issued an alert in April about Lazarus’ growing interest in the cryptocurrency market, which the gang has been targeting since at least 2020, and last year sent an alert about Lazarus’ AppleJeus malware, which was used to steal cryptocurrency.
North Korean Hacker Groups Target Crypto
Roger Grimes, data-driven defense evangelist at KnowBe4, a security awareness training company, told The Register that North Korean hacking groups have long targeted traditional finance and are now targeting cryptocurrencies. A major reason is that once an attack has taken place, it is difficult to reverse.
“With traditional finance, if someone steals something of value, it’s pretty easy to identify the theft, reverse the transaction, and recover the victim’s losses,” Grimes said.
“Cryptocurrencies are more like bearer bonds. The holder of a bearer bond is the ‘rightful’ owner of the bond and its associated value, even if it has been stolen. Most cryptocurrencies and their associated blockchains have no mechanism for reversing a transfer of value, even if that transfer was illegal or unethical in every conceivable way. The thief can just laugh in everyone’s face and say, ‘Sorry about your bad luck.’”
Given the large number of scams and thefts related to cryptocurrency and other DeFi projects, many of these projects are working on ways to reverse or limit the damage done by thefts and scams. However, it is not easy, he said.
“Many in the cryptocurrency and DeFi industries are fighting these new methods of reversal because they make transactions appear more regulated and closer to regular currencies and banks, which much of the online industry inherently loathes,” Grimes said. “No matter how long the cryptocurrency and DeFi industry battles increasing regulation, thieves like this North Korean hacking group will continue to benefit.”
However, increased regulation and oversight will likely be required, since participation is unlikely to grow significantly as long as people can be robbed without recourse. ®