North Korea's Lazarus Group Suspected of $100m Harmony Hack

Blockchain analytics company Elliptic suggested North Korea’s Lazarus Group may be behind last week’s $100m theft from cryptocurrency firm Harmony.

In an advisory released on Wednesday, the security experts confirmed Harmony’s initial claims that the funds had been stolen through Horizon Bridge, a platform enabling the transfer of cryptocurrency across blockchains.

“The stolen crypto-assets included Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB,” reads the document.

“The thief immediately used Uniswap – a decentralized exchange (DEX) – to convert much of these assets into a total of 85,837 ETH. This is a common laundering technique used to avoid seizure of stolen assets.”

Elliptic reportedly tracked the ETH and found that the threat actors had started moving it into Tornado Cash – a mixing service that is often used to launder the proceeds of crime.

“So far, just over 35,000 Ether ($39 million) of the stolen funds has been sent to Tornado Cash, and the process is ongoing,” the security researchers wrote.

“By sending these funds through Tornado, the thief is attempting to break the transaction trail back to the original theft. This makes it easier to cash out the funds at an exchange.”

Despite these attempts, however, Elliptic said it managed to use Tornado demixing techniques to trace back the stolen funds to a number of new Ethereum wallets.

“Our analysis of the hack and the subsequent laundering of the stolen crypto-assets also indicates that it is consistent with activities of the Lazarus Group – a cybercrime group with strong links to North Korea.”

According to the cybersecurity experts, while the Lazarus link cannot be proven unequivocally, there are various indicators suggesting the group may be behind the hack.

One is the similarity between the tactics used in the Harmony attack and those behind the $540m hack of Ronin Bridge, which was eventually traced back to North Korea.

Additional clues linking the group to the Harmony hack include the fact that the theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet, the choice of APAC-based targets (Harmony is based in the US, but many of the core team have links to the APAC region) and the apparent use of automated processes to move funds into Tornado.

“Elliptic will continue to monitor the stolen funds as the laundering progresses, and will update its tools to reflect the movement of these assets,” Elliptic concluded.
