North Korea suspected to be behind the $100m Harmony hack

Updated on: 30 June 2022

Vilius Petkauskas
Deputy Editor

Image by Shutterstock.

Lazarus Group hackers were likely responsible for stealing $100m worth of crypto via Harmony's Horizon bridge. The same group stole $620 million worth of crypto from the Ronin exchange in March.

Two days after Harmony, a California-based company, offered to pay a $1 million bounty for the return of Horizon bridge funds, researchers announced they'd found the culprits responsible for the $100 million hack.

An analysis of how the funds were stolen and later laundered points to state-sponsored hackers from North Korea, the Lazarus Group, blockchain analytics firm Elliptic claims. The same hackers have been on a spree, netting over $2 billion in crypto assets.

Researchers managed to demix a knot of transactions hackers made using the Tornado Cash mixer. Following the money trail allowed analysts to trace how the stolen crypto traveled through various wallets and exchanges.

"By sending these funds through Tornado, the thief is attempting to break the transaction trail back to the original theft. This makes it easier to cash out the funds at an exchange," reads the report.

While there's no smoking gun pointing directly to North Korean hackers, details of the attack and the way money was laundered match the modus operandi of the Lazarus Group.

According to the report, the hack was completed by compromising the cryptographic keys of a multisig wallet, a common tactic by the suspected hackers.

Researchers claim that 'the regularity of the deposits into Tornado over extended periods of time suggests that an automated process is being used.'

Similar laundering tactics were used with funds stolen from the Ronin exchange, a $620m hack the FBI recently attributed to the Lazarus Group.

The Elliptic report adds that the funds were being moved at times consistent with the Asia-Pacific (APAC) working hours, at least indicating that the hackers likely operated from Asia.

The regularity of the deposits into Tornado over extended periods of time suggests that an automated process, also seen in the Ronin hack, was used.

"Although no single factor proves the involvement of Lazarus, in combination, they suggest the group's involvement," reads the report.

Other researchers also point to North Korean hackers as the likeliest culprits behind the heist. Reuters reports that Chainalysis, a blockchain firm working with Harmony to investigate the attack, claims that the attack style is similar to previous attacks attributed to North Korea-linked actors.

"Preliminarily, this looks like a North Korean hack based on transaction behavior," Nick Carlsen, a former FBI analyst who now investigates North Korea's cryptocurrency heists for TRM Labs, a US-based firm, told Reuters.

"Although no single factor proves the involvement of Lazarus, in combination, they suggest the group's involvement,"
claims a report by Elliptic.

North Korean hackers

North Korea employs cybercrime to finance its dictatorship, which runs a country mostly closed off from the outside world.

While Lazarus Group, also known as 'Un-usual Suspects' or APT 38, is almost certainly a state-sponsored actor, its primary goals are financial. Hacker groups operated by state intelligent services often focus more on intelligence.

According to Chainalysis, North Korea launched at least seven attacks on cryptocurrency platforms that extracted nearly $400 million worth of digital assets last year.

A United Nations panel of experts monitoring North Korea's sanctions has accused Pyongyang of using stolen funds to support its nuclear and ballistic missile programs to circumvent sanctions.

Last year the United States charged three North Korean computer programmers working for the country's intelligence service with a massive, years-long hacking spree to steal more than $1.3 billion in money and cryptocurrency, affecting companies from banks to Hollywood movie studios.

Reports by cybersecurity firm Mandiant show that North Korea aims to expand its profitable operation, setting up new hacker groups. The recently formed Bureau 325 has quickly risen to prominence to become North Korea's "Swiss army knife" cybercriminal gang.