Infamous North Korean hackers suspected of $100 million Harmony hack, experts say

    05 Jul 2022
    1,554 Views

    North Korean hackers are most likely behind an attack last week that stole as much as $100 million in cryptocurrency from a US company, digital investigative firms have concluded. Analysis suggests the hack is the work of the Lazarus Group, the Pyongyang-backed group behind a similar $622 million hack of Axie Infinity.

    Following hackers recent stealing $100 million worth in crypto from Harmony Protocol, the team behind the project offered a $1 million reward for information about the attacker.

    A week later, blockchain analytics firm Elliptic reported the manner in which the funds were stolen and then laundered points to the involvement of The Lazarus Group, a notorious North Korea-affiliated cybercriminal organization.

    Back in April, the FBI accused Lazarus, a “state-sponsored hacking organization,” in the $622 million hack of a cross-chain bridge used by the play-to-earn game Axie Infinity. Cross-chain bridges connect blockchains and are often used to link sidechains (like Axie’s Ethereum sidechain Ronin), which can offer speed and lower transaction fees before passing work back to more secure blockchains like the Ethereum mainnet.

    Similarly, Harmony’s hack occurred on the Horizon bridge, a cross-chain bridge connecting Harmony to Ethereum, Binance Chain, and Bitcoin. Elliptic’s report notes the similarities between both cross-chain bridge attacks as one indication of Lazarus’ likely involvement.

    The attack via social engineering also alludes to previous Lazarus hacks. The Harmony attack additionally echoes the Axie Infinity hack in that stolen funds have been laundered in a pattern implying automated transfers.

    “Although no single factor proves the involvement of Lazarus, in combination, they suggest the group’s involvement,” the report said.

    Regarding other factors, as many Harmony team members have ties to the Asia Pacific region, Lazarus also tends to go after Asia-based targets, potentially due to the languages used. Moreover, the only times the hackers have stopped offloading laundered funds are consistent with nighttime hours in the Asia Pacific region.

    So far, the funds have been laundered through the mixing service Tornado Cash, which allows users to pool significant amounts of cryptocurrencies and swap them for different coins, a process that obfuscates transaction trails and is commonly used to launder stolen tokens.

    Elliptic was able to “demix” the trails of the Harmony hackers’ Tornado Cash transactions in this case and has traced the stolen funds to a number of new Ethereum wallets.

    While exchanges and businesses could potentially use this information to ensure they don’t accept any of stolen funds, the information provides no means for Harmony to recover them.

    Leave a Reply

    Your email address will not be published. Required fields are marked *