North Korean Cybercrime Group Allegedly Connected to $100 Million Harmony Hack

Lazarus Group, the infamous North Korean cybercrime gang, is believed to be connected to the recent $100 million crypto hack that hit Harmony Horizon Bridge. The attack is very similar to the Axie Infinity Sidechain Ronin attack the gang carried out in March.

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds,” says blockchain analytics company Elliptic. “Lazarus is believed to have stolen over $2 billion in cryptoassets from exchanges and DeFi services.”

In the Horizon Bridge attack, confirmed by blockchain platform Harmony, perpetrators carried out several transactions to extract bridge-stored tokens worth more than $100 million on June 23. The stolen funds consisted of several altcoins such as Ether (ETH), BNB, Wrapped Bitcoin (WBTC) and Tether (USDT).

After stealing the crypto assets, threat actors promptly converted the bulk of them into 85,837 ETH through the decentralized exchange (DEX) platform Uniswap.

On June 27, perpetrators attempted to mystify a part of the stolen assets (roughly $39 million) via Tornado Cash tumbler service. Elliptic managed to de-obfuscate the transactions and tracked them to various new Ethereum wallets.

Although there’s no direct evidence to incriminate the group, Elliptic cites similarities to Lazarus Group’s previous crypto hacks and stealing and laundering methods.

“The theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet – likely through a social engineering attack on Harmony team members,” says Elliptic. “Such techniques have frequently been used by the Lazarus Group.”

After disclosing the attack, Harmony notified other cryptocurrency exchanges and sought from the help of law enforcement agencies and blockchain analytics companies to recover the stolen funds. The company is also offering a $1 million bounty for returning the stolen assets and sharing details about the exploit leveraged by the perpetrators.