North Korea’s Lazarus Group Linked to $100M Harmony Bridge Hack

North Korea’s notorious state-backed hackers, Lazarus Group, may have been behind last week’s $100M attack targeting Harmony’s cross-chain bridge, according to blockchain intelligence firm, Elliptic.

On June 23, Harmony, a Layer 1 blockchain, reported that a hacker had stolen nine-figures worth of assets from its cross-chain Horizon bridge, which enables assets to move between Harmony and the Ethereum and Binance Smart Chain networks. Cross-chain bridges have been a prime target for exploits.

Transaction Flow

The perpetrator took a dozen different assets and quickly consolidated the loot into Ethereum using the Uniswap decentralized exchange. They then began using the blockchain mixer Tornado Cash to obfuscate and anonymize the transaction flow of many of the stolen assets from June 27.

On June 29, Elliptic published findings after using its Tornado Cash “demixing capability” to trace the movement of funds sent through Tornado by the hacker.

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft based on the nature of the hack and the subsequent laundering of the stolen funds,” the firm asserted.

Harmony Hit by $100M Hack in Latest Exploit of Cross-Chain Bridges

Harmony Hit by $100M Hack in Latest Exploit of Cross-Chain Bridges

Effort Under Way to Identify Hacker as Harmony Halts Horizon Bridge

The Defiant

Lazarus is believed to have stolen over $2B in crypto assets from exchanges and DeFi services. The group became interested in cryptocurrency in 2017 when it began targeting South Korean centralized exchanges, but it is believed Lazarus has recently pivoted to focus on exploiting cross-chain bridges.

In April, the U.S. Treasury Department sanctioned an Ethereum wallet involved in the roughly $615M attack targeting Axie Infinity’s Ronin Bridge in March — the largest exploit in the history of DeFi — asserting the wallet is associated with Lazarus. Like Harmony’s Horizon bridge, Ronin was secured by a simple multi-signature account.

Previous Operations

Elliptic identified extremely regular deposits to Tornado after the Harmony attack indicative of an automated process, concluding the movement of assets was very similar to the “programmatic laundering of funds stolen from the Ronin Bridge.” It noted the funds were also moved during night-time hours in the Asian-Pacfic region, which is also consistent with Lazarus’ previous operations.

On June 30, Harmony posted a Twitter thread making a final appeal to the perpetrator of the $100M hack to return 90% of the stolen funds by 11 PM GMT on July 4 in exchange for all ongoing investigations being dropped.

“Harmony has begun a global manhunt for the criminal(s) who stole $100M from the Horizon bridge,” the firm said. “All exchanges have been notified. Law enforcement, Chainalysis, and AnChainAI have active investigations to identify the responsible actors and recover the stolen assets. We are providing one FINAL opportunity for the actor(s) to return stolen assets with anonymity.”

Harmony also addressed associates of the thieves, stating it will pay $10M in exchange for information leading to the return of the stolen funds.

Manhunt

The offer has been met with skepticism on social media, with commenters highlighting that the hackers are unlikely to accept Harmony’s offer if the attack was executed by Lazarus as Elliptic’s analysis suggests.

AswinAdam2 tweeted “if it’s the North Korean group that conducted the attack as mentioned in the media then it’s better to just move on.” Skenforceone added “I’m pretty sure a manhunt for someone inside North Korea is futile.”