The North Korean group Lazarus is likely behind the Harmony Horizon bridge hack, responsible for stealing $100M.
A common laundering technique by criminals
The hacker stole $100 million in assets in different cryptocurrencies such as ETH, WBTC, USDT and BNB. But they immediately converted everything into ETH using Uniswap (UNI).
According to Elliptic, this is a common laundering technique used by criminals.
Although the theft took place on June 24, the hacker did not move the funds until June 27. At the time of publication, the hackers had moved about 41 percent of the funds, or about 39,000 ETH, through Tornado Cash to make them harder to trace.
“By sending these funds through Tornado, the thief is attempting to break the transaction trail back to the original theft. This makes it easier to cash out the funds at an exchange,” the report reads.
According to the blockchain analysis company, its analysis of the hacking and laundering shows that it is consistent with the operation of the Lazarus group.
While there is no smoking gun pointing directly to the North Korean hackers, the details of the attack and the way the money was laundered are consistent with the group.
In addition, the hacker compromised the keys to a multi-signature wallet to perpetrate the theft, which is consistent with the methods used by the Lazarus Group.
Who is Lazarus Group?
The Lazarus Group has been a scourge for over 10 years. The group is responsible for some of the world’s largest cyberattacks such as the Sony Pictures attack in 2014 and the spread of the WannaCry ransomware in 2017.
Unlike other state actors, Lazarus is highly motivated financially and is attempting to stimulate the weak North Korean economy.
Thanks to government support and instigation, North Korean threat actors are not at risk of prosecution in their home countries, quite the contrary. As a result, it is very likely that the Lazarus group will continue its activities in the coming years.
State-sponsored groups act in the interest of their state. They typically engage in espionage, stealing sensitive information to benefit their home country politically or economically. Sometimes they engage in sabotage as part of larger military operations for national security or political purposes. They are rarely motivated by financial reasons, and this is where the North Korean threat group known as Lazarus differs from most other state actors: since 2009 it has been robbing banks and hacking cryptocurrency exchanges to fill its state coffers.
Lazarus Group is one of the most successful crypto hacking groups in the world, with over $2 billion in stolen proceeds.
Like in the Ronin hack
Elliptic’s report adds that the funds were moved at times consistent with Asia-Pacific (APAC) business hours, indicating at least that the hackers were likely operating from Asia.
The regularity of deposits into Tornado over long periods of time suggests that an automated process, also seen in the Ronin hack, was used.
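The two signals Elliptic draws on here, local business hours and machine-like regularity of deposits, can be computed from nothing more than a list of transaction timestamps. The following Python is an added illustration, not code from Elliptic's report or from any of the investigators named in this article; the deposit times are constructed to mimic the pattern described (evenly spaced deposits during UTC+8 office hours), and the 9-to-18 business window and the 0.1 regularity threshold are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed sample, NOT real chain data: 27 mixer deposits, one every
# 20 minutes from 01:00 to 09:40 UTC, i.e. 09:00 to 17:40 in UTC+8.
SAMPLE_DEPOSITS_UTC = [
    datetime(2022, 6, 27, 1, 0, tzinfo=timezone.utc) + timedelta(minutes=20 * i)
    for i in range(27)
]

# Constructed contrast sample: the same start time, but gaps (in minutes)
# that vary the way a person clicking "deposit" by hand would produce.
_IRREGULAR_GAPS_MIN = [5, 47, 12, 130, 3, 88, 21, 9, 60, 15]
SAMPLE_IRREGULAR_UTC = []
_t = datetime(2022, 6, 27, 1, 0, tzinfo=timezone.utc)
for _g in [0] + _IRREGULAR_GAPS_MIN:
    _t += timedelta(minutes=_g)
    SAMPLE_IRREGULAR_UTC.append(_t)


def business_hours_fraction(timestamps, utc_offset_hours, start_hour=9, end_hour=18):
    """Share of events whose local hour, in the given UTC offset, lies in [start_hour, end_hour)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    in_hours = sum(1 for t in timestamps if start_hour <= t.astimezone(tz).hour < end_hour)
    return in_hours / len(timestamps)


def best_fit_offset(timestamps, offsets=range(-12, 15)):
    """UTC offset whose business-hours window covers the largest share of events.

    A single best-fit offset is only a hint (several neighbouring offsets often
    fit almost equally well), which is why the article speaks of 'APAC hours'
    rather than a specific city.
    """
    return max(offsets, key=lambda off: business_hours_fraction(timestamps, off))


def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between consecutive events.

    Values near 0 mean the gaps are almost identical (typical of a script);
    human-driven activity usually scores well above 0.5.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else float("inf")


def assess(timestamps, automation_threshold=0.1):
    """Combine both signals into a small, explainable verdict."""
    offset = best_fit_offset(timestamps)
    cv = interval_regularity(timestamps)
    return {
        "best_offset": offset,
        "business_hours_fraction": business_hours_fraction(timestamps, offset),
        "interval_cv": round(cv, 3),
        "automated": cv < automation_threshold,  # threshold is an assumption
    }


if __name__ == "__main__":
    print("regular sample:  ", assess(SAMPLE_DEPOSITS_UTC))
    print("irregular sample:", assess(SAMPLE_IRREGULAR_UTC))
```

On the regular sample the best-fit offset is UTC+8 with every deposit inside the window and a coefficient of variation of 0, so the verdict is "automated"; the irregular sample keeps a similar time zone but its interval score is above 1, so the same code does not flag it. Neither signal identifies an actor on its own, which is exactly the caveat the report makes.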
In recent years, Lazarus has started targeting cross-chain bridges and was responsible for the Ronin bridge hack, which cost Axie Infinity about $620 million.
While no single factor proves Lazarus’ involvement, their combination suggests the group’s involvement, the report reads.
Other researchers also point to North Korean hackers as the most likely culprits in the theft. Reuters reports that Chainalysis, a blockchain company working with Harmony to investigate the attack, says the style of attack is similar to previous attacks attributed to North Korean-linked actors.
“Preliminarily, it looks like a North Korean hack based on the behavior of the transactions,” Nick Carlsen, a former FBI analyst who now investigates North Korean cryptocurrency heists for U.S.-based TRM Labs, told Reuters.