The notorious North Korea-backed hacking collective Lazarus
Group is suspected to be behind the recent $100 million altcoin
theft from Harmony Horizon Bridge, based on similarities to the
Ronin bridge attack[1] in March 2022.
The finding comes as Harmony confirmed[2] that its Horizon
Bridge, a platform[3] that allows users to move cryptocurrency
across different blockchains, had been breached last week.
In the incident, the exploiter carried out multiple transactions
on June 23 that extracted tokens stored in the bridge, making
away with about $100 million in cryptocurrency.
“The stolen crypto assets included Ether (ETH), Tether (USDT),
Wrapped Bitcoin (WBTC) and BNB,” blockchain analytics company
Elliptic said[4] in a new report. “The thief immediately used
Uniswap – a decentralized exchange (DEX) – to convert much of
these assets into a total of 85,837 ETH.”
Days later, on June 27, the culprit is said to have begun moving
funds amounting to $39 million through the Tornado Cash[5] mixer service in an
attempt to obfuscate the ill-gotten gains and make it difficult to
trace the transaction trail back to the original theft.
Elliptic, which was able to “demix” the transactions, said it
was able to further track the stolen funds funneled through the
service to a number of new Ethereum wallets.
The company’s attribution to the Lazarus Group stems from the
threat actor’s history of carrying out cryptocurrency thefts,
including those targeting cross-chain bridges earlier this year,
and the manner in which the funds were stolen and subsequently
laundered.
“The theft was perpetrated by compromising the cryptographic
keys of a multi-signature wallet – likely through a social
engineering attack on Harmony team members,” it said. “Such
techniques have frequently been used[6] by the Lazarus Group.”
“The relatively short periods during which the stolen funds stop
being moved out of Tornado cash are consistent with [Asia-Pacific]
nighttime hours,” Elliptic added. “Although no single factor proves
the involvement of Lazarus, in combination they suggest the group’s
involvement.”
Harmony has since notified all cryptocurrency exchanges and
involved law enforcement and blockchain forensic firms to help in
the recovery of stolen assets. It’s also offering “one final
opportunity” for the cyber thieves to send the funds back with
anonymity and “retain $10 million and return the remaining amount”
by July 4, 2022, 11 p.m. GMT.
On top of that, it has promised a $10 million reward for any
information that leads to the return of plundered virtual
currencies.
The Horizon Bridge digital heist also arrives against the
backdrop of a “crypto winter[7]” that has witnessed a
steep decline in cryptocurrency markets, sending prices of Bitcoin
down below $20,000 and potentially risking a key source of income[8] for the sanctions-hit
North Korea.
In a related development, Sky Mavis, developers of the popular
non-fungible token (NFT) video game Axie Infinity, announced[9]
this week the official restart of the Ronin Bridge following
three different audits.
What’s more, the European Parliament and Council reached a
landmark agreement on Wednesday to force crypto providers to
provide identifying information on the originators and the
beneficiaries in a bid to enforce transparency of crypto-asset
transfers.
“This is what payment service providers currently do for wire
transfers,” the Council said[10] in a press statement.
“This will ensure traceability of crypto asset transfers in order
to be able to better identify possible suspicious transactions and
block them.”
References
[1] Ronin bridge attack (thehackernews.com)
[2] confirmed (medium.com)
[3] platform (ethereum.org)
[4] said (hub.elliptic.co)
[5] Tornado Cash (tornado.cash)
[6] frequently been used (thehackernews.com)
[7] crypto winter (www.weforum.org)
[8] risking a key source of income (www.reuters.com)
[9] announced (roninblockchain.substack.com)
[10] said (www.consilium.europa.eu)
Read more https://thehackernews.com/2022/06/north-korean-hackers-suspected-to-be.html

