North Korean Lazarus hackers linked to $100M Harmony bridge theft

Researchers have linked Lazarus Group, a notorious North Korean state-backed hacking group, to the theft of $100 million in crypto assets from Harmony’s Horizon Bridge.

Last week, U.S. crypto startup Harmony warned of a “malicious attack” on its Horizon Bridge, a cross-chain bridge that allows users to transfer their crypto assets from one blockchain to another. The attacker stole $100 million in crypto assets, including Ethereum (ETH), Binance Coin, Tether, USD Coin and Dai.

London-based blockchain analysis provider Elliptic, which has published an analysis of the attack, writes that the hackers converted the stolen assets to 85,837 ETH and are laundering it through Tornado Cash, a mixer commonly used to launder illegally obtained crypto. So far, the attacker has sent 35,000 ETH — worth $39 million, or about 41% of the total funds stolen — to Tornado Cash.

Chainalysis, another blockchain security firm that’s working with Harmony to investigate the hack, backed up Elliptic’s findings.

Elliptic linked the attack to Lazarus Group, saying the “hack and the subsequent laundering of the stolen crypto assets” is consistent with the activities of the North Korean hackers. It notes that while no single factor proves the involvement of Lazarus in the Horizon Bridge attack, the group has “perpetrated several large cryptocurrency thefts totaling over $2 billion, and has recently turned its attention to DeFi [decentralized finance] services such as cross-chain bridges.”

In April, the U.S. Treasury Department linked the North Korea-backed hacking group to the theft of $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity.

Elliptic notes that the attack was carried out by compromising the cryptographic keys of a multi-signature wallet, a technique commonly used by Lazarus Group, adding that the programmatic laundering of funds it observed following the Horizon Bridge hack was “very similar” to that seen following the Ronin Bridge attack.
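Elliptic's point that the approval quorum itself was what got compromised is easiest to see in code. The Go program below is an added illustration, not Harmony's bridge code and not part of Elliptic's analysis: it models an m-of-n ECDSA multisig over a constructed Transfer message and shows that an attacker holding m signing keys is indistinguishable from m honest signers, so the policy is only as strong as the custody of its m weakest keys. The thresholds, key counts, per-transfer cap and attacker address are all constructed for the example; the page does not state Horizon's actual threshold or controls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transfer is the bridge operation a custodial multisig would approve
// (constructed model, not Harmony's contract format).
type Transfer struct {
	To     string
	Amount uint64
}

// digest is the message each signer actually signs.
func (t Transfer) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", t.To, t.Amount)))
	return h[:]
}

// Signature pairs a signer index with an ASN.1-encoded ECDSA signature.
type Signature struct {
	Signer int
	Sig    []byte
}

// Multisig is an m-of-n approval policy over a fixed signer set, plus a
// per-transfer cap as an illustrative second control (assumed, not from the page).
type Multisig struct {
	Threshold int
	Signers   []*ecdsa.PublicKey
	MaxAmount uint64 // 0 means no cap
}

// Sign produces one signer's approval of t.
func Sign(priv *ecdsa.PrivateKey, idx int, t Transfer) (Signature, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, t.digest())
	if err != nil {
		return Signature{}, err
	}
	return Signature{Signer: idx, Sig: sig}, nil
}

// Authorize approves t only if at least Threshold distinct signers produced
// valid signatures over it and the amount is within the cap. A stolen key
// verifies exactly like an honest one: the policy cannot tell them apart.
func (m Multisig) Authorize(t Transfer, sigs []Signature) bool {
	if m.MaxAmount > 0 && t.Amount > m.MaxAmount {
		return false
	}
	d := t.digest()
	seen := make(map[int]bool)
	for _, s := range sigs {
		if s.Signer < 0 || s.Signer >= len(m.Signers) || seen[s.Signer] {
			continue // unknown signer, or the same key submitted twice
		}
		if ecdsa.VerifyASN1(m.Signers[s.Signer], d, s.Sig) {
			seen[s.Signer] = true
		}
	}
	return len(seen) >= m.Threshold
}

// GenKeys creates n independent signer keys.
func GenKeys(n int) ([]*ecdsa.PrivateKey, error) {
	keys := make([]*ecdsa.PrivateKey, 0, n)
	for i := 0; i < n; i++ {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys = append(keys, k)
	}
	return keys, nil
}

// DrainSucceeds models an attacker holding `compromised` of n keys who submits
// a transfer to their own address; it reports whether the policy approves it.
func DrainSucceeds(threshold, n, compromised int, capAmount, amount uint64) (bool, error) {
	keys, err := GenKeys(n)
	if err != nil {
		return false, err
	}
	pubs := make([]*ecdsa.PublicKey, n)
	for i, k := range keys {
		pubs[i] = &k.PublicKey
	}
	policy := Multisig{Threshold: threshold, Signers: pubs, MaxAmount: capAmount}
	tx := Transfer{To: "0xATTACKER-constructed", Amount: amount}
	var sigs []Signature
	for i := 0; i < compromised && i < n; i++ {
		s, err := Sign(keys[i], i, tx)
		if err != nil {
			return false, err
		}
		sigs = append(sigs, s)
	}
	return policy.Authorize(tx, sigs), nil
}

func main() {
	for _, c := range []struct {
		m, n, stolen int
		capAmt, amt  uint64
	}{
		{2, 5, 2, 0, 100_000_000},         // low quorum, no cap: total loss
		{4, 5, 2, 0, 100_000_000},         // higher quorum: two keys are not enough
		{2, 5, 2, 1_000_000, 100_000_000}, // low quorum but capped: bounded loss
	} {
		ok, err := DrainSucceeds(c.m, c.n, c.stolen, c.capAmt, c.amt)
		fmt.Printf("%d-of-%d, %d keys compromised, cap %d: drain approved=%v err=%v\n",
			c.m, c.n, c.stolen, c.capAmt, ok, err)
	}
}
```

Run it with `go run`. The three scenarios in `main` are the defender's levers: a higher threshold forces the attacker to compromise more independently held keys, and a per-transfer cap (standing in here for the limits, timelocks and velocity checks a real bridge would use) turns a quorum compromise from a total drain into a bounded one that monitoring can catch.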

“Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons,” Elliptic added, referring to the Asia-Pacific region. “Although Harmony is based in the US, many of the core team have links to the APAC region.”

In a series of tweets on Thursday, Harmony said that it has begun a “global manhunt” for the criminal(s) responsible for the $100 million theft. “All exchanges have been notified. Law enforcement, Chainalysis, and AnChainAI have active investigations to identify the responsible actors and recover the stolen assets,” it said. “We are providing one FINAL opportunity for the actor(s) to return stolen assets with anonymity.”

The company also offered the attacker a final ultimatum, pledging to drop its investigation if the funds were returned minus a $10 million bounty. Harmony is also offering $10 million for information leading to the safe return of the funds.
