North Korean Hackers Behind $100M Horizon Hack

According to an FBI announcement on Monday, the North Korean state-linked Lazarus Group carried out the roughly $100 million theft from Harmony's Horizon bridge last June.

Roughly six months after the theft, on January 13, the attackers moved more than $60 million worth of the stolen ETH. Tracing that movement allowed the FBI to positively identify the Lazarus Group and APT38, a second North Korean cyber unit, as the perpetrators.

The hackers attempted to obscure the trail by routing the funds through the privacy protocol RAILGUN. A portion of the ETH was then sent to several virtual asset service providers and swapped for Bitcoin; some of those funds were frozen in coordination with the providers. The remaining Bitcoin was moved to 11 addresses that the FBI listed in its announcement.

According to the release, the FBI and its partner agencies would “continue to detect and disrupt North Korea’s theft and laundering of virtual currency, which is utilized to finance North Korea’s ballistic missile and Weapons of Mass Destruction programs.”

Blockchain analysts had already connected the June Harmony attack to the Lazarus Group, using a combination of on-chain tracing and similarities to the laundering patterns seen in the group's earlier hacks.

The Lazarus Group has long been a concern for the US government. Until this announcement, however, it had not been formally named as the party behind the Harmony breach.

The target of the breach was the cross-chain bridge linking Harmony, a layer-1 blockchain, to Ethereum, Bitcoin, and Binance Chain. Going after a bridge is reminiscent of other attacks attributed to the Lazarus Group, such as the $622 million breach of the Ronin Network, an Ethereum sidechain used by the play-to-earn game Axie Infinity, which the Treasury Department attributed to the group in April.

The Lazarus Group and APT38 are two North Korean hacking groups that have stolen an estimated $1.2 billion worth of cryptocurrency since 2017.

“The FBI will continue to expose and combat the DPRK’s use of illicit activities—including cybercrime and virtual currency theft—to generate revenue for the regime,” the announcement read.

North Korea's cyber units are doing more than breaking into systems. According to research published in late December, Lazarus Group operators also pose as banks, prospective employers, and venture capital investors to approach their targets.

“Intrusions begin with a large number of spear phishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on various communication platforms,” according to a federal cybersecurity alert issued last April. “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.”

In response to these crypto-focused attacks, the US government has also targeted coin-mixing services, which let users obscure the otherwise transparent trail of cryptocurrency transactions.

In August, the Treasury Department sanctioned the Ethereum coin mixer Tornado Cash and multiple wallet addresses linked to it, citing the Lazarus Group's use of the service to launder proceeds from earlier attacks.

Within the cryptocurrency industry, the sanctions were roundly criticized as an unlawful overreach that needlessly endangered user privacy. The designation is being challenged in an ongoing lawsuit led by the cryptocurrency policy nonprofit Coin Center.