Investigators at a blockchain analysis outfit have linked the theft of $100 million in crypto assets last week to the notorious North Korean-based cybercrime group Lazarus. The company said it had tracked the movement of some of the stolen cryptocurrency to a so-called mixer used to launder such ill-gotten funds.

Blockchain startup Harmony announced June 23 that its Horizon Bridge – a cross-chain bridge service used to transfer assets between Harmony’s blockchain and other blockchains – had been attacked and crypto assets like Ethereum, Wrapped Bitcoin, Binance Coin, and Tether stolen.

According to blockchain analytics company Elliptic, the attacker immediately turned to Uniswap, a decentralized exchange, to convert most of the assets into 85,837 Ethereum, which researchers said is a common method used by hackers to avoid the stolen assets from being seized.

Days later, the thief began moving the Ethereum into Tornado Cash, a mixer used to launder stolen assets. As of June 29, the attacker had moved about 35,000 Ethereum – about $39 million – to Tornado Cash and the process is continuing, Elliptic researchers wrote in a blog post.

“By sending these funds through Tornado, the thief is attempting to break the transaction trail back to the original theft. This makes it easier to cash out the funds at an exchange,” they wrote.

Using the company’s own Tornado de-mixing methods, the Elliptic researchers were able to trace the stolen funds through Tornado Cash to several new Ethereum wallets. They also suggested other exchanges and crypto businesses would be able to use Elliptic’s transaction screening software to detect if any incoming funds originated from the Horizon Bridge hack.

Their analysis of the attack found a combination of factors the company said indicated that the Lazarus Group was involved. The gang has stolen more than $2 billion through multiple cryptocurrency thefts and recently began focusing on distributed finance (DeFi) services like cross-chain bridges. Lazarus is suspected of being behind the heist of at least $540 million in a hack last month of Ronin Bridge, an Ethereum-based network that supports Axie Infinity, a blockchain video game.

There were similarities between the Horizon and Ronin bridges attacks, including an automated process of deposits into Tornado.

The US Treasury Department also identified Lazarus – also known as AppleWorm, APT-C-26, and Hidden Cobra, among other aliases – as the likely perpetrator behind the Ronin Bridge breach and announced new sanctions against a Lazarus Ethereum wallet.

The researchers also noted that the Horizon Bridge attack was done though compromised encryption keys of a multi-signature wallet that likely came via a social-engineering attack on Harmony employees, that many of the core team at US-based Harmony have links to the Asia-Pacific region, and that the times the stolen funds were not being moved out of Tornado Cash are consistent with nighttime hours in that region.

All those indicators point the finger at Lazarus, they wrote.

In their latest update this week, Harmony officials wrote that a “global manhunt for the criminal(s)” is under way, that all exchanges have been notified, and that law enforcement and Harmony partners Chainalysis and AnChainAI are investigating.

They also reaffirmed the July 4 deadline for the hackers to return the crypto assets anonymously and keeping $10 million of it. At the same time, the company put a $10 million bounty for information that leads to the funds being returned and the hackers arrested.

Three US agencies in April issued an alert about Lazarus’s growing interest in the cryptocurrency market, which the gang has targeted since at least 2020, and last year sent a warning about Lazarus’s AppleJeus malware that was used to steal cryptocurrency.

North Korean hacking groups targeting crypto

Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4, told The Register that North Korean hacking groups have long targeted traditional finance funds and now are eyeing cryptocurrencies. A key reason is that it’s hard to reverse the situation when an attack has occurred.

“With traditional finance, if someone steals something of value, it’s fairly easy to identify the theft, reverse the transaction and make the victim whole again,” Grimes said.

“Cryptocurrencies are more like bearer bonds. The holder of bearer bonds is the ‘lawful’ owner of the bonds and their associated value even if they were stolen. Most cryptocurrencies and their related blockchains don’t have a mechanism for reversing a transfer of value even if that transfer was illegal or unethical in every conceivable way. The thief can just laugh in everyone’s face and say, ‘Sorry about your bad luck.'”

Given the large number of scams and thefts involving cryptocurrency and other DeFi projects, many of those groups are working on ways to reverse or limit the damage from theft and scams. However, it’s not easy, he said.

“Many within the cryptocurrency and DeFi industries are fighting these new methods of reversal because it begins to make the transactions more regulated-looking and closer to regular currency and banks, which much of the online industry inherently abhors,” Grimes said. “For however long the cryptocurrency and DeFi industry fights increasing regulation, thieves like this North Korean hacking group will continue to take advantage.”

That said, increased regulation and oversight likely will be required because the number of people participating won’t grow significantly as long as they can get robbed without recourse. ®