North Korean hackers linked to $100m Harmony theft

The Lazarus Group is believed to be behind the recent $100 million heist on California blockchain Harmony, with blockchain forensics company Elliptic Enterprises Ltd linking the North Korean hacking group with the incident.

Harmony has disclosed its Horizon Bridge, a seamless layer which allows cryptocurrency to move across different blockchains, had been hacked last week.

According to Elliptic Enterprises, a blockchain forensics firm that tracks stolen cryptocurrency, it believes the Lazarus Group was responsible because it appears the laundering method gave away their hallmarks. Elliptic Enterprises has been tracking Harmony's stolen cryptocurrency to identify who is moving it around the web.

The US Department of Homeland Security issued an alert saying the group was sponsored by the North Korean government in April, according to Bloomberg, and that it has targeted crypto firms since 2020.

To break into the bridge, Elliptic Enterprises further explained that the hackers targeted username and password credentials of Harmony workers in Asia-Pacific this time around. The hackers then moved the funds during Asia-Pacific night-time hours while using automated laundering services, trademarks of Lazarus' attack methods, Elliptic Enterprises added.

The hacker had sent 41 per cent of the $100 million to a Tornado Cash mixer, a reference to the service used to hide the transaction trail. Elliptic Enterprises added that this hack is very similar to the $600 million Ronin Bridge attack, which was attributed to Lazarus by the US Treasury Department.

"There are strong indications that North Korea's Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds," Elliptic Enterprises stated on their blog.

The Horizon attack highlights a vulnerability in so-called cryptocurrency bridges, which have been seen as a solution to clunky inoperability of some blockchains and virtual currencies. In contrast, recent hacks suggest the "bridges" are more exposed to breaches as the technology running them is complex, making them a prime target for hackers.

The North Korean government has consistently denied any role in cyber-enabled theft.