Security Experts:

North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge Heist

The infamous North Korean Lazarus hacking group is the prime suspect in the $100 million hack of Harmony’s Horizon Bridge, according to new data and research from blockchain analytics firm Elliptic.

The multi-million compromise, confirmed by Harmony earlier this month, led to the theft of ETH, BNB, USDT, USDC and Dai from the Horizon cross-chain bridge and now there’s evidence linking the heist to Lazarus, a hacking outfit linked to the North Korean government.

Elliptic, a London-based blockchain analysis firm, says the hackers have started moving funds through Tornado Cash, a mixer typically used to hide cryptocurrency transaction trails.

"The Horizon Bridge hacker has so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer," Elliptic said on Friday.  "[We used our] Tornado demixing capability to trace all of the stolen funds through Tornado and onwards to other wallets," the company added.

[ READ: U.S. Gov Blames North Korea Hackers for $600M Cryptocurrency Heist ]

Elliptic said there are "strong indications" that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds. 

The Lazarus hackers have been linked to the theft of more than $2 billion in cryptocurrency assets from exchanges, and DeFi services.

The linking of Lazarus to this hack follows the U.S. government assessment in April that the North Koreans were responsible for a $600 million Ronin Validator cryptocurrency heist that is considered the second largest crypto theft of all time

The attribution was contained in a notice from the U.S. Treasury that announced sanctions against the Ethereum address that received the stolen funds.

[ READ: Hackers Steal Over $600M in Major Crypto Heist ]

According to new data from Elliptic, the thieves have already moved about $39 million through the Tornado mixer in an attempt to break the transaction trail back to the original theft. This makes it easier to cash out the funds at an exchange.

“The regularity of the deposits into Tornado over extended periods of time suggests that an automated process is being used. We have observed very similar programmatic laundering of funds stolen from the Ronin Bridge, which has been attributed to Lazarus, as well as a number of other attacks linked to the group,” Elliptic said.

State-backed North Korean hacking groups have been actively targeting cryptobanks and cryptocurrency exchanges with malware attacks with the Lazarus team conducting APT attacks since at least 2017.   

The hacking teams in North Korea have also been seen targeting offensive security researchers and using a fake pen-test company in attacks that employ rich social engineering tactics.  The APT group has also been caught sharing zero-day exploits for modern web browsers.

Related: Google Warning: North Korean Gov Hackers Targeting Security Researchers

Related: North Korea Gov Hackers Caught Sharing Chrome Zero-Day

Related: North Korean Hackers Back With Fake Pen-Test Company

Related: The Curious Case of the $600 Million Crypto Heist

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.