The infamous North Korean Lazarus hacking group is the prime suspect in the $100 million hack of Harmony’s Horizon Bridge, according to new data and research from blockchain analytics firm Elliptic.
The multi-million compromise, confirmed by Harmony earlier this month, led to the theft of ETH, BNB, USDT, USDC and Dai from the Horizon cross-chain bridge and now there’s evidence linking the heist to Lazarus, a hacking outfit linked to the North Korean government.
Elliptic, a London-based blockchain analysis firm, says the hackers have started moving funds through Tornado Cash, a mixer typically used to hide cryptocurrency transaction trails.
“The Horizon Bridge hacker has so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer,” Elliptic said on Friday. “[We used our] Tornado demixing capability to trace all of the stolen funds through Tornado and onwards to other wallets,” the company added.
Elliptic said there are “strong indications” that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds.
The Lazarus hackers have been linked to the theft of more than $2 billion in cryptocurrency assets from exchanges, and DeFi services.
The linking of Lazarus to this hack follows the U.S. government assessment in April that the North Koreans were responsible for a $600 million Ronin Validator cryptocurrency heist that is considered the second largest crypto theft of all time
The attribution was contained in a notice from the U.S. Treasury that announced sanctions against the Ethereum address that received the stolen funds.
According to new data from Elliptic, the thieves have already moved about $39 million through the Tornado mixer in an attempt to break the transaction trail back to the original theft. This makes it easier to cash out the funds at an exchange.
“The regularity of the deposits into Tornado over extended periods of time suggests that an automated process is being used. We have observed very similar programmatic laundering of funds stolen from the Ronin Bridge, which has been attributed to Lazarus, as well as a number of other attacks linked to the group,” Elliptic said.
State-backed North Korean hacking groups have been actively targeting cryptobanks and cryptocurrency exchanges with malware attacks with the Lazarus team conducting APT attacks since at least 2017.
The hacking teams in North Korea have also been seen targeting offensive security researchers and using a fake pen-test company in attacks that employ rich social engineering tactics. The APT group has also been caught sharing zero-day exploits for modern web browsers.