The notorious North Korea-backed hacking collective Lazarus Group is suspected to be behind the recent $100 million altcoin theft from Harmony Horizon Bridge, based on similarities to the Ronin bridge attack in March 2022.
In the incident, the exploiter carried out multiple transactions on June 23 that extracted tokens stored in the bridge, making away with about $100 million in cryptocurrency.
“The stolen crypto assets included Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB,” blockchain analytics company Elliptic said in a new report. “The thief immediately used Uniswap – a decentralized exchange (DEX) – to convert much of these assets into a total of 85,837 ETH.”
Days later, on June 27, the culprit is said to have begun moving funds amounting to $39 million through the Tornado Cash mixer service in an attempt to obfuscate the ill-gotten gains and make it difficult to trace the transaction trail back to the original theft.
Elliptic, which was able to “demix” the transactions, said it was in a position to further track the stolen funds funneled through the service to a number of new Ethereum wallets.
The company’s attribution to the Lazarus Group stems from the threat actor’s history of carrying out cryptocurrency thefts, including those targeting cross-chain bridges earlier this year, and the manner in which the funds were stolen and subsequently laundered.
“The theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet – likely through a social engineering attack on Harmony team members,” it said. “Such techniques have frequently been used by the Lazarus Group.”
“The relatively short periods during which the stolen funds stop being moved out of Tornado Cash are consistent with [Asia-Pacific] nighttime hours,” Elliptic added. “Although no single factor proves the involvement of Lazarus, in combination they suggest the group’s involvement.”
Harmony has since notified all cryptocurrency exchanges and involved law enforcement and blockchain forensic firms to help in the recovery of stolen assets. It’s also offering “one final opportunity” for the cyber thieves to send the funds back with anonymity and “retain $10 million and return the remaining amount” by July 4, 2022, 11 p.m. GMT.
On top of that, it has promised a $10 million reward for any information that leads to the return of plundered virtual currencies.
The Horizon Bridge digital heist also arrives against the backdrop of a “crypto winter” that has witnessed a steep decline in cryptocurrency markets, sending prices of Bitcoin down below $20,000 and potentially risking a key source of income for the sanctions-hit North Korea.
In a related development, Sky Mavis, developers of the popular non-fungible token (NFT) video game Axie Infinity, announced this week the official restart of the Ronin Bridge following three different audits.
What’s more, the European Parliament and Council reached a landmark agreement on Wednesday to force crypto platforms to provide identifying information on the originators and the beneficiaries in a bid to enforce transparency of crypto-asset transfers.
“This is what payment service providers currently do for wire transfers,” the Council said in a press statement. “This will ensure traceability of crypto asset transfers in order to be able to better identify possible suspicious transactions and block them.”