Lazarus Group accused of stealing $100 million Harmony crypto • The Register
Investigators from a blockchain analysis team have linked the theft of $100 million worth of crypto assets last week to notorious North Korean cybercrime group Lazarus. The company said it tracked the movement of some of the stolen cryptocurrency to a so-called blender used to launder those ill-gotten funds.
Blockchain startup Harmony announced on June 23 that its Horizon Bridge – a cross-chain bridge service used to transfer assets between Harmony’s blockchain and other blockchains – had been attacked and crypto assets like Ethereum, Wrapped Bitcoin, Binance Coin and Tether stolen.
According to blockchain analytics firm Elliptic, the attacker immediately turned to Uniswap, a decentralized exchange, to convert most of the assets into 85,837 Ethereum, which researchers say is a common method used by cryptocurrency hackers to prevent stolen assets from being seized.
A few days later, the thief began moving Ethereum into Tornado Cash, a mixer used to launder stolen assets. As of June 29, the attacker had moved approximately 35,000 Ethereum — about $39 million — to Tornado Cash and the process is ongoing, Elliptic researchers wrote in a blog post.
“By sending these funds through Tornado, the thief attempts to break the transaction trail back to the original theft. This makes it easier to cash out the funds on an exchange,” they wrote.
Using the company’s own Tornado unmixing methods, Elliptic researchers were able to trace the stolen funds through Tornado Cash to several new Ethereum wallets. They also suggested that exchanges and other crypto firms could use Elliptic’s transaction screening software to detect whether any incoming funds came from the Horizon Bridge hack.
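The screening the researchers describe is, at its core, taint propagation over the transfer graph: a deposit is suspicious if funds from the known exploit address reach it, and the "haircut" model weights that by how much clean money was commingled along the way. The example below is an added illustration, not Elliptic's or Harmony's code, and runs over a small constructed set of transfers rather than real on-chain data.

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver, amount in ETH), in chronological
# order. Addresses and amounts are invented for illustration, not real chain data.
TRANSFERS = [
    ("bridge_exploit_addr", "hacker_a", 100.0),
    ("hacker_a", "hacker_b", 60.0),
    ("hacker_a", "hacker_c", 40.0),
    ("clean_user", "hacker_c", 40.0),       # clean funds commingled at hacker_c
    ("hacker_b", "exchange_deposit_1", 60.0),
    ("hacker_c", "exchange_deposit_2", 80.0),
    ("clean_user", "exchange_deposit_3", 5.0),
]

def reachable_from(source, transfers):
    """'Poison' model: every address with any transfer path back to `source`."""
    out = defaultdict(list)
    for sender, receiver, _ in transfers:
        out[sender].append(receiver)
    seen, queue = {source}, deque([source])
    while queue:
        for nxt in out[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def haircut_fractions(source, transfers):
    """'Haircut' model: fraction of each address's current balance that traces to
    `source`, propagated proportionally through every transfer. Assumes transfers
    are ordered chronologically; everything sent by `source` itself is 100% tainted."""
    tainted = defaultdict(float)   # tainted amount currently held per address
    balance = defaultdict(float)   # total amount currently held per address
    for sender, receiver, amount in transfers:
        if sender == source:
            frac = 1.0
        else:
            frac = tainted[sender] / balance[sender] if balance[sender] > 0 else 0.0
            tainted[sender] -= amount * frac
            balance[sender] -= amount
        tainted[receiver] += amount * frac
        balance[receiver] += amount
    return {a: tainted[a] / balance[a] for a in balance if balance[a] > 0}

def should_hold_deposit(address, source, transfers, threshold=0.1):
    """Screening decision an exchange might apply: hold deposits whose tainted
    share exceeds `threshold` (a constructed policy value, not a standard)."""
    return haircut_fractions(source, transfers).get(address, 0.0) > threshold
```

A real mixer breaks the explicit graph edges, so the timing and amount heuristics mentioned later in the article are needed to re-link deposits and withdrawals before this propagation can continue past it.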
Their analysis of the attack found a combination of factors that, the company said, indicated the Lazarus Group was involved. The gang has stolen over $2 billion through multiple cryptocurrency thefts and recently started focusing on decentralized finance (DeFi) services like cross-chain bridges. Lazarus is believed to be behind the heist of at least $540 million in a hack last month of Ronin Bridge, an Ethereum-based network that supports Axie Infinity, a blockchain video game.
There were similarities between the Horizon and Ronin bridge attacks, including an automated process for deposits into Tornado.
The US Treasury Department also identified Lazarus – also known as AppleWorm, APT-C-26 and Hidden Cobra, among other aliases – as the likely perpetrator of the Ronin Bridge breach and announced new sanctions against a Lazarus Ethereum wallet.
The researchers also noted that the Horizon Bridge attack was carried out using compromised keys from a multi-signature wallet, which likely came from a social-engineering attack on Harmony employees; that many members of Harmony’s US-based core team had ties to the Asia-Pacific region; and that the periods when no stolen funds were being withdrawn from Tornado Cash correspond to night hours in that region.
All of these indicators point to Lazarus, they wrote.
In their latest update this week, Harmony officials wrote that a “global manhunt for the criminal(s)” is underway, that all exchanges have been notified, and that law enforcement and Harmony’s partners Chainalysis and AnChainAI are investigating.
They also reaffirmed the July 4 deadline for the hackers to return the crypto assets anonymously and keep $10 million. At the same time, the company has put a $10 million bounty on information that leads to the return of the funds and the arrest of the hackers.
In April, three US agencies issued an alert about Lazarus’ growing interest in the cryptocurrency market, which the gang has targeted since at least 2020, and last year issued a warning about Lazarus’ AppleJeus malware, which was used to steal cryptocurrency.
North Korean Hacking Groups Targeting Crypto
Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4, told The Register that North Korean hacking groups have long targeted traditional financial funds and are now eyeing cryptocurrencies. One of the main reasons is that it is difficult to reverse the transactions once an attack has occurred.
“With traditional finance, if someone steals something of value, it’s pretty easy to identify the theft, reverse the transaction, and restore the victim,” Grimes said.
“Cryptocurrencies are more like bearer bonds. The holder of bearer bonds is the ‘rightful’ owner of the bonds and their associated value, even if they have been stolen. Most cryptocurrencies and their associated blockchains don’t have a mechanism to undo a transfer of value, even if that transfer was illegal or unethical in every way imaginable. The thief can just laugh in everyone’s face and say, ‘Sorry for your bad luck.’”
Given the large number of scams and thefts involving cryptocurrency and other DeFi projects, many of these groups are working on ways to reverse or limit the damage caused by theft and scams. However, it’s not easy, he says.
“Many within the cryptocurrency and DeFi industries are fighting against these new methods of reversal, as they begin to make transactions more regulated and closer to regular currency and banks, which much of the online industry inherently hates,” Grimes said. “As long as the cryptocurrency and DeFi industry fights increasing regulation, thieves like this North Korean hacking group will continue to profit.”
That said, more regulation and oversight will likely be needed as the number of people participating won’t increase significantly as long as they can be robbed without recourse. ®