The recent $100 million theft from cryptocurrency firm Harmony has been confirmed by the US Federal Bureau of Investigation (FBI) to be the work of North Korea’s Lazarus Group and APT28. This revelation came after the FBI identified the cyber actors using the privacy protocol Railgun to launder over $60 million worth of Ethereum stolen during the heist.
In a blog post on Monday, the FBI disclosed that a portion of the stolen Ethereum was converted to Bitcoin and sent to various virtual asset service providers. While some of these funds were frozen in cooperation with the service providers, the remaining Bitcoin was traced to 11 identified addresses.
The FBI’s Los Angeles and Charlotte offices are working to disrupt North Korea’s theft and laundering of virtual currency, which is believed to support the country’s ballistic missile and weapons of mass destruction programs.
Kevin Bocek, VP of security strategy and threat intelligence at Venafi, noted that Lazarus is known for stealing cryptocurrency by exploiting machine identities. The compromise of Harmony’s private keys allowed Lazarus to decrypt data and siphon off funds, which highlights the importance of safeguarding the keys and certificates that make up machine identities.
Bocek also mentioned that research from Venafi has shown that North Korean threat groups often engage in financial cybercrime to support the regime’s survival and evade international sanctions. Companies operating in the cryptocurrency industry, with potential for financial gain, are at risk of being targeted by North Korean threat actors.
The suspicion that the Lazarus Group was involved in the Harmony hack was first raised by blockchain analytics company Elliptic shortly after the breach was disclosed. Additionally, the threat actors have been linked to exploiting a Dell driver vulnerability and orchestrating macOS malware infections.
The FBI’s confirmation of North Korea’s involvement in the Harmony theft underscores the ongoing threat posed by state-sponsored cyber actors in the cryptocurrency sector. As organizations continue to navigate the complex landscape of cybersecurity, protecting machine identities and staying vigilant against sophisticated threats will be crucial in safeguarding digital assets.