Elliptic Suggests North Korea’s Lazarus Group Behind $100m Cryptocurrency Theft
Last week, blockchain analytics company Elliptic released an advisory suggesting that North Korea’s Lazarus Group may be responsible for the recent $100 million theft from cryptocurrency firm Harmony. The security experts confirmed Harmony’s initial claims that the funds were stolen through Horizon Bridge, a platform that facilitates the transfer of cryptocurrency across blockchains.
Stolen Crypto-Assets
The stolen crypto-assets included Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB. According to Elliptic, the thief quickly swapped the non-ETH assets into ETH, amassing 85,837 ETH, using Uniswap, a decentralized exchange (DEX). Swapping out of tokens such as USDT and WBTC is a common first laundering step: their issuers can freeze or blacklist balances held at specific addresses, whereas native ETH has no such freeze mechanism, and a DEX has no custodian or identity checks that could intervene before the funds move on.
Laundering Techniques
Elliptic tracked the ETH and found the threat actors moving it into Tornado Cash, a smart-contract mixer that accepts deposits of fixed denominations and later releases the same amount to an address of the depositor's choosing, with a zero-knowledge proof standing in for any on-chain link between deposit and withdrawal. So far over 35,000 ETH ($39 million) of the stolen funds has been sent to Tornado Cash, and the process is ongoing. The aim is to break the transaction trail so that the funds can be cashed out through an exchange without being traced back to the theft.
Links to Lazarus Group
Despite these efforts, Elliptic used demixing techniques to follow the assets through Tornado Cash to a set of new Ethereum wallets. A mixer only hides funds among the other deposits that surround them; when one actor's deposits and withdrawals dominate a pool's activity over a period, and are similarly sized and regularly timed, they can often be re-linked. The researchers indicated that the hack and the laundering pattern match the modus operandi of the Lazarus Group, a cybercrime organization tied to North Korea. The Lazarus connection cannot be definitively proven, but several indicators point to the group's involvement.
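The mixing and demixing described in the two paragraphs above can be made concrete with a small heuristic. The following is an added example written for this page, not Elliptic's method (which the advisory does not describe) and not code from Harmony or Tornado Cash. It assumes a constructed ledger of deposits and withdrawals for a single 100 ETH pool and two attacker addresses already traced from the bridge drain; it scores each withdrawal by how much of the pool's recent anonymity set came from tainted addresses, and checks whether the flagged withdrawals are spaced at the near-constant intervals a script would produce.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Tornado Cash pools accept fixed denominations (0.1, 1, 10, 100 ETH) and let the
# depositor later withdraw the same amount to any address with a zero-knowledge proof.
# The on-chain link is hidden only among the other deposits around the withdrawal
# (the "anonymity set"); if one actor dominates that set, the hiding is weak.

@dataclass(frozen=True)
class Deposit:
    ts: int        # block timestamp (unix seconds)
    sender: str    # depositing address
    pool: int      # pool denomination in ETH

@dataclass(frozen=True)
class Withdrawal:
    ts: int
    recipient: str
    pool: int

# Constructed data, not real chain data: two wallets already traced from the bridge
# drain feed the 100 ETH pool at a regular interval, then withdrawals go to fresh wallets.
TAINTED = {"0xattacker1", "0xattacker2"}

DEPOSITS = [
    Deposit(0,     "0xattacker1", 100),
    Deposit(900,   "0xattacker1", 100),
    Deposit(1200,  "0xalice",     100),   # unrelated user sharing the pool
    Deposit(1800,  "0xattacker2", 100),
    Deposit(2700,  "0xattacker1", 100),
    Deposit(3600,  "0xattacker2", 100),
    Deposit(4500,  "0xattacker1", 100),
    Deposit(20000, "0xcarol",     100),
    Deposit(21000, "0xdave",      100),
    Deposit(22000, "0xerin",      100),
]

WITHDRAWALS = [Withdrawal(7200 + 600 * i, f"0xfresh{i}", 100) for i in range(6)] + [
    Withdrawal(30000, "0xbob", 100),      # legitimate withdrawal well after the attacker's run
]

def taint_score(w, deposits, window):
    """Share of same-pool deposits in the `window` seconds before `w` that came from
    tainted addresses. Returns (score, anonymity_set_size); score is 0.0 when empty."""
    cands = [d for d in deposits if d.pool == w.pool and w.ts - window <= d.ts < w.ts]
    if not cands:
        return 0.0, 0
    tainted = sum(1 for d in cands if d.sender in TAINTED)
    return tainted / len(cands), len(cands)

def flag_withdrawals(deposits, withdrawals, window=6 * 3600, threshold=0.75):
    """Withdrawals whose recent anonymity set is dominated by tainted deposits.
    Returns a list of (withdrawal, score, anonymity_set_size)."""
    out = []
    for w in withdrawals:
        score, n = taint_score(w, deposits, window)
        if n and score >= threshold:
            out.append((w, score, n))
    return out

def cadence(withdrawals):
    """Mean gap and coefficient of variation between consecutive withdrawals.
    A CV near 0 means near-constant spacing, which is what scripted withdrawals look like."""
    ts = sorted(w.ts for w in withdrawals)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return None, None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)

if __name__ == "__main__":
    flagged = flag_withdrawals(DEPOSITS, WITHDRAWALS)
    for w, score, n in flagged:
        print(f"{w.recipient}: tainted share {score:.2f} of {n} deposits in window")
    print("cadence of flagged withdrawals:", cadence([w for w, _, _ in flagged]))
```

On the constructed data the six withdrawals to fresh wallets score 6/7 (only one unrelated deposit shares their window) and are spaced exactly 600 seconds apart, while the later withdrawal to 0xbob sees no tainted deposits at all. Real analysis adds further signals the page does not cover, such as relayer choice and gas-price settings, and treats such scores as leads to corroborate rather than proof.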
Clues and Indicators
One significant clue is the resemblance between the tactics used in the Harmony attack and the $540 million hack of Ronin Bridge, which was later attributed to North Korea. Further indicators include the compromise of the private keys controlling a multi-signature wallet (signing authority was stolen rather than a contract exploited), the targeting of APAC-based entities (Harmony is US-based, but its team has APAC connections), and the use of automated, scripted processes to move funds into Tornado Cash.
Monitoring and Updates
Elliptic stated that it will continue to monitor the stolen funds as the laundering unfolds and will update its tools to reflect where the assets move, so that exchanges and other services screening incoming deposits can flag them. The company remains focused on tracking the stolen cryptocurrency and identifying further links to the Lazarus Group.