The Lazarus Group – a North Korean hacking group believed to be supported by the Kim regime – is likely behind last week’s hack of Harmony Bridge, according to new analysis by blockchain research firm Elliptic.
The attack drained the service, which enables crypto assets to be traded between the Harmony blockchain and other blockchains, of $100 million worth of crypto, including ether (ETH), tether (USDT) and wrapped bitcoin (wBTC) on the morning of June 24.
North Korean hackers have grown increasingly sophisticated; in 2021 they stole an estimated $400 million, mostly in ether. The total for 2022 has already far surpassed that figure.
According to Elliptic, the attackers converted the stolen assets to 85,837 ETH following the hack and, beginning on June 27, began to send some of the ETH through Tornado Cash, a mixer commonly used to launder illegally obtained crypto. So far, approximately 35,000 ETH – 41% of the total funds stolen – have been sent to Tornado Cash.
The Harmony Bridge hack is consistent with other hacks attributed to the Lazarus Group, including the $635 million Ronin Bridge hack in March, which was possibly the largest hack in the history of decentralized finance (DeFi).
Elliptic’s analysis also highlights other factors in the Harmony Bridge hack that point to the Lazarus Group, including the automated deposits into Tornado Cash that mimic programmatic laundering of the Ronin Bridge funds, as well as the timing of the theft, which correlates with Asia-Pacific (APAC) nighttime hours.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.