North Korean hackers known as Lazarus Group suspected in S$139m Harmony heist

(BLOOMBERG) - Suspected North Korean hackers known as the Lazarus Group are believed to be behind the recent US$100 million (S$139 million) heist on California blockchain Harmony, a firm that tracks stolen cryptocurrency said on Wednesday (June 29).

Harmony confirmed that its Horizon Bridge, a seamless layer which allows cryptocurrency to move across different blockchains, had been hacked last week.

Blockchain forensics company Elliptic Enterprises, which has been tracking Harmony's stolen cryptocurrency to identify who is moving it around the Web, said it believes the Lazarus Group was responsible because the laundering method bears their hallmarks.

In April, the United States Department of Homeland Security issued an alert saying the group was sponsored by the North Korean government, and that it has targeted crypto firms since 2020.

In this case, the hackers targeted username and password credentials of Harmony workers in Asia-Pacific to break into the bridge, Elliptic said.

While using automated laundering services, hackers moved the funds during Asia-Pacific nighttime hours. All of these are signatures of Lazarus' attack methods, Elliptic added.

As of Wednesday, the hacker has already sent 41 per cent of the US$100 million to Tornado Cash, a mixer service used to hide the transaction trail, according to Elliptic.

The hack bore similarities to the recent US$600 million Ronin Bridge attack, which was attributed to Lazarus by the US Treasury Department, Elliptic said.

"There are strong indications that North Korea's Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds," Elliptic wrote in a blog published on Wednesday.

"Team members are working to gather wallet data and strategise plans based on the impact the Horizon bridge theft has caused on users," Horizon said on Twitter.

While remarkable for the sheer amount of stolen cryptocurrency, the Horizon attack highlighted a vulnerability in so-called cryptocurrency bridges, which have been seen as a solution to the clunky interoperability of some blockchains and virtual currencies.

However, recent hacks suggest bridges are more exposed to breaches because the technology running them is complex, making them a prime target for hackers.

The North Korean government has consistently denied any role in cyber-enabled theft.
