Harmony attackers transferred over 18,000 ETH to three addresses, most of which was subsequently transferred to Tornado Cash in batches of 100 ETH. The attacker’s wallet also contained 49,794 ETH. Elliptic appears to be a North Korean hack similar to the Ronin hack.
Lazarus Group is the top suspect
On the morning of June 24th, over $100 million in cryptoassets was stolen from Horizon Bridge – a service that allows assets to be transferred between the Harmony blockchain and other blockchains.
The stolen cryptoassets included Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB. The thief immediately used Uniswap – a decentralized exchange (DEX) – to convert much of these assets into a total of 85,837 ETH. This is a common laundering technique used to avoid seizure of stolen assets.
The Horizon Bridge hacker has so far sent 41% of the $100 million in stolen cryptoassets into the Tornado Cash mixer.
Mixers such as Tornado Cash are used to hide the transaction trail. However, Elliptic has used its Tornado demixing capability to trace all of the stolen funds through Tornado and onwards to other wallets. Users of Elliptic’s solutions can now screen wallets and transactions for links to the stolen funds – even those that have passed through Tornado.
According to the analysis of Elliptic, it is consistent with the activities of Lazarus Group – a cybercrime group with close links to North Korea.
- The Lazarus Group has perpetrated several large cryptocurrency thefts totaling over $2 billion, and has recently turned its attention to DeFi services such as cross-chain bridges. For example, the group is believed to be behind the $540 million hack of Ronin Bridge.
- The theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet – likely through a social engineering attack on Harmony team members. Such techniques have frequently been used by the Lazarus Group.
- Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons. Although Harmony is based in the US, many of the core team have links to the APAC region.
- The regularity of the deposits into Tornado over extended periods of time suggests that an automated process is being used. We have observed very similar programmatic laundering of funds stolen from the Ronin Bridge, which has been attributed to Lazarus, as well as a number of other attacks linked to the group.
- The relatively short periods during which the stolen funds stop being moved out of Tornado cash are consistent with APAC nighttime hours.
The stolen funds as the laundering progresses, and will update its tools to reflect the movement of these assets.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
Join CoinCu Telegram to keep track of news: https://t.me/coincunews