The FBI announced Monday that it has concluded that the North Korean hacking group Lazarus Group was behind the $100 million hack of Harmony Protocol last June.
On January 13th, six months after the heist, more than $60 million worth of the stolen ETH was laundered. That movement of funds allowed the investigative agency to confidently identify Lazarus and APT38, another North Korean cyber group, as the perpetrators of the theft.
The hackers used RAILGUN, a privacy protocol, in an attempt to conceal their transactions. Even so, a portion of the funds was frozen and recovered with the help of exchanges when the hackers tried to swap it for bitcoin. The unrecovered funds were later sent to 11 Ethereum addresses.
The FBI and its investigative partners “will continue to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and weapons of mass destruction programs,” the agency said in its statement.
Immediately after the June Harmony hack, blockchain analysts linked the attack to Lazarus through a combination of on-chain investigation and comparison with previous hacks attributed to the group. Although the US government had previously spoken about the threat posed by the group, it had not formally attributed the Harmony hack to it until now.
The attack targeted a cross-chain bridge connecting Harmony, a layer-one blockchain, to Ethereum, Bitcoin and Binance Chain. The approach echoes previous Lazarus-linked attacks, including the April 2022 theft of $622 million from the Ronin Network, an Ethereum sidechain used by the play-to-earn crypto game Axie Infinity.
Since 2017, North Korean hacking groups, including Lazarus and APT38, have stolen an estimated $1.2 billion worth of cryptocurrency, according to an Associated Press report.
“The FBI will continue to expose and combat the DPRK’s use of illicit activities — including cybercrime and theft of virtual currency — to generate revenue for the regime,” the announcement reads.
Cyber groups affiliated with North Korea are also said to have expanded their activities beyond hacking. In late December, a report claimed that Lazarus also poses as venture capitalists, prospective employers and even banks.
“Intrusions begin with a large number of spear phishing messages sent to employees of cryptocurrency companies — often working in system administration or software development/IT operations (DevOps) — on a variety of communication platforms, not just email,” according to a federal cybersecurity alert issued in April 2022. “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.”
In response to these crypto-focused attacks, the US government has targeted cryptocurrency mixing services: tools that allow users to obscure the public transaction trails of their crypto assets. In August, the Treasury Department sanctioned the Ethereum coin mixer Tornado Cash and numerous wallet addresses associated with the service, citing its use by Lazarus to launder funds from previous hacks as justification for the action.
The move was widely criticized in the crypto community as an unlawful overreach that needlessly threatened users’ privacy. An ongoing lawsuit, led by the non-profit cryptocurrency policy group Coin Center, is challenging the ban.
*Translated by Gustavo Martins with permission from Decrypt.