Elliptic: North Korean hackers may be behind Harmony hack
According to analysts, the exploit and money laundering tactics through the mixer are similar to other incidents that have been linked to the Lazarus group
30.06.2022 - 11:00
What’s new? Analysts at Elliptic said that the North Korean hacker group Lazarus may be behind the Horizon bridge hack on the Harmony network. The exploit was carried out by compromising the cryptographic keys of a multi-signature wallet, likely using social engineering techniques against members of the Harmony team. The analysts noted that Lazarus hackers have frequently used this method.
Investigation details. Elliptic has highlighted several other reasons indicating that a North Korean group may have been behind the hack. Lazarus tends to focus on targets in the Asia-Pacific region, perhaps for linguistic reasons. Although Harmony is based in the US, many members of the core team have ties to this region.
According to experts, the attackers have already sent more than 35,000 ETH ($39 million) through the Tornado Cash transaction mixer, which is about 41% of the funds stolen as a result of the exploit. Experts stressed that the transfers are continuing.
According to the analysts, the regularity of the transfers is consistent with the use of automated software for this purpose. Experts observed a similar method during the laundering of funds stolen from the Ronin sidechain, a hack that Lazarus hackers are also suspected of carrying out. In that case, the attackers withdrew more than $625 million in cryptocurrency. Elliptic added that the periods during which the stolen funds stop being withdrawn from Tornado Cash correspond to the night hours in the Asia-Pacific region.
Hacking investigation. Horizon was subjected to an exploit on the morning of June 24. Hackers withdrew $100 million in cryptocurrency and then exchanged the assets on the Uniswap exchange. On June 26, the Harmony developers offered the attackers $1 million for the return of the remaining funds and information about the exploited vulnerability, adding that they would oppose criminal prosecution if the attackers did so. On June 28, Harmony said that it was cooperating with the FBI and blockchain analytics companies to investigate the hack. The reward was later increased to $10 million, with a deadline of July 4 for the return of the stolen funds.
1/ Harmony has begun a global manhunt for the criminal(s) who stole $100M from the Horizon bridge. All exchanges have been notified. Law enforcement, @Chainalysis, and @AnChainAI have active investigations to identify the responsible actors and recover the stolen assets. — Harmony 💙 (@harmonyprotocol) June 30, 2022