North Korean Hackers Attacked Horizon, Confirms FBILazarus Group Stole $100M From the Blockchain Bridge in June
The U.S. FBI on Monday confirmed what Web3 security experts have long said: State-sponsored North Korean hackers are responsible for the $100 million theft from Harmony-run blockchain bridge Horizon.
The Lazarus Group last week attempted to off-ramp $63.5 million worth of spoils from the Horizon heist using cryptomixers, smart contract privacy platform Railgun and centralized exchanges, popular Web3 security sleuth ZackXBT said. Crypto exchanges Binance and Huobi intervened to freeze a small portion of the funds flowing through their respective platforms, Binance CEO Changpeng Zhao said, although ZackXBT added that the companies were unable to entirely stop the North Korean hackers from cashing out.
The FBI confirmed in its statement that the hackers had used Railgun to launder the stolen ethereum coins on Jan. 13. The agency also froze a portion of the funds by partnering with some virtual asset service providers, where the hackers attempted to convert the ethereum into bitcoin, it said. It did not specify the amount of funds it froze.
The federal agency said it will "continue to expose and combat North Korea's use of illicit activities - including cybercrime and virtual currency theft - to generate revenue for the regime," including its ballistic missile and weapons of mass destruction programs.
Blockchain analytics firm Elliptic in June said that telltale signs from the hack and subsequent laundering were consistent with activities undertaken by Pyongyang hackers. While there was no smoking gun at the time, Elliptic said that the Lazarus Group had already been implicated in several large cryptocurrency thefts and had recently turned its attention to decentralized financial, including bridges that allow the transfer of cryptocurrencies across networks.
North Korea is also heavily suspected of being behind the more than $600 million Ronin bridge hack in March (see: North Korea Behind $100M Harmony Theft, Say Researchers).
The Lazarus Group used a malware campaign called TraderTraitor to attack the Harmony bridge, the FBI says.
The hackers usually send a "large" number of spear-phishing messages to DevOps executives or system admins of crypto companies, offering them fake high-paying jobs that may lure the employees to download a malware-laced crypto app, according to an advisory from the FBI, the Cybersecurity and Infrastructure Security Agency and the Department of the Treasury. Hackers use open-source projects to develop the malicious apps, which appear to have crypto trading or price prediction tools. When its users "update" their apps - a pre-designed malicious function - the malware downloads and executes a malicious payload on the system to steal data that will give them access to the victim's crypto.
In Horizon's case, the hackers compromised private keys and carried out transactions that extracted tokens stored in the bridge, Harmony founder Stephen Tse said at the time. The bridge was essentially a multisignature contract, which required approval from 2 out of 5 addresses to validate a transfer, William Callahan, director of government and strategic affairs at Blockchain Intelligence Group, told Information Security Media Group. "If any 2 out of 5 addresses told the contract to transfer funds to someone, it did. In this case, the hacker likely compromised two addresses and made them transfer the crypto to his own wallet," according to Callahan (see: Horizon Offers $1M Bounty to Hackers Who Stole $100M).