Researchers Blame North Korea for $100M Horizon Bridge Crypto Theft

North Korean hackers have become the primary suspect in last week’s $100 million Horizon Bridge cryptocurrency heist.

A new report released this week by blockchain forensics company Elliptic fingers The Lazarus Group, a hacking unit with ties to the Democratic People’s Republic of Korea, as the likely culprit behind the massive theft. The hack would be just one victory among many for the group: The FBI attributed the gargantuan $625 million robbery of Axie Infinity to Lazarus as well.

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds,” Elliptic wrote. “Although no single factor proves the involvement of Lazarus, in combination they suggest the group’s involvement.” Another cryptocurrency monitoring group, Chainalysis, concurred with Elliptic’s findings.

The most recent hack, which occurred late last week, involves California-based firm Harmony, which offers a “Horizon Bridge,” allowing users to transfer crypto between different blockchains. Hackers reportedly targeted the usernames and passwords of Harmony workers for their initial breach. Harmony has since begun what it calls a “global manhunt” for the group responsible.

Horizon did not immediately respond to Gizmodo’s request for comment.

The hackers have moved quickly to launder those assets since last week, according to Elliptic. According to the report, the Horizon Bridge hacker had already sent nearly half (41%) of the stolen cryptocurrency assets though the Tornado Cash mixer, a so-called “demixing” tools often used to conceal the trail of funds.

That analysis was backed up on Thursday by Chainalysis, which is currently helping Harmony investigate the theft. “The attack vector & high velocity of structured payments to a mixer is similar to previous attacks that were attributed to DPRK-linked actors,” Chainanlaysis wrote in a tweet.

In a statement Wednesday, Harmony said it has notified law enforcement to investigate the theft and has since begun their own search for the culprits. The company gave what it described as a final ultimatum to the hackers: Return the stolen funds now and keep $10 million for yourselves.

“There is no honor amongst thieves,” Harmony wrote. “We are offering you $10M for information leading to the return of stolen funds.” That offer stands until July 4th, but given Elliptic’s recent analyses showing the rapid rate at which the hackers are laundering the funds, voluntary recovery appears unlikely.

North Korea’s Long History of Digital Theft

While North Korea may lack basic internet, electricity, food, and human rights, its state-supported hacking groups do have a real knack for digital theft. Back in April, the FBI released a statement blaming North Korea’s Lazarus Group for a much larger theft of $625 million worth of cryptocurrency from the Ronin blockchain. In that case, hackers haled away with some around 173,600 ether and 25.5 million USDC.

This isn’t necessarily a new trend either. Earlier this year, the Department of Homeland Security issued an alert saying that Lazarus Group had engaged in various forms of crypto theft since at least 2020.

“North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency,” the agency wrote. “These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”

In total, the U.S. The Department of Justice estimates the Lazarus Group has allegedly made off with over $1 billion in cryptocurrency through hacking campaigns.

And while North Korea has focused its efforts on largely unregulated cryptocurrencies as of late, its experience with digital theft and complex online heists far precedes crypto. The country’s hacking teams have also proved adept at launching destructive cyber attacks and were reportedly responsible for the 2014 Sony leaks as well as the 2017 WannaCry ransomware outbreak.