Experts blame North Korea-linked Lazarus APT for the Harmony hack

North Korea-linked Lazarus APT group is suspected to be behind the recent hack of the Harmony Horizon Bridge.

Recently, threat actors have stolen $100 million in cryptocurrency from the Blockchain company Harmony. The company reported the incident to the authorities, the FBI is investigating the cyber heist with the help of several cybersecurity firms. 

Harmony’s Horizon Bridge allows users to transfer their crypto assets from one blockchain to another, the company immediately halted the bridge to prevent further transactions and notified other exchanges.

The company also offers a $1 million bounty in exchange for the return of the funds.

The blockchain security firm CertiK published a detailed analysis of the incident, it confirmed that the threat actors were able to access the owners of Horizon’s multiSig wallets, then drained the funds from Harmony.

“On June 23, 2022 at 11:06:46 AM +UTC, the bridge between Harmony chain and Ethereum experienced multiple exploits. Our expert analysis has identified twelve attack transactions and three attack addresses.” reads the analysis published by CertiK. “Across these transactions the attacker netted various tokens on the bridge including ETH, USDC, WBTC, USDT, DAI, BUSD, AAG, FXS, SUSHI, AAVE, WETH, and FRAX. The transactions vary in value but range from $49,178 to upwards of $41,200,000. The attacker accomplished this by somehow controlling the owner of the MultiSigWallet to call the confirmTransaction() directly to transfer large amounts of tokens from the bridge on Harmony, which led to a total loss around $97M worth of asset on the Harmony chain which the attacker has consolidated into one main address.”

On June 27, the threat actors behind the cyber heist culprit have begun transferring the funds (roughly $39 million) through the Tornado Cash mixer service to launder the illicit profits.

The good news is that the blockchain security firm Elliptic was able to analyze the transactions even after the use of the mixer service.

According to Elliptic, the North Korea-linked Lazarus APT was behind the attack.

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds. Lazarus is believed to have stolen over $2 billion in cryptoassets from exchanges and DeFi services.” reads the report published by Elliptic. “The theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet – likely through a social engineering attack on Harmony team members. Such techniques have frequently been used by the Lazarus Group.”

According to the firm the threat actors compromed the cryptographic keys of a multi-signature wallet, likely through a social engineering attack aimed at Harmony team members.

Elliptic researchers pointed out that the relatively short periods during which the stolen funds stop being moved out of Tornado cash are consistent with nighttime hours in Asia-Pacific time zone.

“The regularity of the deposits into Tornado over extended periods of time suggests that an automated process is being used. We have observed very similar programmatic laundering of funds stolen from the Ronin Bridge, which has been attributed to Lazarus, as well as a number of other attacks linked to the group.” concludes the post.

Harmony has since notified all cryptocurrency exchanges and involved law enforcement and blockchain forensic firms to help in the recovery of stolen assets. It’s also offering “one final opportunity” for the cyber thieves to send the funds back with anonymity and “retain $10 million and return the remaining amount” by July 4, 2022, 11 p.m. GMT.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Harmony)

[adrotate banner=”5″]

[adrotate banner=”13″]