The FBI has confirmed that the North Korean state-sponsored ‘Lazarus’ and APT38 hacking groups were behind the theft of $100 million worth of Ethereum stolen from Harmony Horizon in June 2022
Harmony Horizon is a cross-chain bridge for Ethereum that suffered a breach in June 2022, allowing hackers to assume control of a MultiSigWallet contract and use it to transfer large amounts of tokens to their addresses.
For more details on the technical aspect of the attack, Certik released a report describing the attack flow and the steps the threat actors took to siphon millions.
Yesterday, the FBI confirmed that two North Korean hacking groups, Lazarus and APT38, were behind the attack.
The Lazarus and APT38 hacking groups are linked to the Democratic People’s Republic of Korea (DPRK) and have a history of stealing cryptocurrency assets on behalf of the government.
The FBI states that North Korean hacking groups steal and launder virtual currency to support their country’s ballistic missile and weapons of mass destruction programs.
In this case, the FBI managed to associate Lazarus with the heist thanks to one of the threat group’s laundering efforts last week.
On January 13th, the hackers attempted to move 41,000 ETH ($63.5 million) through Railgun before depositing the funds to many addresses in three cryptocurrency exchanges.
At least 350 of these addresses have been identified to be under the direct control of the Lazarus group.
The hackers converted some of these moved funds to Bitcoin, and the FBI seized an undefined portion by working closely with virtual asset service providers.
The FBI states the remaining converted funds are now stored in the following Bitcoin addresses.
Binance announced at the time that, together with Huobi, they managed to intercept 124 BTC stolen from Harmony Horizon, which was worth approximately $2.5 million.
Moreover, all accounts used in the laundering actions were frozen.
Past Lazarus attacks
North Korean hackers have a long history of targeting cryptocurrency companies to steal assets to fund their country’s initiatives.
It was later revealed that the hackers conducted this attack after sending a malicious laced PDF file containing a lucrative job offer to one of the blockchain’s engineers.