The North Korean state-sponsored cybercriminal group, Lazarus, also known as APT38, was responsible for the $100 million theft of cryptocurrency from Harmony’s Horizon bridge in June 2022, the FBI confirmed on Monday.
The Lazarus group tried to siphon $60 million worth of Ethereum, stolen during June’s breach, through DeFi’s Railgun privacy protocol. While a portion of the stolen Ethereum was converted to BTC via a crypto mixer, a portion of these funds was frozen by the FBI. The hackers had attempted to move 124 bitcoin of stolen funds to the crypto exchange Huobi, but the transfer was blocked.
The FBI’s investigation confirms last week’s findings that Lazarus moved roughly $63.5 million, around 41,000 ETH, from the Harmony Horizon bridge hack before depositing it in three separate crypto exchanges.
“We will continue to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and Weapons of Mass Destruction programs,” the FBI said in a statement. “Through our investigation, we were able to confirm that the Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $100 million of virtual currency from Harmony’s Horizon bridge.”
Previously it was found that Lazarus had tried to siphon the funds through the crypto mixer Tornado Cash, which breaks the on-chain link between source and destination addresses, improving transaction privacy by obscuring the trail between them. Tornado Cash has been used to launder more than $7 billion since it was created in 2019, and the US Department of the Treasury imposed sanctions on the service in August 2022.
Lazarus has been notorious for cryptocurrency theft for several years, with billions of dollars in stolen cryptocurrency to its name. The North Korea-backed cybercriminal group was also held responsible for the Ronin bridge hack in March 2022, and was found to be targeting energy companies in the US, Canada and Japan by using the Log4j vulnerability to breach VMware Horizon servers.