Coin exchanges Binance and Huobi have frozen cryptocurrency accounts they believe belong to notorious North Korean hacking gang Lazarus, preventing the gang from extracting $2.6m in Bitcoin and Ethereum.
The money was stolen from the Harmony crypto bridge in June of last year and was apparently being moved through various decentralised systems, before the behaviour was noticed by Binance and Huobi and stopped.
Big freeze hits Lazarus crypto accounts
Lazarus was spotted moving $63.5m in Ethereum on Sunday. The group used an anonymising crypto tool called Railgun, which adds privacy protection to transactions.
The consolidated funds were then moved from Railgun and deposited into three different exchanges, which is where the strange activity was picked up. The Binance exchange was the first to freeze the Lazarus accounts.
Binance CEO Changpeng Zhao tweeted: “We detected Harmony One hacker fund movement. They previously tried to launder through Binance and we froze his accounts.”
The hackers tried a different avenue once the Binance route proved ineffective, but were also foiled by Huobi, with the help of Binance. Together the two coin exchanges managed to prevent 124 stolen Bitcoin from falling into the hands of the North Korean government. This is just over $2.6m at the time of writing.
Lazarus wants to profit from Harmony Bridge breach
The Harmony Bridge attack in June saw $100m in cryptocurrencies stolen. Coin bridges are used to connect different blockchains to exchange cryptocurrencies between them. They are a lucrative target as they typically house large amounts of currency and can have weak security.
Because cryptocurrency transactions are recorded publicly on the blockchain, large transactions, particularly those involving looted cryptocurrencies, draw attention and can be stopped. For example, this happened in February 2022, when two cybercriminals, Heather Morgan and Ilya Lichtenstein, were caught trying to launder 119,754 Bitcoin, worth about $3.6bn, from a heist they had taken part in against the Hong Kong coin exchange Bitfinex in 2016.
Crypto consultancy Elliptic quickly pinpointed Lazarus as the gang behind the Harmony Bridge breach. It said Lazarus has “perpetrated several large cryptocurrency thefts totalling over $2bn, and has recently turned its attention to DeFi [decentralized finance] services such as cross-chain bridges.”
It is not uncommon for North Korean state-backed hacking groups to perpetrate highly lucrative hacks, as the country is subject to heavy sanctions due to its aggressive geopolitical stance.
“North Korea has called its cyber-capability an ‘all-purpose sword,’” Min Chao Choy, a data correspondent at NK News, said in a previous interview with Tech Monitor. “You really see that in the way that they use it. They use it for espionage, on a political level but also for industrial espionage. They use it for funds. They use it to threaten North Korean defectors living in South Korea. And I’m sure they have a lot more destructive capabilities that they haven’t displayed yet.”