A cyberattack on the Harmony crypto coin bridge last June, in which cryptocurrency worth $100m was stolen, was carried out by the North Korean state-sponsored hacking gangs Lazarus and APT38, the FBI has concluded. The attribution follows a laundering attempt that was partly disrupted when some of the accounts being used to move the stolen funds were frozen.
Lazarus has long been suspected of carrying out the attack: blockchain analytics firm Elliptic released evidence last year showing that the stolen funds had been funnelled to the gang.
FBI confirms Lazarus behind Harmony Horizon Bridge cyberattack
The FBI has now released a report on the incident, one of the biggest crypto hacks of recent years, which states that “the Lazarus Group and APT38, cyber actors associated with the Democratic Republic of North Korea (DPRK) are responsible for the theft of $100m of virtual currency from Harmony’s Horizon bridge, reported on June 24”.
As reported by Tech Monitor, on Friday, 13 January, North Korean cybercriminals used a privacy protocol called Railgun to try to launder more than $60m in Ethereum, stolen during last year’s heist. Some of the stolen Ethereum was subsequently sent to several virtual asset service providers to be converted to Bitcoin.
“A portion of these funds were frozen, in co-ordination with some of the virtual asset service providers,” explains the advisory, referring to the Binance crypto exchange, which said it had spotted the stolen funds being moved and had closed the accounts involved. The remaining bitcoin was sent to eleven addresses, which the FBI was able to track and which it attributes to Lazarus and APT38.
The FBI says a malware campaign called “TraderTraitor” was used by the North Korean hackers during the Harmony intrusion. The term describes a series of malicious applications written in cross-platform JavaScript code, according to the US Cybersecurity and Infrastructure Security Agency (CISA).
“The malicious applications are derived from a variety of open source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications,” CISA analysts said.
North Korea’s long history of crypto heists
North Korean hacking gangs are frequently behind large-scale cryptocurrency heists. With the country's government cut off from much of the global financial system by international sanctions, its state-backed hacking gangs are encouraged to carry out campaigns that boost national finances.
According to data released by South Korea’s main spy agency, the National Intelligence Service, North Korean hackers have stolen $1.2bn in cryptocurrencies around the world since 2017, with reportedly $626m of that stolen last year.
The NIS report stated that North Korea has turned to crypto hacking to generate fast money to fund its nuclear programme, and that the North Korean hackers’ ability to steal crypto assets is now considered to be among the highest in the world.