January 24, 2023

North Korean hackers Lazarus behind $100m Harmony Bridge crypto hack – FBI

The FBI has confirmed Lazarus is behind the Harmony heist that saw $100m in cryptocurrencies lifted in June of last year.

By Claudia Glover

A cyberattack on the Harmony crypto coin bridge last June, which saw Bitcoin worth $100m stolen, was carried out by North Korean state-sponsored hacking gangs Lazarus and APT38, the FBI believes. This comes after efforts to launder the stolen funds were halted by the freezing of accounts belonging to the gangs.

FBI confirms Lazarus behind last year’s Harmony Bridge hack. (Photo by Mark Van Scyoc/Shutterstock)

Lazarus has long been suspected of carrying out the attack, with crypto analyst Elliptic releasing evidence last year which showed that stolen funds had been funnelled to the gang.

FBI confirms Lazarus behind Harmony Horizon Bridge cyberattack

The FBI has now released a report on the incident, one of the biggest crypto hacks of recent years, which states that “the Lazarus Group and APT38, cyber actors associated with the Democratic Republic of North Korea (DPRK) are responsible for the theft of $100m of virtual currency from Harmony’s Horizon bridge, reported on June 24”.

As reported by Tech Monitor, on Friday, 13 January, North Korean cybercriminals used a privacy protocol called Railgun to try to launder more than $60m in Ethereum, stolen during last year’s heist. Some of the stolen Ethereum was subsequently sent to several virtual asset service providers to be converted to Bitcoin.

“A portion of these funds were frozen, in co-ordination with some of the virtual asset service providers,” explains the advisory, referring to the Binance crypto exchange, which said it had spotted the stolen funds being moved and closed down accounts. The remaining bitcoin was sent to eleven addresses, which the FBI was able to track, leading them to Lazarus and APT38.

The FBI says a malware campaign called “TraderTraitor” was used by the Korean hackers during the Harmony intrusion. The term describes a series of malicious applications written using cross-platform JavaScript code, according to the US Cybersecurity and Infrastructure Security Agency (CISA). 

“The malicious applications are derived from a variety of open source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications,” CISA analysts said.

North Korea’s long history of crypto heists

It is not uncommon for North Korean hacking gangs to be behind large-scale cryptocurrency heists. The international sanctions placed on its government mean state-backed hacking gangs are encouraged to carry out hacking campaigns to boost national finances.

According to data released by South Korea’s main spy agency, the National Intelligence Service, North Korean hackers have stolen $1.2bn in cryptocurrencies around the world since 2017, with reportedly $626m of that stolen last year.

The report stated that North Korea has turned to crypto hacking to generate fast money to fund its nuclear programme. The North Korean hackers’ ability to steal crypto assets is now considered to be among the highest in the world. 
