North Korea’s state-sponsored Lazarus Group is believed to be behind the recent $100 million cryptocurrency theft from a US blockchain company, the latest in a spate of high-profile cyber heists from the Kim Jong-un regime, London-based blockchain analytics firm Elliptic said Wednesday.

The analysis came out a week after California-based crypto firm Harmony on June 24 publicly confirmed that unidentified hackers had stolen cryptocurrencies amounting to around $100 million from the key service, called Horizon Bridge, which is a blockchain bridge developed by the company.

The service, also known as a cross-chain bridge, connects two blockchains and allows users to transfer cryptocurrencies between different blockchains, such as binance chain, bitcoin and ethereum.

The stolen cryptocurrencies included binance coin, ethereum, tether and wrapped bitcoin.

The hacker group immediately swapped much of the crypto assets into a total of 85,837 ethers by utilizing Uniswap, which is a decentralized exchange protocol operating on the ethereum blockchain, according to Elliptic.

Decentralized exchanges are widely used by hackers to launder cryptocurrencies to avoid confiscation of the stolen assets, given that the platform enables users to privately exchange cryptocurrencies with one another without a centralized intermediary or involving order books.

On June 27, the thieves responsible for the heist began to send the etherum deposits to Tornado Cash, which is a mixer that has been widely used to launder illicit crypto funds. A cryptocurrency mixer is a software tool that pools and scrambles cryptocurrencies from thousands of addresses to obfuscate and conceal the flow of transactions.

Elliptic analyzed that just over 35,000 ether, amounting to $39 million, of the stolen cryptocurrency assets had been moved to Tornado Cash, and the process is ongoing. The attempt makes it easier for the thief to cash out the illicit cryptocurrencies at a crypto exchange.

Lazarus Group behind cybertheft
Elliptic said that North Korea’s state-sponsored Lazarus Group is believed to be responsible for the latest high-profile heist targeting a blockchain bridge in light of the hacking and laundering techniques employed.

The US-sanctioned Lazarus Group is controlled by North Korea’s primary intelligence bureau, the Reconnaissance General Bureau. The hacking group has been credited with major cyberattacks including the 2017 WannaCry ransomware attacks and 2014’s Sony Pictures hack.

“Our analysis of the hack and the subsequent laundering of the stolen cryptoassets also indicates that it is consistent with activities of the Lazarus Group -- a cybercrime group with strong links to North Korea,” Elliptic said.  “Although no single factor proves the involvement of Lazarus, in combination they suggest the group’s involvement.”

Specifically, the hackers compromised the cryptographic keys of a multisignature wallet -- which is meant to maintain the confidentiality of digital assets -- likely through social engineering attacks on team members at Harmony. The Lazarus Group has frequently utilized such techniques.

The Lazarus Group also tends to concentrate on targets based in the Asia-Pacific region, Elliptic reported, adding that language could be one main reason. A majority of the core team at Harmony has links to the region.

Elliptic also pointed to the regularity of moving ethereum deposits into the Tornado Cash mixer likely through an automated process as further grounds. 

The pattern is “very similar” to the programmatic laundering of funds that was observed from the recent heist on the Ronin Bridge and several other attacks associated with the group.

The Lazarus Group’s recent shift to focus on attacking decentralized finance platforms such as blockchain bridges was cited as the main reason for the assessment.

The Lazarus Group, for instance, was attributed by the US Treasury Department to $625 million worth of cryptocurrency theft from Axie Infinity’s proprietary Ronin blockchain bridge in March.

Harmony said on Wednesday that it had initiated a global manhunt for the criminals. US law enforcement and the company’s partners at Chainalysis and AnChain.AI are investigating to identify the individuals responsible for the cybercrime and to recover the stolen assets.

But the US crypto firm announced that it would cease the investigation if the thieves were to return all but $10 million of the cryptoassets, giving a Monday deadline to initiate dialogue.

North Korean state-sponsored cryptocurrency theft has been cited as a fundamental part of the country’s illicit financing activities to fund its nuclear and missile programs.

North Korea-affiliated hackers stole nearly $400 million worth of digital assets last year, the New York-headquartered blockchain data platform Chainalysis said in February in its annual report.

Coincub, an Ireland-based crypto exchange aggregator, said on June 27 that North Korea is estimated to have earned almost $1.6 billion from at least 15 distinct cases of crypto crimes between 2017 and 2022.

The illicit proceeds accounted for 10 percent of North Korea’s gross domestic product for 2021, the largest portion in the world, the company said in its report on the annual crypto crime ranking.

(dagyumji@heraldcorp.com)