FBI confirms Lazarus Group was behind the $100m Harmony exploit

In a Monday press release, the FBI announced that Lazarus Group and APT38, two notorious cybercrime actors associated with North Korea, are responsible for the June Harmony bridge hack.

Kim Il Sung Square in Pyongyang, North Korea. Image: Getty Images

The FBI said its investigation identified Lazarus Group and APT38 as the masterminds behind the $100 million exploit of Harmony Protocol’s Horizon bridge on June 24. Although several crypto sleuths and security analysts had suspected that the hackers behind the attack were linked to North Korea, Lazarus Group had not been formally accused of responsibility for the Harmony exploit until now.

During the June heist, hackers managed to get away with $100 million in Wrapped Ethereum (WETH), AAVE, SUSHI, DAI, USDT, and USDC. Stolen funds were then converted into Ether, of which $60 million was laundered through privacy protocol RAILGUN on January 13, half a year after the attack.

However, an unspecified amount of the funds routed via RAILGUN was frozen and recovered in coordination with centralized exchanges when the hackers tried to swap it for bitcoin. The unrecovered BTC was subsequently moved to eleven bitcoin addresses listed in the FBI report.

The FBI and other law enforcement agencies “continue to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and Weapons of Mass Destruction programs,” the announcement read. “The FBI will continue to expose and combat the DPRK’s use of illicit activities—including cybercrime and virtual currency theft—to generate revenue for the regime.”

For context, Harmony Protocol is a proof-of-stake blockchain with smart contract functionality. Its cross-chain Horizon solution enables users to move their funds freely between Harmony and Ethereum, Bitcoin, and Binance Smart Chain. Because cross-chain bridges like Horizon concentrate the locked funds of all their users in a single storage point, they are frequent targets for hackers: according to Chainalysis, $2 billion worth of cryptocurrency was stolen across 13 separate attacks on bridges in 2021-2022, with Axie Infinity's Ronin suffering the biggest loss at $622 million.


North Korea may be a poor, sanctions-strapped country, but its army of skilled hackers has become a formidable threat to global cybersecurity. In 2021, North Korea's military spending accounted for around 24 percent of its gross domestic product, of which 10 to 20 percent is spent on cyber-attack capabilities, the BBC reported.

According to Kim Kuk-song, a high-profile defector from North Korea, the previous North Korean leader, Kim Jong-il, ordered preparations for cyber warfare back in the 1980s, when the country started training new personnel for its hacking unit Bureau 121.

"The Moranbong University would pick the brightest students from all over the country and put them through six years of special education," he told the BBC.

According to a federal cybersecurity alert issued in April 2022, North Korean hackers are targeting a “variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).”

“The activity described in this advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps.”

The notorious criminal activity of North Korean hackers was cited as a prime reason for the U.S. regulatory crackdown on the crypto mixer Tornado Cash, which was sanctioned by the U.S. Treasury in August. The regulator pointed to the mixer's role in North Korea's weapons of mass destruction (WMD) and ballistic missile programs, claiming that it had been used to launder more than $7 billion worth of cryptocurrency since its inception in 2019.