Harmony, North Korea, Lazarus – A Q worth $100M

The Horizon hack has taken a new twist after the latest post-mortem report. The $100 million theft was initially observed on 24 June but after careful analysis, new developments have emerged. From Uniswap to Tornado, the money trail led to the potential perpetrators.

It’s them again

The Harmony team identified a theft of over $100 million on the Horizon Bridge on 24 June. It is the latest in a long line of expensive crypto hacks in recent times.

Preliminary analysis showed that the address allegedly responsible made 11 transactions from the bridge for various tokens. The individual then sent the tokens to a different wallet to swap them for ETH on the Uniswap decentralized exchange, and afterwards sent all the ETH back to the original wallet.

However, experts at Elliptic, a blockchain data analytics platform, have uncovered the latest developments following the preliminary analysis by Certik, a security-focused ranking platform.

Source: Elliptic

Following the money trail, Elliptic discovered that the thief used Tornado Cash, a mixer commonly used to launder digital holdings. So far, around 35,000 ETH ($39 million) has been transferred in the ongoing process.

But Elliptic used its “demixing” techniques to follow the trail further, to new Ethereum wallets. The report confirms that these methods are consistent with those of the Lazarus Group, which is believed to have carried out the Ronin Bridge attack. Lazarus is claimed to have strong links to North Korea and has perpetrated crypto thefts that cost over $2 billion.

“The theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet – likely through a social engineering attack on Harmony team members. Such techniques have frequently been used by the Lazarus Group. Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons. Although Harmony is based in the US, many of the core team have links to the APAC region.”

The Elliptic team also confirmed towards the end that it will continue to monitor the rest of the stolen funds.