- Spearphishing and malware were the prime tools to launder cryptos during the hack.
- On January 13, Harmony Horizon hackers laundered $60M worth of ETH.
The US Federal Bureau of Investigation (FBI) has named the chief culprits behind the hack of Harmony’s Horizon Bridge. In a January 23 press release it confirmed two notorious cyber actor groups, Lazarus Group and APT38, as responsible for the $100M theft. Both groups are reported to be backed by the Democratic People’s Republic of Korea (DPRK), i.e. North Korea.
The FBI stated:
“Through our investigation, we were able to confirm that the Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $100 million of virtual currency from Harmony’s Horizon bridge reported on June 24, 2022.”
The investigation is led by FBI Los Angeles and FBI Charlotte together with five other authorities. Notably, the probe’s findings point to North Korea’s motive for backing such crypto hacks and laundering: the proceeds fund the state’s missile and weapons of mass destruction programs.
Harmony Hacker’s Route
Horizon has been the prominent bridge on the PoS blockchain Harmony since October 2020. In the June 2022 hack, the North Korea-sponsored groups carried out the theft through a series of 14 transactions on Ethereum and Binance Smart Chain (BSC). Lazarus Group has a long track record of major crypto heists, such as the $625M Ronin Bridge hack, and it was the prime suspect in this investigation from the outset.
The FBI reported:
“On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of Ethereum (ETH) stolen during the June 2022 heist. A portion of this stolen Ethereum was subsequently sent to several virtual asset service providers and converted to bitcoin (BTC).”
The FBI worked with several virtual asset service providers (VASPs) to freeze the stolen funds. Further investigation traced the funds that had been converted to Bitcoin to 11 crypto addresses.
According to the FBI’s findings, Lazarus Group deployed spearphishing, “trojanized” cryptocurrency apps and malware, notably “AppleJeus”, to launder crypto from vulnerable entities. The FBI also warned users about the “TraderTraitor” malware campaign that the North Korean hackers used during the hack.
As hacks in the sector increase and evolve, the FBI advises entities to adopt defense-in-depth security strategies and principles. Above all, it stressed the importance of educating users about malware and scams.