After hackers stole $100 million worth of cryptocurrency from Harmony Protocol on Friday, the team behind the layer 1 blockchain announced it would offer a $1 million reward to anyone with information about the hacker.
As of this afternoon, a lead suspect has emerged.
According to a report released today by blockchain analytics firm Elliptic, the manner in which the funds were stolen and subsequently laundered points to the involvement of The Lazarus Group, a notorious North Korea-affiliated cybercriminal organization.
In April, the U.S. government concluded that Lazarus, a “state-sponsored hacking organization” according to the FBI, was behind the $622 million hack of a cross-chain bridge used by the play-to-earn game Axie Infinity. Cross-chain bridges connect blockchains and are often used to link sidechains (like Axie’s Ethereum sidechain Ronin), which can offer speed and lower transaction fees before passing work back to more secure blockchains like the Ethereum mainnet.
Harmony’s hack similarly occurred on the Horizon bridge, a cross-chain bridge connecting Harmony to Ethereum, Binance Chain, and Bitcoin. Elliptic’s report notes the similarities between both cross-chain bridge attacks as one indication of Lazarus’ likely involvement.
The way the attack was carried out, through social engineering, also resembles previous Lazarus hacks. The Harmony attack additionally echoes the Axie Infinity hack in that stolen funds have been laundered in a pattern implying automated transfers.
“Although no single factor proves the involvement of Lazarus, in combination they suggest the group’s involvement,” says the report.
Other such factors include the fact that many Harmony team members have ties to the Asia Pacific region, and Lazarus tends to go after Asia-based targets, potentially due to the languages used. Further, the only times the hackers have stopped offloading laundered funds are consistent with nighttime hours in the Asia Pacific region.
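The nighttime-gap reasoning above is a standard piece of forensic timeline analysis: bucket the laundering transactions by UTC hour, find the longest stretch of the day with no activity, and ask which time-zone offsets would place that stretch at a plausible local bedtime. The following Python is an added illustration of that method, not Elliptic's tooling or anything from the report; the transaction timestamps are constructed, and the "bedtime" window of 22:00 to 02:00 local is an assumed heuristic.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def hourly_activity(timestamps):
    """Count events per UTC hour of day, returned as a 24-element list."""
    counts = Counter(ts.astimezone(timezone.utc).hour for ts in timestamps)
    return [counts.get(h, 0) for h in range(24)]


def longest_quiet_window(hour_counts):
    """Return (start_hour, length) of the longest circular run of hours with
    zero activity; (None, 0) when every hour has at least one event."""
    best_start, best_len = None, 0
    for start in range(24):
        if hour_counts[start] != 0:
            continue
        length = 0
        while length < 24 and hour_counts[(start + length) % 24] == 0:
            length += 1
        if length > best_len:
            best_start, best_len = start, length
    return best_start, best_len


def candidate_utc_offsets(quiet_start_utc, local_bedtime_hours=(22, 23, 0, 1, 2)):
    """Whole-hour UTC offsets (-12..+14) under which the quiet window begins at
    an assumed local bedtime. This is a heuristic, not proof of location."""
    return [off for off in range(-12, 15)
            if (quiet_start_utc + off) % 24 in local_bedtime_hours]


def constructed_sample():
    """Constructed withdrawal timestamps (not real chain data): seven days of
    activity between 23:00 and 14:59 UTC, with some hours skipped each day so
    the histogram is uneven, and nothing at all between 15:00 and 22:59 UTC."""
    base = datetime(2022, 6, 24, tzinfo=timezone.utc)
    active_hours = list(range(0, 15)) + [23]
    stamps = []
    for day in range(7):
        for hour in active_hours:
            if (hour + day) % 3 == 0:  # deterministic gaps, every hour still hit
                continue
            stamps.append(base + timedelta(days=day, hours=hour, minutes=17))
    return stamps


if __name__ == "__main__":
    counts = hourly_activity(constructed_sample())
    start, length = longest_quiet_window(counts)
    print("events per UTC hour:", counts)
    print(f"longest quiet window: {length}h starting {start:02d}:00 UTC")
    print("offsets where that looks like night:", candidate_utc_offsets(start))
```

On the constructed data the quiet window is 15:00 to 22:59 UTC, and the offsets that map its start to a local bedtime are UTC+7 through UTC+11, which covers the Asia Pacific zones the report points at. The caveats a practitioner would attach are the ones implicit in the article: the signal needs days of data to be stable, it only narrows to a band of offsets rather than a country, and an operator can schedule transfers to fake or blur it, which is why the report treats it as one factor among several rather than proof.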
The funds have thus far been laundered through mixing service Tornado Cash, which allows users to pool significant amounts of cryptocurrencies and swap them for different coins, a process that obfuscates transaction trails and is commonly used to launder stolen tokens.
Elliptic was able to “demix” the trails of the Harmony hackers’ Tornado Cash transactions in this case, and has traced the stolen funds to a number of new Ethereum wallets.
While exchanges and businesses could potentially use this information to ensure they don’t accept any of the stolen funds, it provides no means for Harmony to recover them.