FBI Confirms North Korea Behind $100 Million Harmony Hack

The FBI announced Monday it has concluded that North Korean hacker organization Lazarus Group was behind the $100 million hack of Harmony Protocol last June.

Over $60 million of ETH stolen during the heist was laundered on January 13, six months after the fact. That allowed the law enforcement agency to confidently identify the Lazarus Group and APT38—another North Korean cyber group—as the architects of the crime.

The hackers used RAILGUN, a privacy protocol, in an attempt to obscure their transactions. Even so, a portion of the funds was frozen and recovered by exchanges when the hackers attempted to swap them for Bitcoin. Unrecovered funds were subsequently sent to 11 Ethereum addresses.

The FBI and its investigative partners will "continue to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and Weapons of Mass Destruction programs," according to the announcement.


In the immediate aftermath of June’s Harmony hack, blockchain analysts tied the exploit to Lazarus Group using a combination of on-chain sleuthing and comparisons to previous hacks committed by the group. Although the American government had previously been vocal about the threat posed by Lazarus Group, it did not formally accuse the entity of responsibility for the Harmony hack until today.

The hack targeted a cross-chain bridge connecting Harmony, a layer-1 blockchain, to Ethereum, Bitcoin, and Binance Chain. The strategy echoes previous attacks linked to Lazarus Group, including a massive $622 million hack last April of Ronin Network, an Ethereum sidechain used by play-to-earn crypto game Axie Infinity.

Since 2017, North Korean hacker groups including Lazarus Group and APT38 have stolen an estimated $1.2 billion worth of cryptocurrency, according to an Associated Press report.

"The FBI will continue to expose and combat the DPRK’s use of illicit activities—including cybercrime and virtual currency theft—to generate revenue for the regime," the announcement read.


North Korea-affiliated cyber groups have also reportedly expanded their activities beyond hacks. In late December, a report argued that the Lazarus Group is also pretending to be venture capitalists, potential employers, and banks.

"Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms," according to a federal cybersecurity alert issued last April. "The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications."