The U.S. Federal Bureau of Investigation (FBI) on Monday confirmed that North Korean threat actors were responsible for the theft of $100 million in cryptocurrency assets from Harmony Horizon Bridge in June 2022.
The law enforcement agency attributed the hack to the Lazarus Group and APT38 (aka BlueNoroff, Copernicium, and Stardust Chollima), the latter of which is a North Korean state-sponsored threat group that specializes in financial cyber operations.
The FBI further stated the Harmony intrusion leveraged an attack campaign dubbed TraderTraitor that was disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in April 2022.
The modus operandi entailed utilizing social engineering tricks to deceive employees of cryptocurrency companies into downloading rogue applications as part of a seemingly benign recruitment effort.
“On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of ethereum (ETH) stolen during the June 2022 heist,” the FBI said. “A portion of this stolen ethereum was subsequently sent to several virtual asset service providers and converted to bitcoin (BTC).”
A chunk of the stolen funds has been frozen in coordination with virtual asset service providers, while the remaining bitcoin is said to have been transferred to 11 different actor-controlled wallets.
It’s worth noting that fund movement related to the Harmony One hack was first uncovered last week by a blockchain researcher who goes by the online alias ZachXBT. According to Binance founder Changpeng Zhao, 124 BTC (roughly $2.84 million as of writing) have been recovered after the transfers were blocked.
A subsequent attempt to transfer the stash to another crypto exchange called Huobi was also thwarted, Zhao said in a tweet shared on January 16, 2023.
Crypto tracking and anti-money laundering platform MistTrack, in its own analysis, revealed that the ill-gotten gains were moved from the Bitcoin blockchain to the Avalanche, Ethereum, and Tron networks via a cross-chain path chosen to obfuscate the trail.
Blockchain intelligence firm Elliptic said RAILGUN, which functions similar to a cryptocurrency mixer, has emerged as a prime substitute for Tornado Cash in the wake of sanctions imposed by the U.S. government against the latter in August 2022.
“North Korea may be turning to lower obfuscating services as an alternative,” David Carlisle, Elliptic’s vice president of policy and regulatory affairs, said.
The cryptocurrency heists are part of malicious cyber activity orchestrated by North Korea’s intelligence apparatus, the Reconnaissance General Bureau, to generate substantial revenue for the sanctions-hit nation by stealing money from financial institutions (namely FASTCash and BeagleBoyz).
The development also comes amid a string of ransomware attacks targeting DNV, Costa Rica’s Ministry of Public Works and Transport (MOPT), University of Duisburg-Essen, and Yum! Brands over the past few weeks.
Data gathered by blockchain analytics company Chainalysis shows that ransomware actors extorted at least $456.8 million from victims in 2022, down from a high of $765 million and $766 million in 2020 and 2021, respectively.
“However, that doesn’t mean attacks are down,” it said in a report published the previous week. “Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers.”