Behind Harmony Attack Was North Korean Hackers Again

Blockchain analytics firm Elliptic has finally identified the hackers behind the theft of $100 million worth of cryptocurrencies from the Harmony protocol.

O company report points to the Lazarus group as the authors of the attack against the protocol. Elliptic claims it came to this conclusion after tracking the movements of funds stolen from the attack. The pattern of operations, according to the company, resembles the famous hacker group.

Linked to the government of North Korea, Lazarus is known for participating in notorious attacks in cryptocurrency history. The United States Federal Police (FBI) have been investigating the group and their criminal actions.

For example, the group was involved in the attack on Axie Infinity’s Ronin, which lost over $600 million in the hack. This was the biggest hacking attack in cryptocurrency history.

Reward and location

Last Friday (24), hackers broke into the Horizon bridge, which connects Harmony to other blockchains, and stole thousands of cryptocurrencies. Action resulted in the theft of US$ 100 million.

Shortly after the attack, the team behind Harmony offered a $1 million reward to anyone with information about the hacker. They also extended the offer to the hacker himself if he or they returned the funds.

However, the group ignored the proposal and began moving the stolen funds four days after the attack, with the aim of hiding their origin. And that was precisely what, according to Elliptic, made it possible to identify the group.

According to the report, Elliptic analyzed transactions carried out on Tornado Cash, a service that hides the origin of funds. Subsequently, the analysis pointed out that the Harmony hacker used a social engineering model similar to that used in the other attacks of the group.

The Harmony attack also bears traces of what happened with Axie Infinity, as the stolen funds were laundered in a pattern that implies automated transfers.

“While no single factor proves Lazarus involvement, together they suggest group involvement,” the report says.

Other factors include the fact that many members of the Harmony team have ties to the Asia-Pacific region. The region is one of the most attacked by Lazarus, probably due to the similarities between the languages ​​used.

Also, the only times hackers have stopped moving funds into Tornado Cash match nighttime hours in the Asia Pacific region. That is, the group was following a standard schedule for those who live or work in that region of the planet.

About the Harmony attack and Lazarus

Until now, hackers have only used Tornado Cash to hide stolen funds, which allows users to pool significant amounts of cryptocurrencies and exchange them for different currencies, a process that obfuscates transaction trails and is commonly used to launder stolen tokens.

In April, the US government concluded that Lazarus is a “state-sponsored hacking organization” according to the FBI. Authorities have linked the group to the attack on Ronin, another bridge between protocols.

Bridges connect blockchains and are often used to join sidechains together (like Ronin, which is a sidechain of ETH). They can also merge different blockchains, as in the case of Horizon, which merged Harmony with BTC, ETH and BNB Chain.

With information from Elliptic, exchanges and companies in the industry can take steps to ensure they do not accept any of the stolen funds. That way, hackers will have a harder time spending the cryptocurrencies or converting them into fiat currencies.

However, the information does not provide a means for Harmony to recover the stolen funds, but the team said it is working with the FBI to track the funds and get the money back.