North Korea is likely culprit behind $100 million crypto heist, researchers say

A photo illustration showing the North Korean flag and a computer hacker.

Budrul Chukrut | Sopa Images | Lightrocket | Getty Images

North Korean state-sponsored hackers were likely the perpetrators of a hack that led to the theft of around $100 million in cryptocurrency, according to analysis from blockchain researchers.

The hackers targeted Horizon, a so-called blockchain bridge developed by U.S. crypto start-up Horizon. The tool is used by crypto traders to swap tokens between different networks.

There are “strong indications” that Lazarus Group, a hacking collective with strong ties to Pyongyang, orchestrated the attack, blockchain analytics firm Elliptic said in a blog post Wednesday.

Most of the funds were immediately converted to the cryptocurrency ether, Elliptic said. The firm added that hackers have started laundering the stolen assets through Tornado Cash, a so-called “mixing” service that seeks to obscure the trail of funds. So far, around $39 million worth of ether has been sent to Tornado Cash.

Elliptic says it used “demixing” tools to trace the stolen crypto sent through Tornado Cash to several new ether wallets. Chainalysis, another blockchain security firm that’s working with Harmony to investigate the hack, backed up the findings.

According to the companies, the way the attack was carried out and the subsequent laundering of funds bear a number of similarities with previous crypto thefts believed to be perpetrated by Lazarus, including:

  • Targeting of a “cross-chain” bridge — Lazarus was also accused of hacking another such service called Ronin
  • Compromising passwords to a “multisig” wallet that requires only a couple signatures to initiate transactions
  • “Programmatic” transfers of funds in increments every few minutes
  • The movement of funds stops during Asia-Pacific nighttime hours

Harmony said it is “working on various options” to reimburse users as it investigates the theft, but stressed that “additional time is needed.” The company also offered a $1 million bounty for the return of the stolen crypto and information on the hack.

North Korea has frequently been accused of carrying out cyberattacks and exploiting cryptocurrency to get around Western sanctions. Earlier this year, the U.S. Treasury Department attributed a $600 million heist on Ronin Network, a so-called “sidechain” for popular crypto game Axie Infinity, to Lazarus.

North Korea has denied involvement in state-sponsored cyberattacks in the past, including a 2014 data breach targeting Sony Pictures.