The FBI has confirmed that the North Korean state-sponsored ‘Lazarus’ and APT38 hacking groups were behind the theft of $100 million in Ethereum from Harmony Horizon in June 2022.
Harmony Horizon is a cross-chain bridge for Ethereum that suffered an attack in June 2022, allowing hackers to take control of a MultiSigWallet contract and use it to transfer large amounts of tokens to their addresses.
For more details on the technical aspects of the attack, CertiK published a report describing the attack flow and the actions taken by the threat actors to siphon off millions.
Yesterday the FBI confirmed that two North Korean hacking groups, Lazarus and APT38, were behind the attack.
Hacking groups Lazarus and APT38 are linked to the Democratic People’s Republic of Korea (DPRK) and have a history of stealing cryptocurrency assets on behalf of the government.
The FBI says North Korean hacking groups are stealing and laundering virtual currency to support their country’s ballistic missile and weapons of mass destruction programs.
In this case, the FBI was able to link Lazarus to the heist through one of the threat group’s laundering efforts last week.
On January 13, hackers attempted to move 41,000 ETH ($63.5 million) via Railgun before depositing the funds to numerous addresses at three cryptocurrency exchanges.
At least 350 of these addresses have been identified as being under the direct control of the Lazarus Group.
The hackers converted some of these moved funds into Bitcoin, and the FBI seized an unspecified portion by working closely with virtual asset service providers.
The FBI says the remaining converted funds are now stored in the following Bitcoin addresses.
Binance announced at the time that, together with Huobi, it had managed to intercept 124 BTC stolen from Harmony Horizon, worth around $2.5 million.
In addition, all accounts used in the money laundering activity have been frozen.
Past Lazarus attacks
North Korean hackers have long targeted cryptocurrency companies to steal assets to fund their country’s initiatives.
It was later revealed that the hackers carried out this attack after sending a maliciously laced PDF file containing a lucrative job offer to one of the blockchain engineers.