Cryptocurrency experts now suspect that North Korea was behind last week’s $100 million heist at blockchain provider Harmony.
“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft,” says blockchain analytics firm Elliptic.
The hacker behind the heist has already been spotted laundering the stolen assets through a cryptocurrency-mixing service dubbed Tornado Cash in an effort to prevent authorities from tracking the ill-gotten gains.
The same activity is raising eyebrows because the culprit behind a separate $622 million theft at the Ronin Network blockchain in March also laundered the funds through Tornado Cash. The FBI later linked the incident to Lazarus, an infamous North Korean hacking group with an appetite for stealing cryptocurrencies.
The evidence that Lazarus is behind the Harmony hack is still circumstantial. However, Elliptic says the way the money is being laundered matches with how Lazarus has previously operated.
“The regularity of the deposits into Tornado over extended periods of time suggests that an automated process is being used,” the company says. “We have observed very similar programmatic laundering of funds stolen from the Ronin Bridge, which has been attributed to Lazarus, as well as a number of other attacks linked to the group.”
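One way to make the “regularity of the deposits” heuristic concrete is to measure how evenly spaced a wallet’s mixer deposits are and how uniform their sizes are. The script below is an added illustration for this article, not Elliptic’s or Chainalysis’s methodology, and it runs on constructed sample deposits rather than real chain data; the thresholds are assumptions chosen for the demonstration.

```python
from statistics import mean, pstdev

# Constructed sample data (not real chain records): (unix timestamp, amount in ETH).
# A bot-like pattern: one 100 ETH deposit every 10 minutes for two hours.
REGULAR_DEPOSITS = [(1_656_000_000 + i * 600, 100.0) for i in range(12)]

# A human-like pattern: irregular gaps (minutes to days) and assorted amounts.
IRREGULAR_DEPOSITS = [
    (1_656_000_000, 3.2),
    (1_656_004_100, 47.0),
    (1_656_090_500, 0.9),
    (1_656_091_000, 12.5),
    (1_656_250_000, 100.0),
    (1_656_251_800, 5.0),
]


def interval_cv(deposits):
    """Coefficient of variation of the gaps between consecutive deposits.

    0.0 means perfectly even spacing; values near or above 1 mean bursty,
    irregular timing. Returns None when there are too few gaps to judge.
    """
    times = sorted(t for t, _ in deposits)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def modal_amount_share(deposits):
    """Fraction of deposits whose amount equals the most common amount."""
    amounts = [amount for _, amount in deposits]
    most_common = max(set(amounts), key=amounts.count)
    return amounts.count(most_common) / len(amounts)


def assess_deposits(deposits, min_count=6, max_cv=0.25, min_modal_share=0.8):
    """Flag a deposit series as likely automated when it is long enough,
    evenly timed (low interval CV) and dominated by one fixed amount.

    Thresholds are illustrative assumptions, not published analyst criteria.
    """
    cv = interval_cv(deposits)
    share = modal_amount_share(deposits)
    likely_automated = (
        len(deposits) >= min_count
        and cv is not None
        and cv <= max_cv
        and share >= min_modal_share
    )
    return {
        "count": len(deposits),
        "interval_cv": cv,
        "modal_share": share,
        "likely_automated": likely_automated,
    }


if __name__ == "__main__":
    for label, series in (("regular", REGULAR_DEPOSITS), ("irregular", IRREGULAR_DEPOSITS)):
        print(label, assess_deposits(series))
```

Because Tornado Cash pools accept fixed denominations, uniform amounts alone say little about who is depositing; the timing regularity is what carries the signal, which is why the assessment requires both. A real analyst would also look at the total span of the activity and at whether the cadence survives across many wallets, rather than relying on one short series.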
The heist apparently happened by compromising multiple machines that stored the private keys for the cryptocurrency assets at Harmony. This suggests the hacker used social engineering attacks, such as phishing messages or malicious apps, to dupe several Harmony employees and gain access to their computers. The tactic matches known techniques North Korean hackers have used to infiltrate cryptocurrency companies.
Another blockchain tracking firm, Chainalysis, also agrees North Korean hackers may have been behind the heist. “The attack vector and high velocity of structured payments to a mixer is similar to previous attacks that were attributed to DPRK-linked actors,” the company said in a tweet.
“If confirmed, this would be the 8th exploit this year—totaling $1 billion in stolen funds—that we can attribute to N. Korea with confidence,” the company adds.
The FBI did not immediately respond to a request for comment. In the meantime, Harmony has been trying to incentivize the hacker to return the stolen funds.
“At this time, the Harmony team has offered one final opportunity for individuals involved to return the assets with anonymity,” the blockchain provider wrote in a blog post. “The final term is they retain $10 million and return the remaining amount, in addition to the team ceasing the investigation.” Harmony has given the hacker until Monday to meet the deadline.