Following the $100 million hack of the Harmony protocol in June 2022, the FBI announced Monday it has concluded that the North Korean hacker organization Lazarus Group was behind it.
Over $60 million of ETH stolen during the heist was laundered on January 13, six months after the fact. That allowed the law enforcement agency to confidently identify the Lazarus Group and APT38—another North Korean cyber group—as the architects of the crime.
It was reported that the hackers used RAILGUN, a privacy protocol, in an attempt to obscure their transactions. Despite this, a portion of the funds was frozen and recovered by exchanges when the hackers attempted to swap them for Bitcoin. The unrecovered funds were subsequently sent to 11 Ethereum addresses.
According to an announcement, the FBI and its investigative partners will “continue to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and Weapons of Mass Destruction programs.”
Blockchain analysts, in the immediate aftermath of June’s Harmony hack, tied the exploit to Lazarus Group using a combination of on-chain sleuthing and comparisons to previous hacks committed by the group.
The hack targeted a cross-chain bridge connecting Harmony, a layer-1 blockchain, to Ethereum, Bitcoin, and Binance Chain. The strategy echoes previous attacks linked to Lazarus Group, including a massive $622 million hack last April of Ronin Network, an Ethereum sidechain used by play-to-earn crypto game Axie Infinity.
The announcement added, “The FBI will continue to expose and combat the DPRK’s use of illicit activities—including cybercrime and virtual currency theft—to generate revenue for the regime.”
North Korea-linked cyber groups have also reportedly expanded their activities beyond hacks. In late December, it was suggested that the Lazarus Group is also pretending to be venture capitalists, potential employers, and banks.
“Intrusions begin with a large number of spear phishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms,” according to a federal cybersecurity alert issued last April. “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.”
