FBI catches up with infosec and crypto communities, blames Lazarus Group for $100 million heist
Well played, feds. What's next? Ransomware is rampant? Strong passwords are important?
The FBI has confirmed what cybersecurity researchers have been saying for months: the North Korean-sponsored Lazarus Group was behind the theft last year of $100 million in crypto assets from blockchain startup Harmony.
Attackers on June 22, 2022, hit Harmony's Horizon Bridge – a cross-chain service used to transfer assets between Harmony's blockchain and other blockchains – and stole Ethereum, Wrapped Bitcoin, Binance Coin, and Tether.
In its January 23 statement on the matter, the FBI said the attack on Harmony was part of a North Korean malware campaign named "TraderTraitor."
The federal investigators said that on January 13, unnamed North Korean criminals used the privacy protocol Railgun to launder more than $60 million of Ethereum stolen during the Horizon Bridge hack and that a portion of the stolen Ethereum was then sent to several virtual asset service providers and converted to Bitcoin.
Some of the funds were frozen, while the remaining Bitcoin was sent to almost a dozen addresses. Two crypto exchanges – Binance and Huobi – froze the accounts used by Lazarus Group to launder the stolen Harmony assets.
The FBI is not the first to name Lazarus Group (aka APT38, Hidden Cobra) as the perpetrator of the attack. In 2022, blockchain analytics outfit Elliptic linked the North Korean group to the Horizon Bridge incident by tracking the attacker's on-chain movements following the breach – including the conversion of most of the stolen assets into 85,837 Ethereum using the Uniswap decentralized exchange.
The thief then moved the Ethereum into Tornado Cash – a mixer used to launder stolen crypto assets. By tracing the assets and considering the Lazarus Group's established interest in attacking decentralized finance (DeFi) services such as cross-chain bridges – and its alleged connection with the theft of $620 million of crypto from Sky Mavis, maker of the Axie Infinity video game – Elliptic concluded that the Lazarus Group attacked Horizon Bridge.
The FBI has long said that the North Korean government uses crime – including stealing cryptocurrencies – to help fund its programs for ballistic missiles and weapons of mass destruction. The money helps the secretive regime get around strict economic sanctions imposed by the US and other countries for its provocative actions and human rights violations.
Cryptocurrency also helps cyber criminals to go about their business by making it easier for threat groups to receive and launder the proceeds of their campaigns.
Legitimate crypto and decentralized finance (DeFi) operations are often victims of those attacks. Blockchain research firm Chainalysis revealed that in the first four months of 2022, attackers stole $1.68 billion in crypto – more than 90 percent of that coming from DeFi outfits.
The FBI said it and other US agencies will continue to attack North Korea's cyber crime activities. The Treasury Department last year slapped sanctions on both Tornado Cash and another crypto mixer, Blender – in large part for their work helping the Lazarus Group launder stolen crypto assets. ®