The FBI has confirmed that the North Korean state-sponsored hacking groups Lazarus and APT38 are responsible for the theft of $100 million worth of Ethereum from Harmony Horizon, a cross-chain bridge for Ethereum, in June 2022. The breach allowed the attackers to take control of a MultiSigWallet contract, which they used to transfer large amounts of tokens to addresses they controlled.
Certik, a cybersecurity firm, released a report detailing the technical aspects of the theft, including the steps the hackers took to siphon millions of dollars worth of Ethereum. The FBI was able to confirm the involvement of Lazarus and APT38 because of the groups' laundering activity last week.
Links to North Korea
Both Lazarus and APT38 have links to the Democratic People’s Republic of Korea (DPRK) and have a history of stealing cryptocurrency assets on behalf of the government. The FBI states that North Korean hacking groups steal and launder virtual currency to support their country’s ballistic missile and weapons of mass destruction programs.
On January 13th, the hackers attempted to move 41,000 ETH ($63.5 million) through Railgun before depositing the funds into many addresses at three cryptocurrency exchanges. At least 350 of these addresses have been identified as being under the direct control of the Lazarus group. The hackers then converted some of the moved funds to Bitcoin. The FBI seized an undisclosed portion by working closely with virtual asset service providers, and has also published the Bitcoin addresses where the remaining converted funds are now stored:
Bitcoin addresses identified in crypto theft
- 1BK769SseNefb6fe9QuFEi8W4KGbtP8gi3
- 15FcqYRbwh2JsRUyBjvZ4jJ2XAD3pycGch
- 1HwSof6jnbMFpfrRRa2jvydYdopkkGB4Sn
- 15emeZ7buVegqhYh9PekH7cwFEJcCeVNpS
- 3MSbCJCYtx5sj1nkzD4AMEhhvvviXBc8XJ
- 17Z79rZpkk8kUiJseg5aELwYKaoLnirMUn
- bc1qp2vvntdedxw4xwtyd4y3gc2t9ufk6pwz2ga4ge
- 3P9WebHkiDxCi8LDXiRQp8atNEagcQeRA3
- 37fnBxofDeph2fpBZxZKypNkwdXAt9nT6F
- 185NxhFAmKZrdwn9rVga3kqbvDP4FkbTNw
- 12283Cq1pJ3f1gXwqi6K3bRf5LZb8Bkm6g
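For an exchange or custodian, the practical use of a published list like the one above is screening: check incoming and outgoing transactions against the list, and optionally walk one or two hops forward so that funds that have already been moved out of a listed address are still caught. The script below is an added illustration of that screening logic and is not code from the article, Certik or the FBI. It embeds the addresses exactly as listed above, performs a syntactic sanity check on them (no checksum verification), and runs a forward taint walk over a small batch of constructed sample transactions; the transaction IDs and the non-listed addresses in that batch are placeholders, not real chain data.

```python
"""Screen a batch of Bitcoin transactions against the FBI-published address list.

Added example (not from the article or the FBI). Sample transactions below are
constructed placeholders; only the watchlist entries are real, copied from the list.
"""
import re
from collections import deque

# Addresses published by the FBI, copied verbatim from the article's list.
FBI_ADDRESSES = frozenset({
    "1BK769SseNefb6fe9QuFEi8W4KGbtP8gi3",
    "15FcqYRbwh2JsRUyBjvZ4jJ2XAD3pycGch",
    "1HwSof6jnbMFpfrRRa2jvydYdopkkGB4Sn",
    "15emeZ7buVegqhYh9PekH7cwFEJcCeVNpS",
    "3MSbCJCYtx5sj1nkzD4AMEhhvvviXBc8XJ",
    "17Z79rZpkk8kUiJseg5aELwYKaoLnirMUn",
    "bc1qp2vvntdedxw4xwtyd4y3gc2t9ufk6pwz2ga4ge",
    "3P9WebHkiDxCi8LDXiRQp8atNEagcQeRA3",
    "37fnBxofDeph2fpBZxZKypNkwdXAt9nT6F",
    "185NxhFAmKZrdwn9rVga3kqbvDP4FkbTNw",
    "12283Cq1pJ3f1gXwqi6K3bRf5LZb8Bkm6g",
})

# Base58 (P2PKH/P2SH) and bech32 (segwit) address shapes; syntactic only, no checksum.
_BASE58_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
_BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{6,87}$")


def normalize(addr: str) -> str:
    """Trim whitespace; bech32 is case-insensitive so fold it to lowercase.
    Base58 addresses are case-sensitive and are left untouched."""
    addr = addr.strip()
    return addr.lower() if addr[:3].lower() == "bc1" else addr


def is_plausible_address(addr: str) -> bool:
    """Catch obvious copy/paste damage in a watchlist entry (wrong charset or length)."""
    a = normalize(addr)
    return bool(_BASE58_RE.match(a) or _BECH32_RE.match(a))


def taint(transactions, watchlist, hops: int = 1) -> dict:
    """Forward taint walk: an output address of any transaction spending from a tainted
    address becomes tainted one hop further out. Returns {address: hop distance},
    where distance 0 means the address is on the watchlist itself."""
    watch = {normalize(a) for a in watchlist}
    distance = {a: 0 for a in watch}
    # Index transactions by the addresses they spend from, for the forward walk.
    spends = {}
    for tx in transactions:
        for src in tx["inputs"]:
            spends.setdefault(normalize(src), []).append(tx)
    frontier = deque(watch)          # BFS, so the first visit is the shortest distance
    while frontier:
        addr = frontier.popleft()
        d = distance[addr]
        if d >= hops:
            continue
        for tx in spends.get(addr, []):
            for dst in tx["outputs"]:
                dst = normalize(dst)
                if dst not in distance:
                    distance[dst] = d + 1
                    frontier.append(dst)
    return distance


def flag_transactions(transactions, distance: dict) -> list:
    """Return [(txid, reason)] for every transaction that touches a tainted address."""
    flagged = []
    for tx in transactions:
        for role, addrs in (("input", tx["inputs"]), ("output", tx["outputs"])):
            hit = next((a for a in addrs if normalize(a) in distance), None)
            if hit is not None:
                flagged.append((tx["txid"],
                                f"{role} {hit} is {distance[normalize(hit)]} hop(s) from FBI list"))
                break
    return flagged


# Constructed sample batch: placeholder txids and placeholder non-listed addresses.
SAMPLE_TXS = [
    {"txid": "tx-a", "inputs": ["1BK769SseNefb6fe9QuFEi8W4KGbtP8gi3"],
     "outputs": ["PLACEHOLDER-ADDR-X", "PLACEHOLDER-ADDR-Y"]},
    {"txid": "tx-b", "inputs": ["PLACEHOLDER-ADDR-X"], "outputs": ["PLACEHOLDER-ADDR-Z"]},
    {"txid": "tx-c", "inputs": ["PLACEHOLDER-ADDR-C"], "outputs": ["PLACEHOLDER-ADDR-D"]},
]

if __name__ == "__main__":
    bad = [a for a in FBI_ADDRESSES if not is_plausible_address(a)]
    print("watchlist entries failing syntax check:", bad)
    for txid, reason in flag_transactions(SAMPLE_TXS, taint(SAMPLE_TXS, FBI_ADDRESSES, hops=1)):
        print(txid, "->", reason)
```

With `hops=1`, tx-a is flagged because it spends directly from a listed address and tx-b is flagged because its input received funds from that transaction; tx-c is untouched. Raising `hops` extends the walk, at the cost of more false positives as the funds mix with unrelated flows, which is why the hop distance is reported alongside each hit rather than collapsed into a yes/no answer.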
At the time of the attack, Binance and Huobi announced that they had managed to intercept 124 BTC stolen from Harmony Horizon, worth approximately $2.5 million. Furthermore, all accounts used in the laundering activity were frozen.
North Korean hackers have a long history of targeting cryptocurrency companies to steal assets to fund their country’s initiatives. Lazarus began targeting cryptocurrency users by spreading trojanized cryptocurrency wallets and trading apps to steal victims’ wallets. In April 2022, the U.S.