The FBI confirmed that a group of North Korean hackers known as Lazarus Group and APT38 were responsible for the June 24, 2022, Horizon bridge hack that looted Binance, Dai, Ethereum, Tether, and USD coins.
The agency said it successfully stopped the transfer of some stolen assets and subsequently published wallet addresses with purloined cryptocurrencies.
FBI freezes virtual assets stolen in the Horizon bridge crypto theft
The Horizon bridge enables crypto owners to transfer virtual assets between multiple blockchain networks.
According to the FBI, North Korean hackers used a privacy protocol called RAILGUN to launder $60 million in Ethereum stolen during the Horizon bridge hack. The FBI coordinated with platform operators and froze part of the loot, but hackers succeeded in transferring and converting some stolen virtual assets into Bitcoin.
“On Friday, January 13, 2023, North Korean cyber actors used Railgun, a privacy protocol, to launder over $60 million worth of Ethereum (ETH) stolen during the June 2022 heist,” the FBI said. “A portion of this stolen Ethereum was subsequently sent to several virtual asset service providers and converted to Bitcoin (BTC).”
The FBI also published a list of 11 wallets used to launder the crypto stash that North Korean hackers illegally acquired during the Horizon bridge crypto theft.
Harmony had unsuccessfully offered to drop all criminal charges and a $1 million bounty for the return of the stolen Horizon bridge funds.
North Korea’s billion-dollar crypto theft industry
A London-based blockchain analytics firm Elliptic had immediately attributed the Horizon bridge hack to the Lazarus group.
Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, said Lazaurus’ role in the Horizon bridge crypto theft was hardly surprising.
“Lazarus is known for stealing cryptocurrency by exploiting machine identities, so it’s no surprise that the Harmony attack has been attributed to it When disclosing the breach,” said Bocek. “Harmony provided evidence that its private keys – a core component of machine identity – were compromised, opening the door to Lazarus and enabling it to decrypt data and siphon off funds. This shows the power of machine identities falling into the wrong hands.”
US authorities, cybersecurity and crypto analysis firms have accused North Korea of stealing at least $1 billion in crypto assets. According to the South Korean government, North Korea earned $89 million from exports in 2020, making crypto theft among the country’s leading foreign exchange earners.
In 2022, the FBI attributed the $600 million Ronin network bridge crypto theft to the North Korean hacking group Lazarus. The Ronin crypto heist involved 173,600 Ether and 25.5 million in USD Coins and was the largest in history. The incident prompted the U.S. Treasury Department to impose sanctions on addresses that received the Ronin crypto loot banning Americans from trading with them.
Similarly, the New York City-based blockchain analysis firm Chainalysis accused Lazurus of stealing cryptocurrency worth $400 million in 2021. By Q3 2022, the analytics firm estimated that multiple threat actors, including Lazarus, had stolen over $2 billion in 13 cross-chain bridge hacks.
Meanwhile, the FBI affirms that US authorities are committed to identifying and disrupting North Korea’s theft and laundering of virtual currency that supports the regime’s ballistic missile and Weapons of Mass Destruction programs.
“Our research has also shown that attacks from North Korean threat groups – such as Lazarus – are often financial in nature,” Bocek added. “Cybercrime has become an essential cog in the survival of Kim’s dictatorship, enabling North Korea to evade international sanctions and fund its weapons programmes.”