North Korean Hackers Stole $100 Million in Crypto Heist

The FBI has confirmed that North Korean hackers were behind the $100 million cryptocurrency theft from Harmony’s Horizon Bridge last June. The cybercriminal group known as Lazarus Group, backed by the North Korean regime, carried out the audacious digital heist.

The announcement verifies earlier findings by blockchain analysis firm Elliptic, the first to link the Harmony hack to North Korea based on similarities to previous attacks by the Lazarus Group.

The Horizon Bridge facilitates transfers between different blockchain networks. According to Bloomberg, hackers exploited the bridge on June 29th, 2022, and stole nearly $100 million in cryptocurrency. Security experts had previously warned that Horizon’s centralized structure made it vulnerable to social engineering attacks frequently used by the Lazarus Group.

Harmony Protocol's Horizon bridge was hacked and $100 million were drained earlier today.

The bridge was essentially a 2 of 5 multisig. If any 2 addresses told it to transfer funds to someone, it did.

The hacker compromised 2 addresses and made them drain the money. 🧵👇 pic.twitter.com/hv1JWDy9WQ

— Mudit Gupta (@Mudit__Gupta) June 24, 2022

After stealing the funds, the North Korean hackers laundered the stolen crypto through Tornado Cash, a mixer service used to obscure transaction trails. Elliptic researchers detected patterns matching the Lazarus Group’s methods from the $540 million Ronin Bridge hack, also laundered via Tornado Cash.

The U.S. Treasury subsequently sanctioned Tornado Cash in August 2022 due to its widespread use by the Lazarus Group and other criminal groups. Elliptic estimates over $555 million connected to North Korea flowed through the mixer, including $468 million from Ronin and $96 million from Harmony.

North Korean Hackers Shift Crypto Tactics

After Tornado Cash was sanctioned, the North Korean hackers appear to have shifted tactics. In January 2023, they began depositing a significant portion of the Harmony funds, around 70%, into Railgun – an alternative crypto-mixing service.

However, by representing such a large share of Railgun’s total volume, the North Korean transactions stood out and undermined the mixer’s anonymity protections. To use an analogy, it would be like throwing 70 pennies into a jar of only 30 pennies—making it easier to trace the origins.

Ultimately, the Lazarus Group deposited some of the laundered Harmony hack funds into Binance and Huobi exchanges. Both platforms have identified, blocked, and seized portions of the illicit crypto holdings.

This case highlights how law enforcement and blockchain analytics firms can still follow the money trail, even when mixed services are involved. It demonstrates crypto exchanges’ increasing capability to detect and seize funds linked to sanctioned entities like North Korea.

Related Reading | Solana Developers Roll Out Software Update to Tackle Network Congestion