While Horizon Bridge, the Harmony protocol that allows cryptocurrencies to be exchanged between different blockchains, was recently attacked, light is slowly being shed on the attack's origin. According to Elliptic, a firm specializing in on-chain analysis, the North Korean hacker group Lazarus is behind it.
Clarifications on the Harmony Bridge hack
Horizon Bridge, Harmony's protocol that allows cryptocurrencies to be transferred between different blockchains, was recently attacked and suffered a loss of $100 million.
Two days later, the team in charge of the project announced that a reward of $1 million would be paid to anyone with information that would help trace the hacker. That now appears to have been achieved.
Indeed, Elliptic, a company specializing in on-chain data analysis, has reportedly succeeded in tracing the hackers' various transactions, including through the cryptocurrency mixer Tornado Cash, a protocol widely used in hacks to obscure the trail of funds.
In principle, the mixer pools the various transactions sent through its protocol before returning the funds, so that their origin can no longer be traced. However, Elliptic has reportedly developed a technique to "de-mix" funds passing through Tornado Cash.
According to the company, the various transactions thus lead to several new Ethereum (ETH) wallets, and several clues suggest that these could be wallets linked to the North Korean hacker group Lazarus.
The clues point in the same direction
Let us note first that we are dealing here with concordant clues, and that for the moment the Lazarus group has not been officially accused in this matter.
To begin with, according to Elliptic, there is a pattern in the targets chosen by Lazarus. In total, the group has stolen the equivalent of more than $2 billion in cryptocurrencies, and has for some time been focusing on decentralized finance (DeFi) protocols, and specifically on bridges.
As such, the group is suspected of being responsible for the $620 million Ronin bridge hack, the largest hack in the cryptocurrency ecosystem to date. This is not an isolated case, however: bridges are very often involved in major hacks, which highlights a certain fragility of cross-chain protocols.
Still according to Elliptic, the hackers reportedly carried out the attack by compromising the multi-signature wallet system used by Harmony's employees. Again, this is a typical Lazarus tactic.
Furthermore, the funds sent to Tornado Cash appear to have been transferred automatically, judging by the regularity of the delay between each transaction, a similarity with the Ronin hack and other hacks orchestrated by Lazarus.
Finally, the only times when the transfers of funds stopped were during night-time hours in the Asia-Pacific region. This is consistent with an attack originating from that geographic area.
This is only an initial investigation, and Elliptic has announced that it will continue to actively monitor the movements of these wallets.
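The two timing heuristics attributed to Elliptic above, the regularity of the delay between successive transfers and pauses that line up with a regional night, can be checked mechanically from a list of transaction timestamps. The following is an added example, not Elliptic's tooling and not code from the original article: it runs over constructed timestamps that mimic a scripted drain, assumes UTC+8 as the Asia-Pacific reference zone and 00:00-08:00 local time as "night", and treats any gap longer than ten times the median gap as a pause rather than part of the cadence.

```python
"""Timing heuristics for mixer-bound transfers, run over constructed sample data."""
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumed reference zone for "Asia-Pacific night": UTC+8 (an assumption, not from the article).
APAC = timezone(timedelta(hours=8))
NIGHT_HOURS = range(0, 8)  # assumed local night window, 00:00-07:59


def constructed_transfers():
    """Constructed sample: UTC timestamps of outbound transfers to a mixer.

    Mimics a scripted schedule: one transfer every ~600 s with a few seconds of
    deterministic jitter, active 08:00-23:59 UTC+8 on two consecutive days and
    silent overnight. Nothing here is taken from real chain data.
    """
    out = []
    for day in (27, 28):
        start = datetime(2022, 6, day, 8, 0, tzinfo=APAC)
        t, i = start, 0
        while t < start + timedelta(hours=16):
            out.append(t.astimezone(timezone.utc))
            i += 1
            jitter = (i * 37) % 11 - 5  # deterministic jitter in [-5, 5] seconds
            t += timedelta(seconds=600 + jitter)
    return out


def interval_regularity(timestamps, tolerance=0.10, pause_factor=10):
    """Return (median_gap_s, regularity, pauses_s) for a list of timestamps.

    regularity is the fraction of inter-transfer gaps within +/-tolerance of
    the median gap. Gaps longer than pause_factor * median are reported
    separately as pauses and excluded from the cadence score, so an overnight
    silence does not dilute an otherwise clockwork schedule.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    pauses = [g for g in gaps if g > pause_factor * med]
    cadence = [g for g in gaps if g <= pause_factor * med]
    regular = sum(1 for g in cadence if abs(g - med) <= tolerance * med)
    return med, regular / len(cadence), pauses


def hourly_counts(timestamps, tz):
    """Number of transfers per local hour (0-23) in the given zone."""
    counts = [0] * 24
    for t in timestamps:
        counts[t.astimezone(tz).hour] += 1
    return counts


def quiet_hours(timestamps, tz):
    """Local hours in which no transfer was observed at all."""
    return [h for h, c in enumerate(hourly_counts(timestamps, tz)) if c == 0]


def assess(timestamps, tz=APAC):
    """Combine both heuristics into a small attribution-support summary."""
    med, score, pauses = interval_regularity(timestamps)
    quiet = quiet_hours(timestamps, tz)
    return {
        "median_gap_s": med,
        "regularity": score,
        "looks_scripted": score >= 0.9,          # threshold is an assumed cut-off
        "pauses_s": pauses,
        "quiet_hours_local": quiet,
        # True when every silent hour falls inside the assumed night window
        "night_aligned": bool(quiet) and all(h in NIGHT_HOURS for h in quiet),
    }


if __name__ == "__main__":
    for key, value in assess(constructed_transfers()).items():
        print(f"{key}: {value}")
```

On the constructed data every cadence gap sits within a few seconds of the 600 s median, the only long gap is the overnight one, and the silent hours are exactly 00:00-07:59 UTC+8; on real chain data the same two signals would be read as supporting evidence only, since a schedule and a quiet window can both be chosen deliberately to mislead.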