Blockchain analytics firm Elliptic suggested that North Korea’s Lazarus Group could be behind last week’s $100m theft from cryptocurrency firm Harmony.
In an advisory published on Wednesday, the security experts confirmed Harmony’s initial claims that the funds had been stolen from Horizon Bridge, a system enabling the transfer of cryptocurrency across blockchains.
“The stolen crypto-assets included Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB,” reads the document.

“The thief promptly used Uniswap – a decentralized exchange (DEX) – to convert many of these assets into a total of 85,837 ETH. This is a common laundering technique used to avoid seizure of stolen assets.”
Elliptic reportedly tracked the ETH and observed that the threat actors began moving it into Tornado Cash – a tool that is typically used to launder proceeds of crime.
“So far, around 35,000 Ether ($39 million) of the stolen funds has been sent to Tornado Cash, and the process is ongoing,” the security researchers wrote.
“By sending these funds through Tornado, the thief is attempting to break the transaction trail back to the original theft. This makes it easier to cash out the funds at an exchange.”
Despite these attempts, however, Elliptic said it managed to use Tornado demixing techniques to trace the stolen funds to a number of new Ethereum wallets.
“Our analysis of the hack and the subsequent laundering of the stolen crypto-assets also indicates that it is consistent with activities of the Lazarus Group – a cybercrime group with strong links to North Korea.”
According to the cybersecurity experts, while the Lazarus connection cannot be established unequivocally, there are various indicators suggesting the group may be behind the hack.
One of them refers to similarities between the techniques behind the Harmony attack and the $540m hack of Ronin Bridge, which was eventually traced back to North Korea.
Additional clues linking the group to the Harmony hack include the fact that the theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet, the choice of APAC-based targets (Harmony is based in the US, but many of the core team have links to the APAC region) and the apparent use of automated processes to move funds into Tornado.
“Elliptic will continue to monitor the stolen funds as the laundering progresses, and will update its tools to reflect the movement of these assets,” Elliptic concluded.
Some parts of this article are sourced from:
www.infosecurity-magazine.com