FBI: North Korean hacking group Lazarus behind $100 million crypto heist

The FBI accused the notorious North Korean hacker group Lazarus of stealing $100 million from a United States-based cryptocurrency firm last year. 

During a crypto heist at the end of June, Lazarus allegedly hacked Horizon Bridge, a service that allows people to move virtual assets between different blockchain networks and is owned by the blockchain company Harmony.

The FBI's statement on Monday is the first official attribution of the Horizon hack to a North Korean state-sponsored group. Researchers at blockchain analytics firm Elliptic linked it to Lazarus a few days after the incident.

According to the FBI, this is yet another case of North Korea’s theft and laundering of virtual currency that its government allegedly uses to support its ballistic missile and weapons of mass destruction programs.

“Cybercrime has become an essential cog in the survival of Kim’s dictatorship, enabling North Korea to evade international sanctions and fund its weapons programs,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“This means that any company that offers a financial gain to North Korean threat groups could be a target, particularly in the relatively unregulated cryptocurrency industry.”

How the FBI identified culprits

The hackers exposed themselves while trying to launder the money stolen from Horizon. 

In January 2023, Lazarus began sending the funds through a privacy protocol called Railgun, which functions similarly to a cryptocurrency mixer service. Before that, Lazarus had used the now-sanctioned Tornado Cash mixer to hide its transaction trail, according to Elliptic.

Elliptic’s research suggests that around 70% of funds that have been sent through Railgun to date came from the Harmony hack. 

However, the fact that funds from the Harmony hack comprised such a substantial volume of the Ether passing through Railgun renders the mixing ineffective, Elliptic said.

After sending the funds through Railgun (about $60 million worth of Ethereum, according to the FBI), Lazarus deposited them into three crypto exchanges. Two of them, Binance and Huobi, have announced that they have identified, blocked, and seized a portion of the funds, according to Elliptic.

The remaining $40 million in stolen bitcoin were moved to 11 cryptocurrency wallets, whose addresses were disclosed by the FBI.

How Lazarus hacked Horizon

According to the FBI, Lazarus used malware dubbed TraderTraitor to carry out the attack.

Lazarus typically spreads this malware, which supports macOS and Windows operating systems, through fake job ads posted on various social media platforms, according to a researcher at blockchain security firm SlowMist who goes by 23pds on Twitter.

The hackers’ main targets are people involved in IT operations, software creation, and system administration at crypto companies, he said.

TraderTraitor then disguises itself as software for various cryptocurrency platforms in the hopes that Lazarus’ victims will download it.

After stealing $100 million from Horizon Bridge, hackers used a decentralized exchange called Uniswap to convert the Ethereum-based assets into a total of 85.8 ETH. “This is a common laundering technique used to avoid seizure of stolen assets,” according to Elliptic.

Then Lazarus began to move the ETH into the Tornado Cash mixer, which helps to hide the origin of the funds and makes it easier to cash out at an exchange, according to Elliptic.

The U.S. Treasury Department claims that Tornado Cash has been “used to launder more than $7 billion worth of virtual currency since its creation in 2019,” including nearly half a billion dollars stolen by Lazarus.

Lazarus crypto heist

Lazarus is believed to have stolen over $2 billion in crypto assets from crypto exchanges and decentralized finance services, according to Elliptic. For example, it is allegedly responsible for the $540 million hack of Ronin Bridge in April 2022.

The group typically compromises the cryptographic keys of a multi-signature wallet through social engineering attacks.

“Lazarus is known for stealing cryptocurrency by exploiting machine identities,” Bocek said. 

He added that Harmony provided evidence that its private keys — a core component of machine identity — were compromised, opening the door to Lazarus and enabling it to decrypt data and siphon off funds.

“This shows the power of machine identities falling into the wrong hands,” he said.

Jonathan Greig contributed reporting to this story. 

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.