The Lazarus Group a North Korean hacking group believed to be supported by the Kim regime – is likely behind last week’s hack of Harmony Bridge, according to a new analysis by blockchain research firm Elliptic.

Lazarus Group is suspected of the recent $100 million altcoin theft from Harmony Horizon Bridge, citing similarities to the Ronin bridge attack in March 2022.

North Korean hackers grew increasingly in 2021 they stole an estimated $400 million, mostly in ether. The total for 2022 has already far surpassed that figure.

The finding comes as Harmony confirmed that its Horizon Bridge, a platform that allows users to move cryptocurrency across different blockchains, had been breached last week.

Hackers Begin Laundering Stolen Ethereum

The incident involved the exploiter carrying out multiple transactions on June 23 that extracted tokens stored in the bridge and subsequently made away with about $100 million in cryptocurrency.

The hackers sent three transactions from the address used in the June 23rd hack totaling around 30K ETH (around $36 million) to the mixing service Tornado Cash, with $64 million still in the hacker’s Ethereum wallet, according to blockchain analysis by the blockchain security company.

According to Elliptic, the attackers converted the stolen assets to 85,837 ETH following the hack and, beginning on June 27th, began to send some of the ETH through Tornado Cash, a mixer commonly used to launder illegally-obtained crypto. So far, approximately 35,000 ETH – 41% of the total funds stolen – have been sent to Tornado Cash.

Exploit of the Harmony protocol

Though initially reported as an exploit of the Harmony protocol, the company has since declared that it has “found no evidence in any breaches of our smart contract codes nor vulnerabilities on the Horizon platform.”

Harmony Protocol offered $10 million for the return of the bridge funds, saying on Twitter that the company would not advocate for criminal charges if the funds were returned by July 4, 2022, 11 p.m. GMT. 

Harmony has since notified all cryptocurrency exchanges and involved law enforcement and blockchain forensic firms to help in the recovery of stolen assets. 

After the hack, Harmony assured its users that the theft did not impact its BTC bridge and that the company was working with national authorities and forensic specialists to identify the culprit and retrieve the funds. In addition, Harmony increased its security measures.

Elliptic’s analysis highlights that the Harmony Bridge hack that point to the Lazarus Group, including the automated deposits into Tornado Cash that mimic programmatic laundering of the Ronin Bridge funds, as well as the timing of the theft, which correlates with Asia-Pacific (APAC) nighttime hours.

“The relatively short periods during which the stolen funds stop being moved out of Tornado cash are consistent with [Asia-Pacific] nighttime hours, Elliptic added. “Although no single factor proves the involvement of Lazarus”.