North Korean hackers launder $27M ETH from Harmony Bridge attack

Own this piece of history

North Korean exploiters behind the Harmony Bridge attack continue to launder the funds stolen in June 2022. According to on-chain data revealed on Jan. 28 by blockchain sleuth ZachXBT, the perpetrators moved another $27.18 million in Ethereum (ETH) over the weekend.

The tokens were transferred to six different crypto exchanges, noted ZachXBT in a Twitter thread, without disclosing which platforms had received the tokens. Three main addresses carried out the transactions.

According to ZachXBT, exchanges were notified about the funds transfer and part of the stolen assets were frozen. The movements made by the exploiters to launder the money were very similar to those taken on Jan. 13, when over $60 million was laundered, noted the crypto detective.

Whos active rn？

DPRK just finished laundering another $17.7m+ (11304 ETH) from the Harmony Bridge hack.

S/o to the exchanges who responded quickly on a weekend so funds could be frozen. pic.twitter.com/sUyUScHR4N

— ZachXBT (@zachxbt) January 29, 2023

The funds were moved a few days after the Federal Bureau of Investigation (FBI) confirmed the Lazarus Group and APT38 as the criminals behind the $100 million hack. In a statement, the FBI noted that “through our investigation, we were able to confirm that the Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $100 million of virtual currency from Harmonys Horizon bridge.”

The Harmony Bridge facilitates transfer between Harmony and the Ethereum network, Binance Chain and Bitcoin. A number of tokens worth about $100 million were stolen from the platform on Jun. 23.

Following the exploit, 85,700 Ether was processed through the Tornado Cash mixer and deposited at multiple addresses. On Jan. 13, the hackers started shifting around $60 million worth of the stolen funds via the Ethereum-based privacy protocol RAILGUN. According to an analysis from crypto tracking platform MistTrack, 350 addresses have been associated with the attack through many exchanges in an attempt to avoid identification.

Lazarus is a well-known hacking syndicate that has been implicated in a number of key crypto industry breaches, including the $600 million Ronin Bridge hack last March.