North Korean hackers are most likely behind an attack last week that stole as much as $100 million in cryptocurrency from a US company, three digital investigative firms have concluded.
The cryptoassets were stolen on 23 June from Horizon Bridge, a service operated by the Harmony blockchain that allows assets to be transferred to other blockchains.
Since then, activity by the hackers suggests they may be linked to North Korea, which experts say is among the most prolific cyber attackers. UN sanctions monitors say Pyongyang uses the stolen funds to support its nuclear and missile programmes.
The style of attack and high velocity of structured payments to a mixer – used to obscure the origin of funds – is similar to previous attacks that were attributed to North Korea-linked actors, Chainalysis, a blockchain firm working with Harmony to investigate the attack, said on Twitter on Tuesday.
That conclusion was echoed by other investigators.
“Preliminarily this looks like a North Korean hack based on transaction behaviour,” said Nick Carlsen, a former FBI analyst who now investigates North Korea’s cryptocurrency heists for TRM Labs, a US-based firm.
There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds, another firm, Elliptic, said in a report on Thursday.
“The thief is attempting to break the transaction trail back to the original theft,” the report said. “This makes it easier to cash out the funds at an exchange.”
If confirmed, the attack would be the eighth exploit this year – totalling $1 billion in stolen funds – that could be attributed to North Korea with confidence, accounting for 60% of total funds stolen in 2022, Chainalysis said.
North Korea has poured resources into stealing cryptocurrencies in recent years, making it a potent hacking threat and leading to one of the largest cryptocurrency heists on record in March, in which almost $615 million was stolen, according to the U.S. Treasury.
North Korea’s ability to cash in on its stolen assets may have been complicated by the recent drop in cryptocurrency values, experts and South Korean officials told Reuters, possibly threatening a key source of funding for the sanctions-strapped country.
In 2019, sanctions monitors reported that North Korea had generated an estimated $2 billion for its weapons of mass destruction programmes using cyberattacks.
One estimate from the Geneva-based International Campaign to Abolish Nuclear Weapons says North Korea spends about $640 million per year on its nuclear arsenal. The country’s gross domestic product was estimated in 2020 to be around $27.4 billion, according to South Korea’s central bank.
Official sources of revenue for Pyongyang are more limited than ever under self-imposed border lockdowns to combat COVID-19. China – its biggest commercial partner – said in 2021 that it had imported just over $58 million in goods from North Korea, amid some of the lowest levels of official bilateral trade in decades. Official numbers do not include smuggling.
North Korea already only gets a fraction of what it steals because it must use brokers willing to convert or buy cryptocurrencies with no questions asked, said Aaron Arnold of the RUSI think-tank in London. A February report by the Center for a New American Security (CNAS) estimated that in some transactions, North Korea only gets one-third of the value of the currency it has stolen.
After obtaining cryptocurrency in a heist, North Korea sometimes converts it to Bitcoin, then finds brokers who will buy it at a discount in exchange for cash, which is often held outside the country.
“Much like selling a stolen Van Gogh, you’re not going to get fair market value,” Arnold said.
(Edited by Georgi Gotev)