Three digital investigation firms have concluded that North Korean hackers were most likely behind an attack last week that resulted in the theft of as much as $100 million in cryptocurrency from a U.S. company.
Horizon Bridge, a service operated by the Harmony blockchain that allows assets to be transferred to other blockchains, was compromised on June 23.
Since then, the activity of the hackers suggests they may have ties to North Korea, which is among the most prolific cyber attackers, according to experts. UN sanctions monitors assert that Pyongyang uses the stolen funds to finance its nuclear and missile programs.
On Tuesday, Chainalysis, a blockchain company working with Harmony to investigate the attack, said on Twitter that the attack’s style and the high velocity of structured payments to a mixer – used to conceal the origin of funds – are similar to previous attacks attributed to North Korea-linked actors.
This conclusion was supported by additional researchers.
“Based on transaction behavior, this appears to be a North Korean hack,” said Nick Carlsen, a former FBI analyst who now investigates North Korean cryptocurrency thefts for the American company TRM Labs.
Based on the nature of the hack and the subsequent laundering of the stolen funds, there are strong indications that North Korea’s Lazarus Group is responsible for this theft, according to a report published on Thursday by Elliptic.
The report stated, “The thief is attempting to trace the transactions back to the initial theft.” This facilitates the withdrawal of funds at an exchange.
If confirmed, this would be the eighth exploit this year, totaling $1 billion in stolen funds, that could be confidently attributed to North Korea, accounting for 60% of all funds stolen in 2022, according to Chainalysis.
In recent years, North Korea has poured resources into stealing cryptocurrencies, making it a formidable hacking threat and leading to one of the largest cryptocurrency heists on record in March, according to the U.S. Treasury.
North Korea’s ability to monetize its stolen assets may have been hampered by the recent decline in cryptocurrency values, experts and South Korean officials told Reuters, potentially jeopardizing a significant source of funding for the sanctions-stricken nation.
Cyberattacks generated an estimated $2 billion for North Korea’s weapons of mass destruction programs in 2019, according to sanctions monitors.
The International Campaign to Abolish Nuclear Weapons of Geneva estimates that North Korea spends approximately $640 million annually on its nuclear arsenal. According to South Korea’s central bank, the country’s GDP is anticipated to be approximately $27.4 billion in 2020.
Pyongyang’s official revenue sources are more limited than ever due to self-imposed border closures to combat COVID-19. China, North Korea’s largest trading partner, reported in 2021 that it had imported just over $58 million worth of goods from the country, the lowest level of official bilateral trade in decades. Official statistics do not account for smuggling.
Aaron Arnold of the RUSI think tank in London stated that North Korea receives only a fraction of what it steals because it must use brokers willing to convert or purchase cryptocurrencies with no questions asked. According to a February report by the Center for a New American Security (CNAS), North Korea receives only one-third of the value of the stolen currency in some transactions.
After stealing cryptocurrency, North Korea sometimes converts it to Bitcoin, then finds brokers willing to purchase it at a discount in exchange for foreign currency.