According to researchers at Elliptic Connect, the $100 million in crypto assets stolen from Horizon Bridge might have been the work of the Korean Lazarus group.
On June 23, Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB worth almost $100 million in crypto were stolen from the Horizon Bridge.
Using the decentralized exchange UniSwap, these assets were converted to a total of 85,837 ETH.
On June 27, the thief began sending the ETH through Tornado Cash. Up to now, just over 35,000 Ether ($39 million) of the stolen funds have been sent to Tornado Cash, and the process is ongoing.
The thief is attempting to break the transaction trail back to the original theft by sending these funds through Tornado.
Using its Tornado demixing techniques, Elliptic traced the stolen funds through Tornado Cash to a number of new Ethereum wallets.
(Moreover, exchanges and other crypto businesses can use Elliptic’s transaction screening software to detect any incoming funds that originate from the Horizon Bridge Hack, despite the use of the Tornado Cash mixer.)
A thorough analysis of the stolen funds by Elliptic led them to conclude that the Lazarus group is behind this theft:
- The theft took place by compromising the cryptographic keys of a multi-signature wallet. This was likely achieved through a social engineering attack on Harmony team members, a technique the Lazarus Group is known to have used.
- The Lazarus Group has also been known to target APAC-based organizations, perhaps for language reasons. Many of Horizon's core team had links to the APAC region.
- The deposits into Tornado are taking place regularly over an extended period of time, indicating an automated process.
- The short periods during which the stolen funds stopped being moved out of Tornado Cash are consistent with APAC night-time hours.
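The last two indicators are timing heuristics that any blockchain analyst can reproduce from public transaction timestamps: a near-constant gap between deposits suggests a script rather than a person, and the hours during which activity pauses can be compared against the night-time hours of candidate time zones. The following is an added illustration, not Elliptic's code or method; the deposit timestamps are constructed (one deposit every two hours with a nightly pause at UTC+8), and the thresholds are assumptions chosen for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from statistics import median


def build_sample_timestamps():
    """Constructed sample: one deposit every 2h over 3 days starting
    2022-06-27 00:00 UTC, with no deposits between 16:00 and 22:00 UTC
    (which is 00:00-06:00 local time at UTC+8). Not real chain data."""
    start = datetime(2022, 6, 27, tzinfo=timezone.utc)
    stamps = []
    t = start
    while t < start + timedelta(days=3):
        if not (16 <= t.hour < 22):
            stamps.append(t)
        t += timedelta(hours=2)
    return stamps


def interval_regularity(timestamps, tolerance=timedelta(minutes=15)):
    """Return (median gap, fraction of gaps within `tolerance` of the median).
    A high fraction means the cadence is machine-like; the tolerance is an
    assumed value for this demo."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance)
    return med, regular / len(gaps)


def night_overlap(timestamps, utc_offset_hours, night=(0, 6)):
    """Convert timestamps to a candidate local time zone, find the longest
    run of local hours with zero deposits, and report what fraction of that
    run falls inside the assumed local night window [night[0], night[1])."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    counts = [0] * 24
    for t in timestamps:
        counts[t.astimezone(tz).hour] += 1
    best_start, best_len = 0, 0
    for s in range(24):  # circular scan for the longest empty run
        n = 0
        while n < 24 and counts[(s + n) % 24] == 0:
            n += 1
        if n > best_len:
            best_start, best_len = s, n
    hours = [(best_start + i) % 24 for i in range(best_len)]
    if not hours:
        return hours, 0.0
    in_night = sum(1 for h in hours if night[0] <= h < night[1])
    return hours, in_night / len(hours)


if __name__ == "__main__":
    ts = build_sample_timestamps()
    med, reg = interval_regularity(ts)
    print(f"{len(ts)} deposits, median gap {med}, {reg:.0%} of gaps regular")
    for label, offset in (("UTC+8 (APAC)", 8), ("UTC-4 (US East)", -4)):
        hours, frac = night_overlap(ts, offset)
        print(f"{label}: quiet local hours {hours}, {frac:.0%} in local night")
```

On the constructed data the cadence is regular for 23 of 26 gaps, and the seven-hour quiet window lands almost entirely inside 00:00-06:00 at UTC+8 but nowhere near night-time at UTC-4. Real deposit data is noisier, so an analyst would treat this as one weak signal to combine with others, as the list above does.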
Read Also: US Agencies Advise Against North Korea's Lazarus Hacking Group