Jan 24, 2023
Ravie Lakshmanan
The U.S. Federal Bureau of Investigation (FBI) on Monday
confirmed that North Korean threat actors were responsible for the
theft of $100 million in cryptocurrency assets from Harmony Horizon Bridge[1]
in June 2022.
The law enforcement agency attributed the hack to the Lazarus Group[2]
and APT38[3], the latter of which is
a North Korean state-sponsored threat group that specializes in
financial cyber operations.
The FBI further stated the Harmony intrusion leveraged an attack
campaign dubbed TraderTraitor[4]
that was disclosed by the U.S. Cybersecurity and Infrastructure
Security Agency (CISA) in April 2022.
The campaign relies on social engineering: posing as recruiters, the
actors lure employees of cryptocurrency companies into downloading
trojanized applications under the guise of a seemingly benign job
offer.
“On Friday, January 13, 2023, North Korean cyber actors used
RAILGUN, a privacy protocol, to launder over $60 million worth of
ethereum (ETH) stolen during the June 2022 heist,” the FBI said[5]. “A portion of this
stolen ethereum was subsequently sent to several virtual asset
service providers and converted to bitcoin (BTC).”
A portion of the stolen funds has been frozen in coordination with
virtual asset service providers, while the remaining bitcoin is
said to have been moved to 11 different actor-controlled wallets.
It’s worth noting that fund movement related to the Harmony One
hack was first uncovered[6]
last week by a blockchain researcher who goes by the online alias
ZachXBT. According to Binance founder Changpeng Zhao[7], 124 BTC (roughly $2.84
million as of writing) have been recovered after the transfers were
blocked.
A subsequent attempt to transfer the stash to another crypto
exchange called Huobi was also thwarted, Zhao said in a tweet[8]
shared on January 16, 2023.
Crypto tracking and anti-money laundering platform MistTrack, in
its own analysis, revealed[9]
that the ill-gotten gains were moved from the Bitcoin blockchain to
the Avalanche, Ethereum, and Tron networks via a cross-chain path
chosen to obfuscate the trail.
The cryptocurrency heists are part of a broader pattern of malicious[10] cyber[11] activity[12] orchestrated by North
Korea's intelligence apparatus, the Reconnaissance General Bureau,
to generate substantial revenue for the sanctions-hit nation by
stealing money from financial institutions, including the FASTCash
ATM cash-out scheme that CISA attributes to the group it tracks as
BeagleBoyz.
The development also comes amid a string of ransomware attacks
targeting DNV[13], Costa Rica’s Ministry
of Public Works and Transport (MOPT[14]), University of Duisburg-Essen[15], and Yum! Brands[16] over the past few
weeks.
Data gathered by blockchain analytics company Chainalysis shows
that ransomware actors extorted at least $456.8 million from
victims in 2022, down from a high of $765 million and $766 million
in 2020 and 2021, respectively.
“However, that doesn’t mean attacks are down,” it said[17] in a report published
the previous week. “Instead, we believe that much of the decline is
due to victim organizations increasingly refusing to pay ransomware
attackers.”
References
[1] Harmony Horizon Bridge (thehackernews.com)
[2] Lazarus Group (thehackernews.com)
[3] APT38 (www.mandiant.com)
[4] TraderTraitor (thehackernews.com)
[5] said (www.fbi.gov)
[6] uncovered (twitter.com)
[7] Changpeng Zhao (twitter.com)
[8] tweet (twitter.com)
[9] revealed (twitter.com)
[10] malicious (www.cisa.gov)
[11] cyber (thehackernews.com)
[12] activity (thehackernews.com)
[13] DNV (www.dnv.com)
[14] MOPT (www.micitt.go.cr)
[15] University of Duisburg-Essen (www.uni-due.org)
[16] Yum! Brands (www.yum.com)
[17] said (blog.chainalysis.com)
Read more https://thehackernews.com/2023/01/fbi-says-north-korean-hackers-behind.html