Recently, the Horizon bridge suffered an attack, leading to the theft of over $100 million in crypto assets. The stolen cryptocurrencies included Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB.
Blockchain analysis firm Elliptic has followed the trail of the money to show how the funds were moved.
On June 24th, the $100 million in cryptocurrency was stolen from Horizon Bridge. Horizon Bridge is a service that enables the transfer of assets between the Harmony blockchain and other blockchains.
The thief promptly converted a large portion of these assets into 85,837 Ethereum tokens (ETH) via the decentralized exchange (DEX) Uniswap. This is a typical laundering step, intended to evade the seizure of the stolen assets.
On June 27, the attacker started moving the Ethereum into Tornado Cash, a mixer frequently used to launder criminal gains. So far, just over 35,000 ETH ($39 million) has been sent to Tornado Cash.
The hacker attempted to break the transaction trail linking the crypto to the initial theft by routing it through Tornado. Breaking that link makes it easier to cash the funds out through an exchange.
However, Elliptic has successfully followed the stolen crypto through Tornado Cash to several new Ethereum wallets using its Tornado demixing capabilities. This implies that, despite using the Tornado Cash mixer, exchanges and other cryptocurrency firms may utilize Elliptic’s transaction screening software to identify any incoming money that came via the Horizon Bridge Hack.
Stolen crypto now in North Korea?
According to Elliptic's investigation, the Lazarus group may have been involved in the attack. Although no single factor is conclusive on its own, several indicators taken together point to the group.
The Lazarus Group has stolen over $2 billion worth of crypto across numerous attacks. It has lately started focusing on DeFi services such as cross-chain bridges. For instance, the $540 million Ronin Bridge attack is thought to have been orchestrated by the group.
Moreover, the Lazarus group tends to focus on Asia-Pacific regions. Although Harmony is based in the US, many core team members have links to the Asia-Pacific region.
Additionally, the consistency of the crypto deposits into Tornado over long periods indicates the use of an automated process. This is similar to the pattern seen during the Ronin hack.
Lastly, the brief pauses in the movement of funds out of Tornado Cash are consistent with Asia-Pacific nighttime hours.
Taken together, these indicators point to the Lazarus group as the culprit behind the attack. Moreover, North Korea's holdings have significantly diminished after the recent crypto crash. It would make sense that the sanctioned state needs more funds for its weapons programs.
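As an added illustration of the two timing indicators above (not code from the article or from Elliptic's tooling), the following Python checks a constructed series of mixer-deposit timestamps for a fixed cadence and for pauses that fall within the night hours of a candidate UTC offset; the timestamps, the UTC+9 offset, the night window and the pause threshold are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

PAUSE_FACTOR = 4.0  # a gap this many times the median gap counts as a pause


def make_sample():
    """Constructed deposit timestamps (UTC), not real chain data: a scripted
    cadence of ~15 minutes with small jitter and one multi-hour pause."""
    t = datetime(2022, 6, 27, 10, 0, tzinfo=timezone.utc)
    stamps = []
    for i in range(40):
        stamps.append(t)
        t += timedelta(seconds=900 + (i * 7) % 30)  # 15 min plus jitter
        if i == 19:
            t += timedelta(hours=5)  # the operator's break
    return stamps


def gaps_seconds(stamps):
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def cadence_cv(stamps):
    """Coefficient of variation of the 'normal' gaps (pauses excluded).
    A very low value means a fixed cadence, i.e. a script rather than a human."""
    gaps = gaps_seconds(stamps)
    median = sorted(gaps)[len(gaps) // 2]
    normal = [g for g in gaps if g < PAUSE_FACTOR * median]
    return pstdev(normal) / mean(normal)


def find_pauses(stamps):
    """(start, end) of each gap long enough to count as a pause."""
    gaps = gaps_seconds(stamps)
    median = sorted(gaps)[len(gaps) // 2]
    return [(stamps[i], stamps[i + 1])
            for i, g in enumerate(gaps) if g >= PAUSE_FACTOR * median]


def pause_local_hours(pause, utc_offset_hours):
    """Start/end hour of a pause expressed in a candidate local time zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return pause[0].astimezone(tz).hour, pause[1].astimezone(tz).hour


def is_night_hour(hour, night=(22, 6)):
    start, end = night  # assumed local night window, wraps past midnight
    return hour >= start or hour < end


def pauses_match_night(stamps, utc_offset_hours):
    """True if every pause starts and ends inside local night hours for the
    candidate offset. This is one weak indicator; it identifies no actor."""
    pauses = find_pauses(stamps)
    return bool(pauses) and all(
        all(is_night_hour(h) for h in pause_local_hours(p, utc_offset_hours))
        for p in pauses)
```

Running the checks against UTC+9 versus UTC+0 shows how the same pause is night-consistent under one offset and not the other, which is why such timing evidence only corroborates other indicators.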