This is the latest in a spate of high-profile cyber heists from the Kim Jong-un regime, it added.
The analysis came out a week after California-based crypto firm Harmony publicly confirmed on June 24 that unidentified hackers had stolen cryptocurrency worth around $100 million from Horizon Bridge, a blockchain bridge developed by the company.
A blockchain bridge, also called a cross-chain bridge, connects two blockchains and lets users move assets between them, for example between Binance Chain, Bitcoin and Ethereum. Because a bridge holds the locked collateral backing every asset it has issued on the other chain, it concentrates a large pool of funds behind a single set of signing keys, which is what makes bridges attractive targets.
The stolen assets included Binance Coin (BNB), Ether (ETH), Tether (USDT) and Wrapped Bitcoin (WBTC).
The hackers immediately swapped much of the loot into a total of 85,837 ETH using Uniswap, a decentralised exchange protocol running on the Ethereum blockchain, according to Elliptic.
Decentralised exchanges are widely used by hackers to launder cryptocurrency and avoid confiscation of stolen assets: trades are executed by smart contracts between users, with no centralised intermediary or order book, so there is no operator that can apply KYC checks, reject a trade or freeze the funds. The swaps themselves remain visible on-chain; what the attacker gains is the absence of a party able to intervene.
On June 27, the thieves responsible for the heist began sending the ether to Tornado Cash, a mixer that has been widely used to launder illicit crypto funds.
A cryptocurrency mixer is a service that pools deposits from many addresses into a shared contract and lets each depositor withdraw the same amount to a fresh address, breaking the on-chain link between the funds that went in and the funds that came out.
Elliptic's analysis found that just over 35,000 ETH, worth about $39 million, of the stolen assets had been moved into Tornado Cash, and that the process was still ongoing. Once mixed, the funds are harder for an exchange to trace back to the theft, which makes it easier for the thieves to cash out at a crypto exchange.
Lazarus Group behind cybertheft
Elliptic said North Korea’s state-sponsored Lazarus Group is believed to be responsible for the latest high-profile heist targeting the blockchain bridge in light of the hacking and laundering techniques employed.
The US-sanctioned Lazarus Group is controlled by North Korea's primary intelligence bureau, the Reconnaissance General Bureau. The hacking group has been blamed for major cyberattacks, including the 2017 WannaCry ransomware attacks and the 2014 Sony Pictures hack.
“Our analysis of the hack and the subsequent laundering of the stolen crypto assets also indicates that it is consistent with activities of the Lazarus Group – a cybercrime group with strong links to North Korea,” Elliptic said.
“Although no single factor proves the involvement of Lazarus, in combination they suggest the group’s involvement.”
Specifically, the hackers compromised the private keys of a multisignature wallet, likely through social engineering attacks on team members at Harmony. A multisignature wallet is meant to require several independent key holders to approve a transaction so that no single compromised key can move funds; it only provides that protection if the signing threshold is high enough and the keys are held on separate, well-isolated systems, because once an attacker controls a threshold's worth of keys the wallet approves the transfer like any other. The Lazarus Group has frequently used such techniques.
The group also tends to concentrate on targets based in the Asia-Pacific region, Elliptic reported, adding that language familiarity could be one main reason. A majority of the core team at Harmony have links to the region.
Elliptic also pointed to the regular cadence of the deposits into the Tornado Cash mixer, which suggests an automated process, as further grounds. The pattern is “very similar” to the programmatic laundering of funds observed after the recent heist on the Ronin Bridge and several other attacks associated with the group.
The Lazarus Group's recent shift towards attacking decentralised finance platforms such as blockchain bridges was also cited as a factor in the assessment.
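The "programmatic laundering" signal Elliptic describes, repeated whole-denomination deposits into a mixer pool at a near-constant interval, is something a blockchain analyst can check for directly. The following is an added example, not Elliptic's or Harmony's tooling: it scores each sender of mixer deposits by deposit count, denomination uniformity and timing regularity. The pool addresses and the transfer records are constructed placeholders, not real contracts or real transactions; a real run would substitute the mixer's actual pool contracts and transfers pulled from a node or an indexer.

```python
"""Flag programmatic deposits into a mixer from on-chain transfer records.

Heuristic: a person sending a handful of deposits produces irregular
timing; a script draining a stolen balance produces many deposits of a
fixed pool denomination at a near-constant interval. Per sender, keep
only deposits that match a pool's denomination exactly, then require a
minimum count and a low coefficient of variation of the inter-deposit gap.
"""
from dataclasses import dataclass
from statistics import mean, median, pstdev
from typing import Dict, Iterable, List

# Constructed placeholder pool addresses (hypothetical, NOT the real contracts).
# Fixed-denomination pools only accept deposits of exactly this size.
MIXER_POOLS: Dict[str, float] = {
    "0xpool100": 100.0,  # 100 ETH pool
    "0xpool10": 10.0,    # 10 ETH pool
}


@dataclass(frozen=True)
class Transfer:
    tx: str
    ts: int          # unix seconds, block timestamp
    sender: str
    to: str
    value_eth: float


def mixer_deposit_runs(transfers: Iterable[Transfer],
                       pools: Dict[str, float] = MIXER_POOLS,
                       min_deposits: int = 5,
                       max_cv: float = 0.15) -> List[dict]:
    """Return one finding per sender whose mixer deposits look scripted."""
    by_sender: Dict[str, List[Transfer]] = {}
    for t in transfers:
        denom = pools.get(t.to.lower())
        if denom is None:
            continue                      # not a mixer pool
        if abs(t.value_eth - denom) > 1e-9:
            continue                      # wrong size; the pool would reject it
        by_sender.setdefault(t.sender.lower(), []).append(t)

    findings = []
    for sender, deps in by_sender.items():
        if len(deps) < min_deposits:
            continue
        deps.sort(key=lambda d: d.ts)
        gaps = [b.ts - a.ts for a, b in zip(deps, deps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv > max_cv:
            continue                      # irregular cadence, likely manual
        findings.append({
            "sender": sender,
            "deposits": len(deps),
            "total_eth": sum(d.value_eth for d in deps),
            "median_gap_s": median(gaps),
            "gap_cv": round(cv, 4),
            "first_tx": deps[0].tx,
        })
    return sorted(findings, key=lambda f: -f["total_eth"])


# Constructed sample transfers. "0xattacker" deposits 100 ETH every ~10 min
# with small jitter; "0xbot2" deposits at random gaps; "0xhuman" sends too few.
_T0 = 1_656_000_000
SAMPLE_TRANSFERS = [
    Transfer("0xa1", _T0,        "0xattacker", "0xpool100", 100.0),
    Transfer("0xa2", _T0 + 600,  "0xattacker", "0xpool100", 100.0),
    Transfer("0xa3", _T0 + 1205, "0xattacker", "0xpool100", 100.0),
    Transfer("0xa4", _T0 + 1803, "0xattacker", "0xpool100", 100.0),
    Transfer("0xa5", _T0 + 2405, "0xattacker", "0xpool100", 100.0),
    Transfer("0xa6", _T0 + 3005, "0xattacker", "0xpool100", 100.0),
    Transfer("0xb1", _T0,        "0xbot2", "0xpool10", 10.0),
    Transfer("0xb2", _T0 + 100,  "0xbot2", "0xpool10", 10.0),
    Transfer("0xb3", _T0 + 3100, "0xbot2", "0xpool10", 10.0),
    Transfer("0xb4", _T0 + 3150, "0xbot2", "0xpool10", 10.0),
    Transfer("0xb5", _T0 + 10150, "0xbot2", "0xpool10", 10.0),
    Transfer("0xh1", _T0,        "0xhuman", "0xpool10", 10.0),
    Transfer("0xh2", _T0 + 4000, "0xhuman", "0xpool10", 10.0),
    Transfer("0xn1", _T0 + 50,   "0xnoise", "0xpool10", 7.0),      # wrong size
    Transfer("0xn2", _T0 + 60,   "0xnoise", "0xexchange", 500.0),  # not a pool
]

if __name__ == "__main__":
    for f in mixer_deposit_runs(SAMPLE_TRANSFERS):
        print(f"{f['sender']}: {f['deposits']} deposits, {f['total_eth']} ETH, "
              f"median gap {f['median_gap_s']}s (cv={f['gap_cv']})")
```

The thresholds are deliberately conservative: five deposits and a 15 per cent spread in the gaps will not fire on a person topping up a pool twice a day, but will fire on the kind of timer-driven loop that empties a stolen balance. In practice the output is a lead to prioritise, not proof of laundering, and should be joined against the inflow side (where the sender's balance came from) before any address is labelled.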
The theft of some $625 million worth of cryptocurrency in March from the Ronin bridge, the blockchain bridge serving the game Axie Infinity, was attributed to the shadowy group by the US Treasury Department.
Harmony said on Wednesday it had initiated a global manhunt for the criminals. US law enforcement and the company’s partners at Chainalysis and AnChain.AI are investigating to identify the individuals responsible for the cybercrime and to recover the stolen assets.
But the US crypto firm announced it would cease the investigation if the thieves returned all but $10 million of the cryptoassets, giving a Monday deadline to initiate dialogue.
North Korean state-sponsored cryptocurrency thefts have been cited as a fundamental part of the country’s illicit financing activities to fund its nuclear and missile programmes.
North Korea-affiliated hackers also stole nearly $400 million worth of digital assets last year, the New York-headquartered blockchain data platform Chainalysis said in February in its annual report.
Coincub, an Ireland-based crypto exchange aggregator, said on June 27 that North Korea is estimated to have earned almost $1.6 billion from at least 15 distinct cases of crypto crimes between 2017 and 2022.
The illicit proceeds were equivalent to 10 per cent of North Korea's gross domestic product for 2021, the largest share in the world, the company said in its annual crypto crime ranking.
The Korea Herald
Asia News Network
Asia News Network: The Nation (Thailand), The Korea Herald, The Straits Times (Singapore), China Daily, Jakarta Post, The Star and Sin Chew Daily (Malaysia), The Statesman (India), Philippine Daily Inquirer, Yomiuri Shimbun and The Japan News, Gogo Mongolia, Dawn (Pakistan), The Island (Sri Lanka), Kuensel (Bhutan), Kathmandu Post (Nepal), Daily Star (Bangladesh), Eleven Media (Myanmar), The Phnom Penh Post and Rasmei Kampuchea (Cambodia), The Borneo Bulletin (Brunei), Vietnam News, and Vientiane Times (Laos).