The FBI has confirmed that the Lazarus Group – a group of hackers backed by North Korea – was behind the hack of Harmony’s Horizon Bridge in June 2022. The announcement confirms Elliptic’s earlier attribution of the $100 million hack to North Korea, which we first made after noting numerous similarities to Lazarus’s past blockchain laundering patterns.
This is a preview of our upcoming briefing note on tracking stolen funds from the Harmony Horizon Hack to North Korea, including the commingling of funds via Tornado Cash and Railgun.
Horizon – the cross-chain bridge serving the Harmony blockchain – was exploited on June 24, 2022 for $99.7 million. Concerns had previously been raised that the bridge was too centralized, making it particularly vulnerable to social engineering attacks – a common attack vector for the Lazarus Group. Similar issues led to a criminal organization stealing over $540 million from another cross-chain bridge, Ronin, earlier, in March 2022.
After stealing the funds from Horizon, the Lazarus Group programmatically structured the transactions through Tornado Cash, a decentralized Ethereum-based mixer. Elliptic researchers found that the laundering methods mirror those the Lazarus Group used to hide the proceeds of the Ronin Bridge hack, which were also sent through Tornado Cash.
American sanctions
Tornado Cash was subsequently sanctioned by the US Treasury in August 2022, with Secretary of State Antony Blinken citing its prolific use by the Lazarus Group to launder funds from its past hacks.
Elliptic’s research suggests that Lazarus Group sent more than $555 million through Tornado Cash from these hacks, including more than $468 million from the Ronin hack and $96 million from the Harmony hack. This North Korea-related activity accounts for approximately 5.8% of the nearly $9 billion in total funds sent through the Tornado Cash mixer to date.
Elliptic traced the stolen funds from the Horizon hack through Tornado Cash. Our upcoming briefing note will break down the methodology we used and how it ultimately helped attribute the exploit to the Lazarus Group. Post-Tornado withdrawals were initially placed at several addresses, where they remained inactive until January 2023.
In January 2023, Lazarus began structuring funds into several deposits into a privacy-based DeFi protocol called Railgun, which functions similarly to a mixer. Elliptic previously identified Railgun as a major alternative to Tornado Cash following the sanctions against the latter. You can read more about Railgun – and other Ethereum-based privacy-enhancing solutions – in our note on Tornado Cash alternatives.
Railgun
Elliptic’s research suggests that a significant portion of the funds – estimated at around 70% – sent through Railgun to date are Harmony hack funds. This suggests that North Korea, following the OFAC sanctions on Tornado Cash, may be turning to less widely used obfuscation services as an alternative. However, the fact that Harmony hack assets account for such a large share of the ether passing through Railgun makes the mixing ineffective.
As an analogy, imagine dropping five pennies into a jar already holding 100 pennies: it would be extremely difficult for someone to tell which pennies were yours.
However, if you throw 70 pennies into a jar with only 30 other pennies in it, those 70 pennies have a much better chance of being associated with you. Mixers work in a similar way: when the anonymity set – the volume of other funds in the mixer – is small, the mixer is less effective at concealing disproportionately large transfers of funds.
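The penny-jar analogy above can be made quantitative. The following is an added illustration, not part of the original note or any Elliptic tooling: it models a fixed-denomination mixer pool (each unit deposited is indistinguishable from every other on withdrawal), computes each participant's share of the pool, which is the probability that any single withdrawal can be linked to them, and reports an entropy-based effective anonymity-set size. The participant names and deposit counts are constructed; the entropy metric (2 to the power of the Shannon entropy of the shares) is a standard way of measuring anonymity sets and is an assumption of this example rather than something the article describes.

```python
from fractions import Fraction
from math import log2


def linkage_probabilities(deposits):
    """Given equal-denomination deposit counts per participant, return the
    probability that a randomly chosen withdrawal belongs to each participant.
    With indistinguishable units this is simply each participant's share."""
    total = sum(deposits.values())
    if total == 0:
        raise ValueError("empty pool")
    return {who: Fraction(n, total) for who, n in deposits.items()}


def effective_anonymity_set(deposits):
    """Entropy-based effective anonymity-set size, 2**H(shares).
    Equals the number of participants when all shares are equal and shrinks
    toward 1 as a single participant comes to dominate the pool."""
    probs = linkage_probabilities(deposits)
    h = -sum(float(p) * log2(float(p)) for p in probs.values() if p > 0)
    return 2 ** h


def penny_jar(mine, others):
    """The article's analogy: `mine` pennies dropped into a jar holding one penny
    from each of `others` distinct people (constructed participants).
    Returns (probability a withdrawal is linked to me, effective anonymity set)."""
    deposits = {"me": mine, **{f"other_{i}": 1 for i in range(others)}}
    return linkage_probabilities(deposits)["me"], effective_anonymity_set(deposits)


if __name__ == "__main__":
    for mine, others in ((5, 100), (70, 30)):
        p, k = penny_jar(mine, others)
        print(f"{mine} pennies among {others} others: "
              f"linkage probability {float(p):.3f}, effective anonymity set {k:.1f}")
```

Five pennies among a hundred gives a linkage probability of under 5% and an effective anonymity set close to the full hundred participants; seventy pennies against thirty gives a 70% linkage probability and an effective anonymity set of only a handful, which is the point the article makes about Harmony funds dominating Railgun's volume.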
On-chain data shows that after sending the funds via Railgun, Lazarus Group has since deposited the funds on three cryptoasset exchanges. Two of them, namely Binance and Huobi, announced that they had identified, blocked and seized some of the funds.
This case demonstrates the importance of cryptoasset exchanges using blockchain analytics solutions to identify transactions involving mixing services abused by sanctioned actors such as North Korea.
Elliptic’s holistic wallet and transaction screening solutions enable our customers to identify and block transactions involving these mixing services, including where there may be sanctions implications – such as links to hacks by North Korea.
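The screening described above comes down to asking whether an incoming exchange deposit can be traced back, within some number of hops, to addresses that an analytics provider has tagged as mixer withdrawals. The example below is added here and is not Elliptic's code or a description of its methodology: it runs a forward breadth-first search from tagged mixer outputs over a constructed ledger and reports, for each exchange deposit address, the shortest hop distance at which mixer exposure was found. All addresses, transaction ids and values are constructed placeholders; the hop limit is a tunable assumption of the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str        # transaction id (constructed placeholder)
    src: str       # sending address
    dst: str       # receiving address
    value_eth: float


# Constructed labels, standing in for an analytics provider's address tags.
MIXER_WITHDRAWALS = {"0xmix_out_a", "0xmix_out_b"}
EXCHANGE_DEPOSITS = {"0xexch_1_dep", "0xexch_2_dep", "0xexch_3_dep"}

# Constructed sample ledger: two mixer outputs fan out through intermediate
# hops before landing at exchange deposit addresses; one deposit is unrelated.
LEDGER = [
    Transfer("t1", "0xmix_out_a", "0xhop_1", 100.0),
    Transfer("t2", "0xhop_1", "0xhop_2", 60.0),
    Transfer("t3", "0xhop_2", "0xexch_1_dep", 59.9),
    Transfer("t4", "0xmix_out_b", "0xexch_2_dep", 40.0),
    Transfer("t5", "0xclean_user", "0xexch_3_dep", 5.0),
    Transfer("t6", "0xhop_1", "0xhop_3", 40.0),
    Transfer("t7", "0xhop_3", "0xhop_4", 40.0),
    Transfer("t8", "0xhop_4", "0xexch_3_dep", 40.0),
]


def build_graph(ledger):
    """Adjacency list: sending address -> outgoing transfers."""
    graph = {}
    for t in ledger:
        graph.setdefault(t.src, []).append(t)
    return graph


def trace_exposure(ledger, seeds, targets, max_hops=5):
    """Forward BFS from tagged mixer outputs. Returns {target: (hops, path)}
    for every target address reached within max_hops; BFS order guarantees the
    first visit to an address is at its minimal hop count."""
    graph = build_graph(ledger)
    reached = {}
    seen = set(seeds)
    queue = deque((s, 0, [s]) for s in seeds)
    while queue:
        addr, hops, path = queue.popleft()
        if addr in targets and addr not in reached:
            reached[addr] = (hops, path)
        if hops >= max_hops:
            continue
        for t in graph.get(addr, []):
            if t.dst in seen:
                continue
            seen.add(t.dst)
            queue.append((t.dst, hops + 1, path + [t.dst]))
    return reached


def screen_deposit(address, exposure):
    """Turn a trace result into a screening decision for one deposit address."""
    if address in exposure:
        hops, path = exposure[address]
        return f"BLOCK: mixer exposure {hops} hop(s) upstream via {' -> '.join(path)}"
    return "ALLOW: no mixer exposure within hop limit"


if __name__ == "__main__":
    result = trace_exposure(LEDGER, MIXER_WITHDRAWALS, EXCHANGE_DEPOSITS, max_hops=5)
    for dep in sorted(EXCHANGE_DEPOSITS):
        print(dep, screen_deposit(dep, result))
```

Lowering the hop limit trades coverage for precision: with a limit of 3 the deposit reached only after four intermediate transfers is no longer flagged. Production screening would also weight exposure by the share of value that traces back to the tagged source rather than treating any path as equally suspicious.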
Contact us to learn more about how we can help your compliance team identify these risks with our blockchain analytics solutions.