Monday, February 10, 2025


Summary

  • The Horizon Bridge hacker sent over 98% of the $100 million in stolen cryptoassets to the Tornado Cash mixer.
  • Mixers like Tornado Cash are used to hide the transaction trail. However, Elliptic used its Tornado demixing ability to trace all stolen funds through Tornado and on to other wallets. Users of Elliptic’s solutions can now check wallets and transactions for links to stolen funds – even those that passed through Tornado.
  • There are strong indications that North Korea’s Lazarus group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds. Lazarus is believed to have stolen over $2 billion in crypto assets from exchanges and DeFi services.

Updated: July 13, 2022

On the morning of June 24, over $100 million in cryptoassets was stolen from Horizon Bridge – a service that allows funds to be transferred between the Harmony blockchain and other blockchains.

The stolen crypto assets included Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB. The thief immediately used Uniswap – a decentralized exchange (DEX) – to convert Ethereum-based assets into a total of 85,837 ETH. This is a common laundering technique used to avoid confiscation of stolen property.

Tracing through Tornado Cash

On June 27, the thief began transferring ETH to Tornado Cash – a mixer often used to launder the proceeds of crime. He sent all ETH to Tornado continuously for the next six days.

By sending these funds through Tornado, the thief is attempting to break the transaction trail back to the original theft. This makes it easier to cash out the funds at an exchange.

However, Elliptic successfully used its Tornado demixing techniques to trace the stolen funds through Tornado Cash to a number of new Ethereum wallets. As of July 13, none of the stolen funds sent via Tornado have been moved further.

This means that exchanges and other crypto businesses can use Elliptic’s transaction screening software to detect any incoming funds originating from the Horizon Bridge Hack, despite the use of the Tornado Cash mixer.

Screenshot from Investigator, Elliptic’s multi-asset crypto investigation software – showing stolen funds being sent via Tornado Cash to several new wallets.

Link to North Korea

Our analysis of the hack and the subsequent laundering of the stolen cryptoassets also indicates that it is consistent with the activities of the Lazarus Group – a cybercrime group with strong ties to North Korea. While no single factor proves the involvement of Lazarus, in combination they suggest the group’s involvement:

  • The Lazarus group has committed several major cryptocurrency thefts totaling over $2 billion, and has recently turned its attention to DeFi services such as cross-chain bridges. For example, the group is believed to be behind the $540 million Ronin Bridge hack.
  • The theft was carried out by compromising the cryptographic keys of a multi-signature wallet – possibly via a social engineering attack on members of the Harmony team. Such techniques have often been used by the Lazarus group.
  • Lazarus Group tends to focus on APAC-based targets, perhaps for linguistic reasons. Although Harmony is headquartered in the US, many of the core team have ties to the APAC region.
  • The regularity of Tornado deposits over a long period of time suggests that an automated process is being used. We have observed very similar programmatic laundering of the funds stolen from Ronin Bridge, which has been attributed to Lazarus, as well as in a number of other attacks linked to the group.
  • The relatively short periods during which stolen funds stop moving from Tornado Cash are consistent with APAC’s nighttime hours.
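
The two timing indicators in the list above (regular deposit intervals and recurring pauses) can be measured from deposit timestamps alone. The sketch below is an added example, not Elliptic's method or code: the timestamps are constructed, and the function names, the `gap_factor` cut-off and the 01:00-06:00 "night" window are assumptions.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean, median, pstdev


def build_sample():
    """Constructed data: a deposit every ~20 min, paused 16:00-22:00 UTC daily."""
    start = datetime(2022, 1, 1, tzinfo=timezone.utc)
    deposits = []
    for i in range(3 * 72):  # three days of 20-minute slots
        slot = start + timedelta(minutes=20 * i)
        if not 16 <= slot.hour < 22:
            deposits.append(slot + timedelta(seconds=(i * 37) % 90))  # small jitter
    return deposits


def timing_profile(times, gap_factor=5.0):
    """Return (typical interval in s, variation of active intervals, pauses)."""
    times = sorted(times)
    pairs = list(zip(times, times[1:]))
    deltas = [(b - a).total_seconds() for a, b in pairs]
    typical = median(deltas)
    limit = gap_factor * typical  # assumed cut-off between "interval" and "pause"
    pauses = [(a, b) for (a, b), d in zip(pairs, deltas) if d > limit]
    active = [d for d in deltas if d <= limit]
    cv = pstdev(active) / mean(active)  # near 0 means clock-like spacing
    return typical, cv, pauses


def night_offsets(pauses, night=(1, 6)):
    """UTC offsets (hours) at which every pause midpoint is in local night."""
    hits = []
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        mids = [(a + (b - a) / 2).astimezone(tz).hour for a, b in pauses]
        if mids and all(night[0] <= h < night[1] for h in mids):
            hits.append(off)
    return hits


if __name__ == "__main__":
    typical, cv, pauses = timing_profile(build_sample())
    print(f"typical interval {typical:.0f}s, variation {cv:.3f}, {len(pauses)} pauses")
    print("offsets where pauses fall at night:", night_offsets(pauses))
```

A low variation value together with pauses that align with one band of UTC offsets is supporting evidence only; as noted above, no single factor is conclusive.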

Elliptic will continue to track the stolen assets as the laundering progresses and will update its tools to reflect the movement of these assets.
