Over $60 million of the ETH stolen in the heist was laundered on January 13, roughly six months after the theft. Tracing that activity allowed the FBI to confidently identify the Lazarus Group and APT38, another North Korean cyber group, as the architects of the crime.
The hackers routed the funds through RAILGUN, a privacy protocol, in an attempt to obscure their transactions. Even so, a portion of the funds was frozen and recovered by exchanges when the hackers attempted to swap it for Bitcoin. The unrecovered funds were subsequently moved to 11 Ethereum addresses.
The FBI and its investigative partners will “continue to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and Weapons of Mass Destruction programs,” according to the announcement.
In the immediate aftermath of June's Harmony hack, blockchain analysts tied the exploit to Lazarus Group using a combination of on-chain sleuthing and comparisons to previous hacks attributed to the group. The American government had previously been vocal about the threat posed by Lazarus Group, but it did not formally accuse the group of responsibility for the Harmony hack until today.
The hack targeted a cross-chain bridge connecting Harmony, a layer-1 blockchain, to Ethereum, Bitcoin, and Binance Chain. The pattern echoes previous attacks linked to Lazarus Group, including the roughly $622 million hack of Ronin Network, an Ethereum sidechain used by the play-to-earn crypto game Axie Infinity, which the group was tied to last April.
Since 2017, North Korean hacker groups including Lazarus Group and APT38 have stolen an estimated $1.2 billion worth of cryptocurrency, according to an Associated Press report.
“The FBI will continue to expose and combat the DPRK’s use of illicit activities—including cybercrime and virtual currency theft—to generate revenue for the regime,” the announcement read.
North Korea-affiliated cyber groups have also reportedly expanded their activities beyond direct hacks. In late December, a security research report found that the Lazarus Group is also posing as venture capitalists, potential employers, and banks to reach its targets.
“Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms,” according to a federal cybersecurity alert issued last April. “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.”
In response to these crypto-focused attacks, the American government has targeted coin-mixing services: tools that let users obfuscate the otherwise public trail of cryptocurrency transactions. In August, the Treasury Department sanctioned the Ethereum coin mixer Tornado Cash along with numerous wallet addresses associated with the service, citing its use by Lazarus Group to launder funds from previous hacks as justification for the action.
The move was widely decried in the crypto community as an illegal overreach that unnecessarily threatened user privacy. An ongoing lawsuit led by the crypto policy nonprofit Coin Center is challenging the sanctions.