The crypto detectives traced funds stolen by the North Korean Lazarus Group through two mixers and various networks to identify 350 addresses where the funds remain today.
Crypto tracking platform MistTrack has followed funds taken in the Harmony bridge hack, publishing a list of 350 addresses associated with the attack. North Korea’s state-sponsored Lazarus Group is thought to be behind the hack. According to a Twitter thread posted on Jan. 23, the funds were transferred through various exchanges in an effort to elude trackers.
Funds in a number of tokens worth about $100 million were stolen from the Harmony bridge on June 23, then quickly swapped for Bitcoin (BTC), according to MistTrack, and returned to the wallet they had originally been transferred to. The bridge facilitates transfer between Harmony and the Ethereum network, Binance Chain and Bitcoin. Harmony offered $1 million for the return of the funds, but the offer was not accepted.
Rather, the hackers, who were later identified as the North Korean Lazarus Group, ran 85,700 Ether (ETH) through the Tornado Cash mixer and deposited them at several addresses, where they remained until Jan. 13, when they were transferred to Railgun, a privacy system on Ethereum that provides anonymization. From there, they were transferred to the addresses identified.
New Updates on the Harmony Bridge Hack
On June 23rd of 2022, the Harmony bridge fell victim to a devastating attack that resulted in a loss of approximately $100 million.
— MistTrack️ (@MistTrack_io) January 23, 2023
Other funds were transferred to the Avalanche (AVAX) blockchain, where they were exchanged for Tether (USDT) or Tron’s USDD token, and eventually deposited into addresses on the Ethereum and Tron networks.
Some progress has been made on recovering the stolen funds. Binance CEO Changpeng Zhao (CZ) announced via Twitter on Jan. 15 that 121 BTC had been recovered from the Huobi exchange after Binance detected their presence there.
Harmony proposed minting new native ONE tokens to reimburse some of the 65,000 wallets that had suffered losses from the hack, but that idea proved unpopular and instead it announced a plan in September to reimburse the losses out of its treasury. In November, Harmony said it was adding seven coins from the compromised bridge that were unaffected by the hack to its new LayerZero bridge, thus making it possible for holders of the coins to move them off the network.
Additional reporting by Tom Blackstone.