The US Federal Bureau of Investigation (FBI) has confirmed that North Korea's Lazarus Group and APT38 were behind the $100m theft from cryptocurrency firm Harmony disclosed in June 2022.
In a statement published on its website on Monday, the Bureau said it observed the North Korean cyber actors using Railgun, an Ethereum privacy protocol that uses zero-knowledge proofs to obscure transaction details, to launder over $60m worth of Ethereum (ETH) stolen during the heist.
“A portion of this stolen Ethereum was subsequently sent to several virtual asset service providers and converted to bitcoin (BTC),” reads the post.
The FBI also said that while a portion of these funds was frozen in coordination with some of those virtual asset service providers, the remaining Bitcoin was subsequently moved to 11 addresses the Bureau has identified.
“FBI Los Angeles and FBI Charlotte [...] continue to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and weapons of mass destruction programs,” the Bureau wrote.
According to Kevin Bocek, VP of security strategy and threat intelligence at Venafi, Lazarus is known for stealing cryptocurrency by exploiting machine identities, so the attribution of the Harmony attack is not surprising.
“When disclosing the breach, Harmony provided evidence that its private keys – a core component of machine identity – were compromised, opening the door to Lazarus and enabling it to decrypt data and siphon off funds. This shows the power of machine identities falling into the wrong hands.”
Further, Bocek explained that Venafi's research shows attacks from North Korean threat groups are typically financially motivated.
“Cybercrime has become an essential cog in the survival of Kim’s dictatorship, enabling North Korea to evade international sanctions and fund its weapons programs,” the security expert added.
“Any company that offers a financial gain to North Korean threat groups could be a target, particularly in the relatively unregulated cryptocurrency industry.”
Lazarus Group involvement in the $100m Harmony hack was first suggested by blockchain analytics company Elliptic days after the breach was disclosed.
More recently, the group has been linked to the exploitation of a vulnerable Dell driver and to a series of macOS malware infections.