The $100 Million Horizon Hack: Following the Trail Through Tornado Cash to North Korea

By Elliptic Team

July 1, 2022

Summary

The Horizon Bridge hacker has so far sent 41% of the $100 million in stolen cryptoassets into the Tornado Cash mixer.
Mixers such as Tornado Cash are used to hide the transaction trail. However, Elliptic has used its Tornado demixing capability to trace all of the stolen funds through Tornado and onwards to other wallets. Users of Elliptic’s solutions can now screen wallets and transactions for links to the stolen funds – even those that have passed through Tornado.
There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds. Lazarus is believed to have stolen over $2 billion in cryptoassets from exchanges and DeFi services.

On the morning of June 24th, over $100 million in cryptoassets was stolen from Horizon Bridge – a service that allows assets to be transferred between the Harmony blockchain and other blockchains.

The stolen cryptoassets included Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB. The thief immediately used Uniswap – a decentralized exchange (DEX) – to convert much of these assets into a total of 85,837 ETH. This is a common laundering technique used to avoid seizure of stolen assets.

Tracing Through Tornado Cash

On June 27th, the thief began to move the ETH into Tornado Cash – a mixer that is often used to launder proceeds of crime. So far, just over 35,000 Ether ($39 million) of the stolen funds has been sent to Tornado Cash, and the process is ongoing.

By sending these funds through Tornado, the thief is attempting to break the transaction trail back to the original theft. This makes it easier to cash out the funds at an exchange.

However, Elliptic has successfully used its Tornado demixing techniques to trace the stolen funds through Tornado Cash to a number of new Ethereum wallets. This means that exchanges and other crypto businesses can use Elliptic’s transaction screening software to detect any incoming funds that originate from the Horizon Bridge Hack, despite the use of the Tornado Cash mixer.

The Link to North Korea

Our analysis of the hack and the subsequent laundering of the stolen cryptoassets also indicates that it is consistent with activities of the Lazarus Group – a cybercrime group with strong links to North Korea. Although no single factor proves the involvement of Lazarus, in combination they suggest the group’s involvement:

The Lazarus Group has perpetrated several large cryptocurrency thefts totaling over $2 billion, and has recently turned its attention to DeFi services such as cross-chain bridges. For example, the group is believed to be behind the $540 million hack of Ronin Bridge.
The theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet – likely through a social engineering attack on Harmony team members. Such techniques have frequently been used by the Lazarus Group.
Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons. Although Harmony is based in the US, many of the core team have links to the APAC region.
The regularity of the deposits into Tornado over extended periods of time suggests that an automated process is being used. We have observed very similar programmatic laundering of funds stolen from the Ronin Bridge, which has been attributed to Lazarus, as well as a number of other attacks linked to the group.
The relatively short periods during which the stolen funds stop being moved out of Tornado cash are consistent with APAC nighttime hours.

Elliptic will continue to monitor the stolen funds as the laundering progresses, and will update its tools to reflect the movement of these assets.