North Korean Lazarus hackers linked to $100M Harmony bridge theft

Researchers have linked Lazarus Group, a notorious North Korean state-backed hacking group, to the theft of $100 million in crypto assets from Harmony’s Horizon Bridge.

Last week, U.S. crypto startup Harmony warned of a “malicious attack” on its Horizon bridge, a cross-chain bridge that allows users to transfer their crypto assets from one blockchain to another. The attacker stole $100 million in crypto assets, including Ethereum (ETH), Binance Coin, Tether, USD Coin and Dai.

London-based blockchain analysis provider Elliptic, which has published an analysis of the attack, writes that the hackers converted the stolen assets to 85,837 ETH following the hack and began laundering them through Tornado Cash, a mixer commonly used to launder illegally obtained crypto. So far, the attacker has sent 35,000 ETH — worth $39 million, or about 41% of the total funds stolen — to Tornado Cash.

Chainalysis, another blockchain security firm that’s working with Harmony to investigate the hack, backed up Elliptic’s findings.

Elliptic linked the attack to Lazarus Group, saying the “hack and the subsequent laundering of the stolen crypto assets” is consistent with the activities of the North Korean hackers. It notes that while no single factor proves the involvement of Lazarus in the Horizon Bridge attack, the group has “perpetrated several large cryptocurrency thefts totaling over $2 billion, and has recently turned its attention to DeFi [decentralized finance] services such as cross-chain bridges.”

In April, the U.S. Treasury Department linked the North Korea-backed hacking group to the theft of $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity.

Elliptic notes that the attack was carried out by compromising the cryptographic keys of a multi-signature wallet, a technique commonly used by Lazarus Group, adding that the programmatic laundering of funds it observed following the Horizon Bridge hack was “very similar” to that seen following the Ronin Bridge attack.

“Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons,” Elliptic added, referring to the Asia-Pacific region. “Although Harmony is based in the US, many of the core team have links to the APAC region.”

In a series of tweets on Thursday, Harmony said that it has begun a “global manhunt” for the criminal(s) responsible for the $100 million theft. “All exchanges have been notified. Law enforcement, Chainalysis, and AnChainAI have active investigations to identify the responsible actors and recover the stolen assets,” it said. “We are providing one FINAL opportunity for the actor(s) to return stolen assets with anonymity.”

The company also offered the attacker a final ultimatum, pledging to drop its investigation if the funds were returned minus a $10 million bounty. Harmony is also offering $10 million for information leading to the safe return of the funds.

Hacker exploits Harmony blockchain bridge, loots $100M in crypto

A hacker has exploited a vulnerability to steal $100 million from Harmony’s Horizon Bridge, which allows users to transfer their crypto assets from one blockchain to another.

Harmony, the U.S. crypto startup behind Horizon, said in a blog post on Friday that it was notified of a “malicious attack” on its proprietary Horizon blockchain bridge on Thursday. Blockchain bridges, also known as cross-chain bridges, facilitate communication between different blockchains and allow users to send assets from one chain to the other. Using Harmony’s Horizon bridge, for example, users can move assets — including tokens, stablecoins, and NFTs — between Ethereum, Binance Smart Chain, and Harmony blockchains.

Harmony said the culprit of the attack — which the company singled out in a tweet — stole close to $100 million in cryptocurrency from its blockchain bridge.

According to blockchain analysis company Elliptic, a variety of crypto assets were taken, including Ethereum, Binance Coin, Tether, USD Coin and Dai. Elliptic added that the stolen tokens have now been swapped for Ethereum using decentralized exchanges — a “commonly-seen technique with these hacks,” it said.

Harmony said in its blog post that immediately following the attack, multiple cybersecurity partners, exchange partners, and the FBI were notified and requested to assist with an investigation in identifying the culprit and retrieving stolen assets. “Further, the team has attempted communication with the hacker with an embedded message in a transaction to the culprit’s address,” the blog post read.

Harmony added that it had stopped the Horizon bridge to prevent further transactions. Harmony’s bridge for bitcoin was unaffected.

“This incident is a humbling and unfortunate reminder of how our work is paramount to the future of this space, and how much of our work remains ahead of us,” the blog post said. “Ongoing investigations present a challenge of what information is allowed to be shared with the public, but we will continue to provide updates with the latest information as soon as we are able to share.”

Harmony has not revealed exactly how the funds were stolen, and did not comment when contacted by TechCrunch.

However, one investor who goes by the handle Ape Dev had concerns about the security of Harmony’s Horizon bridge as far back as April. The investor warned on Twitter that the security of the Horizon bridge hinged on a multi-signature — or “multisig” — wallet that required just two signatures to initiate transactions. Multisig wallets require the consent of multiple parties before a transaction goes through, so that no single compromised key is enough to move funds.

“So all in all, if two of the four multi-sig signers are compromised, we’re going to see another 9 figure hack,” Ape Dev, founder of crypto venture fund Chainstride Capital, wrote on April 1. “Considering all that’s been going on lately, it’d be interesting to hear some details from @harmonyprotocol on how these [externally owned accounts] are secured.”
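The 2-of-4 threshold Ape Dev describes is the crux of the risk, so here is an added example (not code from Harmony, Elliptic or the article) that models a k-of-n multisig approval check and quantifies how raising the threshold changes the odds that enough signers are compromised. The signer names, the 0.1 per-signer compromise probability and the independence assumption are all constructed for illustration.

```python
from itertools import combinations
from math import comb

# Constructed signer set: four hypothetical externally owned accounts (EOAs)
# controlling a bridge's multisig, mirroring the 2-of-4 setup the article describes.
SIGNERS = frozenset({"eoa-1", "eoa-2", "eoa-3", "eoa-4"})


def authorize(signers, threshold, approvals):
    """Approve a transfer only when approvals from distinct registered signers
    reach the threshold. Duplicate approvals from one key count once, and
    approvals from keys outside the signer set are ignored."""
    if not 1 <= threshold <= len(signers):
        raise ValueError("threshold must lie between 1 and the signer count")
    distinct_valid = {a for a in approvals if a in signers}
    return len(distinct_valid) >= threshold


def compromise_probability(n, t, p):
    """Probability that at least t of n signers are compromised, assuming each
    signer is compromised independently with probability p (a simplifying
    assumption; real signers often share infrastructure and fail together)."""
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(t, n + 1))


def minimal_compromise_sets(signers, threshold):
    """Every smallest group of signers whose keys alone suffice to move funds."""
    return [frozenset(c) for c in combinations(sorted(signers), threshold)]


def compare_thresholds(p, configs=((2, 4), (3, 4), (3, 5), (5, 8))):
    """Map each (threshold, signer_count) pair to its compromise probability at p."""
    return {(t, n): compromise_probability(n, t, p) for t, n in configs}


if __name__ == "__main__":
    print("2-of-4, one key approving twice:", authorize(SIGNERS, 2, ["eoa-1", "eoa-1"]))
    print("2-of-4, two distinct keys:", authorize(SIGNERS, 2, ["eoa-1", "eoa-3"]))
    print("signer pairs that suffice:", len(minimal_compromise_sets(SIGNERS, 2)))
    for (t, n), prob in compare_thresholds(0.1).items():
        print(f"{t}-of-{n}: {prob:.4%} chance the threshold is reachable by an attacker")
```

With the constructed 0.1 per-signer figure, 2-of-4 gives an attacker a 5.23% chance of holding enough keys, while 3-of-5 drops that below 1%; the six signer pairs returned for 2-of-4 are the concrete sets a defender has to protect.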

The Harmony bridge hack follows a series of notable attacks on other blockchain bridges. The Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity, lost more than $600 million in March in an attack that U.S. officials have since linked to North Korean state-backed hacking group Lazarus. Similarly, decentralized finance platform Wormhole lost almost $325 million to hackers in February after they exploited a security flaw in its smart contract code.

Iran to cut electricity to authorized crypto miners: report

Iran’s relationship with the crypto mining sector is a love-hate one. The government is again restricting crypto mining activity as it tries to ease the strain on the country’s power supply, despite knowing the promise of crypto as a way to evade international sanctions.

Electricity to all 118 government-authorized mining operators in Iran will be cut off from June 22 ahead of seasonal spikes in power demand, Mostafa Rajabi Mashhadi, spokesman for Iran’s power industry, said in an interview with state TV, per a Bloomberg report.

Bitcoin has long been considered and used as a way for countries to circumvent trade embargoes. Iran is under sweeping sanctions by the US that effectively bar it from accessing the international financial system.

In 2019, Iran officially recognized the crypto mining industry and began issuing licenses to miners, which are required to pay higher electricity rates and sell their mined bitcoins to Iran’s central bank.

But the country has also repeatedly halted operations of crypto mining centers. The government ordered two shutdowns to mitigate pressure on its power infrastructure last year, during which electricity demand hit a record high.

Crypto mining was booming in Iran before the bans. Blockchain analytics firm Elliptic estimated in May last year that 4.5% of all Bitcoin mining took place in the country. That ratio was down to 0.12% as of January, according to the Cambridge Centre for Alternative Finance (CCAF).

Miners in other countries have shown defiance towards regulators. China’s share of the crypto hash rate, which measures the computational power used by proof-of-work cryptocurrencies like Bitcoin, plummeted to zero between last July and August after the country carried out the harshest crackdown on crypto mining.

But the industry appeared to have revived quickly. In September, China accounted for 30% of the world’s crypto hash rate and in January, that ratio was at nearly 40%, second only to that of the US, according to CCAF.

The rebound indicated that underground mining might have been well underway in China, where crypto trading is also banned. “Access to off-grid electricity and geographically scattered, small-scale operations are among the major means used by underground miners to hide their operations from authorities and circumvent the ban,” said CCAF in an analysis.

The sudden drop and resurgence of China’s hash rate further suggested that its miners might have been covertly operating right after the ban by rerouting their data via proxy services, CCAF said. As time passed and the regulation set in, they might have become less wary about hiding their locations.

US officials link North Korean Lazarus hackers to $625M Axie Infinity crypto theft

U.S. officials have linked North Korean state-backed hacking group Lazarus to the recent theft of $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity.

The Treasury Department’s Office of Foreign Assets Control (OFAC) on Thursday announced new sanctions against an Ethereum wallet belonging to Lazarus. Blockchain analysis firms Elliptic and Chainalysis have both confirmed that the U.S. Treasury’s wallet address is identical to the one used in the Ronin hack, which saw the attackers exploit the network for 173,600 ether, or about $597 million, and $25.5 million worth of the stablecoin USDC. The heist, which totaled $625 million at the time, is the largest decentralized finance hack to date, according to the DeFiYield REKT database, which tracks DeFi scams, hacks and exploits.

The wallet itself — which held 148,000 ether as of Thursday — was discovered by the FBI as part of its ongoing investigation of the threat posed by North Korea and state-sponsored actors like Lazarus Group. Blockchain analysis firm Elliptic estimated that 14% of the stolen funds had already been laundered, while another $9.7 million worth is in intermediary wallets in preparation for laundering.

The newly announced sanctions prohibit U.S. individuals and entities from making transactions with the identified Ethereum account. This ensures the state-sponsored group — which has previously been linked to a 2014 hack on Sony Pictures and the 2017 WannaCry ransomware attacks — can’t cash out through U.S.-based crypto exchanges any further funds they continue to hold.

“Many commentators believe that crypto assets stolen by Lazarus Group are used to fund the state’s nuclear and ballistic missile programs,” Elliptic said. “With recent reports that North Korea may be again preparing for nuclear testing, today’s sanctions activity highlights the importance of ensuring that Lazarus Group is not able to successfully launder the proceeds of these attacks.”

In an updated post about the incident, the Ronin Network, which is owned by developer group Sky Mavis, said it expects to deliver a full post-mortem of the crypto-heist by the end of the month. 

“We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk,” Ronin says, adding that it will bring its bridge back online “by the end of the month.” The bridge allows users to transfer funds between other blockchains and Axie Infinity and has been blocked off since the attack.

According to a recent report by blockchain analysis firm Chainalysis, North Korean hackers launched at least seven attacks on cryptocurrency platforms last year to steal almost $400 million worth of digital assets. As per the report, the Lazarus Group is suspected of carrying out the attacks.

Solidus Labs rakes in another $15 million as crypto risk-monitoring tools take off

Solidus Labs, a four-year-old, New York-based company that says its surveillance and risk-monitoring software can detect manipulation across cryptocurrency trading platforms, has raised $15 million in additional funding just six months after closing its Series A round with $20 million in funding. Liberty City Ventures led the newest tranche, joined by Exor Seeds and the crypto trading firm GSR.

We talked last week with firm cofounder and CEO Asaf Meier, who created the company with several former colleagues from Goldman Sachs. They had worked with Meier on the firm’s electronic trading desk and quickly came to appreciate that a lack of compliance tools would be a barrier to the adoption of cryptocurrencies by bigger financial institutions.

Unsurprisingly, Meier said that since announcing that round, the company has “been hammered with different inbound prospects.” While earlier this year, Solidus was working mostly with exchanges, broker dealers, OTC desks, liquidity providers and regulators — anyone who is exposed to the risk of buying and selling digital assets — that pool ballooned pretty fast subsequently.

More specifically, he said Solidus has been hearing from more players who have ties to — and concerns about — the world of DeFi, or decentralized finance, made up of all kinds of non-custodial financial products, including (in Meier’s words) “automated market-making liquidity pools, lending networks, indexes, stable coins — there is a lot of demand coming from different directions.”

Why is this a new bucket of interest for Solidus Labs? Because it’s full of risk. Meier cites “rug pulls” and “sandwich attacks,” front running and “flash loan attacks,” and he observes that these are “just the tip of the iceberg.” And while he declines to name Solidus’s customers (which would reveal a lot about who is most concerned about this experimental space), he notes that if “DeFi doesn’t address widespread concerns about market integrity and consumer protection, it will not be able to deliver on its promise of better financial opportunities.”

Solidus isn’t alone in trying to help its customers identify and anticipate fraud. After all, every financial market is a target, and cryptocurrency markets are in many ways more vulnerable because there are still comparatively few regulations governing them.

That chaos has led to the rise of Chainalysis, a seven-year-old company whose blockchain analysis software flags regulatory risks to cryptocurrency exchanges, government agencies and financial institutions, and which was valued by its investors at $4.2 billion earlier this year after closing its most recent round of funding.

Another startup that is now selling blockchain compliance and data analytics to government agencies, financial institutions, researchers and investors called Elementus is also picking up traction. The crypto forensic outfit announced $12 million in Series A funding last month.

Elliptic, an eight-year-old, London-based outfit that similarly promises customers that it can identify illicit activity on the Bitcoin blockchain and that provides its services to financial institutions and law enforcement agencies, has also benefited from the massive uptick in interest in crypto and other digital assets. Last month, it announced $60 million in new funding, including from SoftBank and Wells Fargo, a round that brings its total funding to roughly $100 million, per Crunchbase data.

There is seemingly plenty of room for growth for all, and indeed, Meier says that Solidus intends to operate as an independent company. Still, if that changed, the outfit would not be the first to sell to a deep-pocketed acquirer. Another rival in the space, six-year-old, Menlo Park, Ca.-based CipherTrace, had raised roughly $45 million from investors before deciding in early September to sell to Mastercard for undisclosed terms.

Elliptic banks $23M to shrink crypto risk, eyeing growth in Asia

Crypto means risk. To UK company Elliptic it also means business. The startup has just closed a $23M Series B to step up growth for a crypto risk-management play that involves selling tech and services to help others navigate the choppy waters of cryptocurrencies.

The round was led by financial services and asset management firm SBI Group, a Tokyo-based erstwhile subsidiary of SoftBank. Also joining as a new investor this round is London-based AlbionVC. Existing investors including SignalFire, Octopus Ventures and Santander Innoventures also participated. SBI Group’s Tomoyuki Nii and Ed Lascelles of AlbionVC are also joining Elliptic’s board.

Flush with a sizeable injection of Series B capital, Elliptic is especially targeting business growth at Asia — with a plan to open new offices in Japan and Singapore. It says client revenues in the region have risen 11x over the past two years.

We last spoke to Elliptic back in 2016 when it had just raised a $5M Series A.

The 2013-founded startup began by testing the crypto waters with a storage product before zeroing in on financial compliance as a pain-point worth its time. It went on to develop machine learning tech that screens transactions to identify suspicious patterns and, via them, dubious transactors.

Now it offers an integrated suite of products and services for financial institutions and crypto businesses to screen volumes of crypto-flows that sum to billions of dollars in transactions per day — analyzing them for links to illicit activity such as money laundering, terrorist financing, sanctions evasion, and other financial crimes.

It’s focused on selling anti-money laundering compliance, crypto forensics and cryptocurrency investigation services to the private sector — though has also sold tools direct to law enforcement agencies in the past.

Billions of dollars in financial services terms is of course just a tiny drop in a massive ocean of money movements. And growth in the crypto risk-management space has clearly required more than a little patience, from a startup perspective.

Three years ago Elliptic’s first blockchain analytics product had 10-20 Bitcoin companies as customers. That’s now up to 100+ crypto businesses and financial institutions using its products to shrink their risk of financial crime when dealing with crypto-assets. But the more than three-year gap between Elliptic’s Series A and B is notable.

“To date, we’ve focused on product development and assembling the right team as the market has matured. This new funding will help us expand in the right way, namely by making the push into Asia without diluting our focus on the US and EMEA,” says co-founder and CEO James Smith when asked about the gap between financing rounds.

He declines to comment on how far off Elliptic is from achieving breakeven or profitability yet.

“We provide best-in-class transaction monitoring products for crypto-assets, which are trusted by crypto exchanges and financial institutions worldwide,” he adds of its product suite. “Our products are used as key components of larger compliance processes that are designed to minimise money laundering risks.”

With the addition of SBI Group to its investor roster Elliptic gains a strategic partner in Asia to help push what it dubs “bank-grade risk data” at a new wave of established financial institutions it believes are eyeing crypto with growing appetite for risk as larger players wade in.

Larger players like Facebook. Elliptic’s PR name-drops the likes of Facebook’s Libra cryptocurrency, Line Corporation’s LINK and central bank digital currencies as markers of a rise in mainstream attention on crypto assets. And it says Series B funds will be used to accelerate product development to support “an emerging class of asset-backed crypto-assets”.

Regulatory attention on crypto — which has been rising globally for years but looks set to zip up several gears now that Facebook has ripped the curtain off of an ambitious global digital currency plan which also has buy-in from a number of other household tech and fintech names — is another claimed feed in for Elliptic’s business. More crypto implies growing risk.

It also points to the intergovernmental Financial Action Task Force’s global regulatory framework for crypto-assets as an example of the wider risk-based requirements now wrapped around those dealing in crypto.

The focus on Asia for business expansion is a measure of relative maturity of interest in opportunities around crypto-assets and localized attention to regulation, according to Smith.

“Revenue growth is certainly very strong in this region. We have been working with customers in Asia for a number of years and have seen first-hand how vibrant their crypto-asset ecosystems are. Countries such as Singapore and Japan have developed clear crypto-asset regulatory frameworks, and businesses based in these countries are serious about meeting their compliance obligations,” he says.

“We have also found that traditional financial institutions in Asia are particularly keen to engage with crypto-assets, and we will be working with them as they take their first steps into this new asset class.”

“We believe that crypto-assets will play an increasingly important role in our everyday lives and are shaping the future of banking. Our investment in Elliptic is a further commitment to this belief and to SBI Holding’s appetite to help build the digital asset-related ecosystem,” adds Yoshitaka Kitao, CEO of the SBI Group, in a supporting statement.

“Elliptic’s pioneering approach is enabling the transparency, integrity, and trust necessary for this vision to become reality. We are seeing a growing demand for their services across our portfolio of crypto-assets related companies and view Elliptic as best-placed to meet this considerable opportunity.”

While Elliptic’s business is focused on reducing the risk for other businesses of inadvertently transacting with criminals using crypto to launder money or otherwise shift assets under the legal radar, such illicit activity represents a tiny fraction of overall Bitcoin transactions.

“According to our analysis, approximately $1BN in Bitcoin has been spent on the dark web, so far in 2019, on items ranging from narcotics to stolen credit cards. This represents a very small share of all Bitcoin activity — less than 0.5% of Bitcoin payments over this period,” says Smith.

Not that that diminishes the regulatory risk. Nor, therefore, the business opportunity for Elliptic to sell support services to help others avoid touching the hot stuff.

“Crypto money launderers are continually developing new techniques to cover their tracks — from the use of mixers to transacting in privacy coins such as monero,” Smith adds. “We are also constantly innovating to keep pace with this and help our clients to detect money laundering. For example our work with researchers from MIT and IBM demonstrated the application of deep learning techniques to the identification of illicit crypto-asset transactions.”