On the 16th of January 2023, ZachXBT, an on-chain investigator on Twitter, posted that $63.5 million stolen in the Harmony bridge hack, attributed to North Korean hackers, was on the move.
1/2 North Korea’s Lazarus Group had a very busy weekend moving $63.5m (~41000 ETH) from the Harmony bridge hack through Railgun before consolidating funds and depositing on three different exchanges. pic.twitter.com/huDumaJeSh
— ZachXBT (@zachxbt) January 15, 2023
The Lazarus Group, a hacking group backed by the North Korean government, spent the weekend planning and executing a laundering operation that lasted approximately 12 hours. The aim was to move around 41,000 ETH, worth roughly $63.5 million, from the Harmony bridge hack through a mixer and into three centralized exchanges, including Binance and Huobi.
Harmony's Horizon Bridge allows users to move digital assets from one blockchain to another. The assets stolen from it were laundered through Railgun using more than 350 addresses. Railgun is built to provide on-chain privacy in a shorter time, and with less liquidity, than other privacy systems require.
It is deployed on popular blockchains like Ethereum, Binance Smart Chain, and Polygon. It uses zero-knowledge proofs to hide smart contract activity on-chain without relying on a separate layer of validators to provide privacy.
By keeping balances and transfers private on-chain, Railgun gives users access to existing projects, liquidity, and infrastructure without relying on a custodial bridge, replicating the DeFi experience users are already familiar with. The more transactions, lending, and swapping a user initiates inside the private pool, the more tangled the smart contract calls become and the harder it is to associate a deposit with a later withdrawal. That was exactly what the attackers wanted.
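The deposit-to-withdrawal linking the paragraph describes is what chain analysts attempt with amount and timing heuristics. The following added example (not code from the original article, nor from Railgun or any analytics vendor) runs two such heuristics over constructed deposit and withdrawal events: a naive single-amount match, and a subset-sum match that catches withdrawals split across several addresses. The event schema, addresses, amounts, timestamps and the one-hour window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int          # block timestamp, unix seconds (constructed)
    addr: str        # depositing or receiving address (constructed)
    amount: float    # amount in ETH


# Constructed sample data; not real Railgun or Harmony transactions.
DEPOSITS: List[Event] = [
    Event(1_000, "0xdep1", 100.0),
    Event(1_100, "0xdep2", 250.0),
    Event(1_200, "0xdep3", 100.0),
]
WITHDRAWALS: List[Event] = [
    Event(1_500, "0xwd1", 100.0),  # two deposits share this amount: ambiguous
    Event(1_600, "0xwd2", 250.0),  # unique amount: trivially linkable
    Event(1_700, "0xwd3", 60.0),   # split withdrawal, no single-deposit match
    Event(1_750, "0xwd4", 40.0),
]


def candidates(wd: Event, deposits: List[Event], window: int,
               tol: float = 1e-9) -> List[Event]:
    """Deposits that could have funded `wd`: same amount, earlier, within `window` seconds."""
    return [d for d in deposits
            if abs(d.amount - wd.amount) <= tol and 0 < wd.ts - d.ts <= window]


def link_by_amount(withdrawals: List[Event], deposits: List[Event],
                   window: int = 3600) -> Dict[str, Tuple[str, int]]:
    """Naive heuristic: map each withdrawal address to (status, anonymity_set_size).

    status is 'linked:<deposit addr>' when exactly one deposit fits,
    'ambiguous' when several fit, and 'unlinked' when none does.
    """
    out: Dict[str, Tuple[str, int]] = {}
    for wd in withdrawals:
        c = candidates(wd, deposits, window)
        if len(c) == 1:
            out[wd.addr] = (f"linked:{c[0].addr}", 1)
        elif c:
            out[wd.addr] = ("ambiguous", len(c))
        else:
            out[wd.addr] = ("unlinked", 0)
    return out


def link_by_subset_sum(deposit: Event, withdrawals: List[Event],
                       window: int = 3600, max_parts: int = 3,
                       tol: float = 1e-9) -> List[Tuple[str, ...]]:
    """Stronger heuristic: every combination of up to `max_parts` later withdrawals
    whose amounts sum to the deposit amount. Splitting a withdrawal alone does not
    defeat this; the number of combinations returned is the anonymity set."""
    later = [w for w in withdrawals if 0 < w.ts - deposit.ts <= window]
    hits: List[Tuple[str, ...]] = []
    for k in range(1, max_parts + 1):
        for combo in combinations(later, k):
            if abs(sum(w.amount for w in combo) - deposit.amount) <= tol:
                hits.append(tuple(w.addr for w in combo))
    return hits


if __name__ == "__main__":
    for addr, (status, n) in link_by_amount(WITHDRAWALS, DEPOSITS).items():
        print(f"{addr}: {status} (anonymity set {n})")
    print("0xdep1 could have become:", link_by_subset_sum(DEPOSITS[0], WITHDRAWALS))
```

The unique 250 ETH withdrawal is linked immediately, the two 100 ETH deposits give each other cover, and the 60 + 40 split only survives the naive matcher. Many users transacting with many distinct amounts inside the pool is what pushes the anonymity set up for everyone, which is why laundering operations spread funds across hundreds of addresses and interleave them with legitimate traffic. Real analysis also has to account for fees that shift amounts slightly (the `tol` parameter) and for much longer windows.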
On the same day, CZ went on Twitter to share that Binance had previously identified and frozen the accounts of the Harmony One hacker, and that they had worked with Huobi and other centralized exchanges to freeze accounts and recover 124 BTC.
We detected Harmony One hacker fund movement. They previously tried to launder through Binance and we froze his accounts. This time he used Huobi. We assisted Huobi team to freeze his accounts. Together, 124 BTC have been recovered. CeFi helping to keep DeFi #SAFU! 🙏
— CZ 🔶 Binance (@cz_binance) January 16, 2023
But because the funds had passed through Railgun, some users asked whether the frozen funds were actually the stolen funds, or whether unrelated users were being penalized for the Lazarus Group's actions.
Secondly, it is still only a hypothesis that the Lazarus Group is responsible. Blockchain analytics firm Elliptic put forward the attribution because the laundering pattern matches the group's earlier operations. While there is no conclusive evidence of their involvement, the original attack itself is understood: the attackers compromised private keys belonging to the bridge's multi-signature wallet, which requires signatures from more than one key holder to authorize a transaction. The Horizon bridge's wallet needed only two of five signers, so compromising two keys was enough to drain it.
The technique is similar to the Ronin Bridge attack perpetrated by the Lazarus Group against the popular game Axie Infinity. The attackers stole crypto assets including Ethereum, BNB, Tether, USDC, and DAI.
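To make the multi-signature threshold concrete, here is an added example (not Harmony's or Ronin's bridge code) that implements k-of-n authorization and shows why a low threshold is fatal once a couple of signer keys leak. HMAC-SHA256 stands in for the on-chain ECDSA signatures a real bridge verifies; the signer names, secrets, threshold values and the transaction contents are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Assumption: HMAC-SHA256 is used as a stand-in for per-signer ECDSA signatures.
# Only the threshold logic is the point of this example.


def sign(secret: bytes, tx: dict) -> bytes:
    """Deterministic 'signature' over the canonical JSON encoding of tx."""
    msg = json.dumps(tx, sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def verify(secret: bytes, tx: dict, sig: bytes) -> bool:
    return hmac.compare_digest(sign(secret, tx), sig)


def authorize(tx: dict, sigs: List[Tuple[str, bytes]],
              signer_keys: Dict[str, bytes], threshold: int) -> bool:
    """Return True only if at least `threshold` DISTINCT registered signers
    produced a valid signature over tx. Counting the same signer twice is a
    classic multisig bug, so valid signers are collected in a set."""
    valid = set()
    for signer_id, sig in sigs:
        key = signer_keys.get(signer_id)
        if key is None:
            continue                     # unknown signer, ignore
        if verify(key, tx, sig):
            valid.add(signer_id)
    return len(valid) >= threshold


# Constructed 5-signer bridge wallet; secrets are placeholders.
SIGNERS: Dict[str, bytes] = {f"signer{i}": f"secret-{i}".encode() for i in range(1, 6)}

# Constructed scenario: the attacker obtained signer1's and signer2's keys.
COMPROMISED = ["signer1", "signer2"]
DRAIN_TX = {"to": "0xattacker", "amount_eth": 41000, "nonce": 7}


def attacker_succeeds(threshold: int) -> bool:
    """Can a holder of only the compromised keys get DRAIN_TX authorized?"""
    sigs = [(s, sign(SIGNERS[s], DRAIN_TX)) for s in COMPROMISED]
    return authorize(DRAIN_TX, sigs, SIGNERS, threshold)


def replayed_single_signer(threshold: int) -> bool:
    """Same signer submitted twice must not count as two approvals."""
    sig = sign(SIGNERS["signer1"], DRAIN_TX)
    return authorize(DRAIN_TX, [("signer1", sig), ("signer1", sig)], SIGNERS, threshold)


def tampered_tx_rejected(threshold: int) -> bool:
    """Signatures made over one tx must not authorize a modified tx."""
    sigs = [(s, sign(SIGNERS[s], DRAIN_TX)) for s in COMPROMISED]
    altered = dict(DRAIN_TX, amount_eth=99999)
    return authorize(altered, sigs, SIGNERS, threshold)


if __name__ == "__main__":
    for t in (2, 3, 4):
        print(f"threshold {t}-of-5: attacker with 2 keys succeeds = {attacker_succeeds(t)}")
    print("duplicate signer counted twice:", replayed_single_signer(2))
    print("tampered tx accepted:", tampered_tx_rejected(2))
```

With a 2-of-5 policy the two leaked keys are all the attacker needs; raising the threshold to 3 or 4 of 5 forces compromise of more independent key holders, which is why post-incident bridges moved to higher thresholds and separated key custody. The set-based counting and the canonical encoding of the transaction are the two checks that most often go wrong in hand-rolled multisig code.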