The FBI is pinning the blame for a $100 million cryptocurrency heist last June on the Lazarus Group, a team associated with the North Korean government that is notorious for stealing cryptocurrency to help support that country’s military and weapons programs.
On Tuesday, the FBI released a statement identifying Lazarus Group, also known as APT38, as the culprit for the June 24 attack on the Harmony Horizon bridge that resulted in the loss of $100 million in Ethereum. The Harmony Horizon bridge is a connection between various cryptocurrency systems, specifically Harmony and Ethereum, Bitcoin, and Binance Chain. In June, attackers were able to gain access to the bridge and make off with the Ethereum.
“The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds,” Harmony said at the time of the incident.
The FBI, along with the Department of Justice’s National Cryptocurrency Enforcement Team and various United States attorney’s offices, has been investigating the Harmony heist. On Tuesday it said that the Lazarus Group was responsible for the attack and had used its malware toolset known as TraderTraitor as part of the operation.
“On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of ethereum (ETH) stolen during the June 2022 heist. A portion of this stolen ethereum was subsequently sent to several virtual asset service providers and converted to bitcoin (BTC),” the FBI said in a statement.
The Lazarus Group has been operating for many years, is closely associated with the government of North Korea, and typically operates in support of the government’s interests. The group’s best-known operation was an attack on the Bank of Bangladesh in 2016 that netted it $81 million, and Lazarus has continued to target banks and crypto exchanges in the ensuing years.
TraderTraitor is actually a group of tools that Lazarus Group uses in many of its intrusions at cryptocurrency firms, exchanges, and other targets. Those operations often start with the attackers sending phishing emails to employees at a target firm, trying to entice them into downloading a file that includes the malware.
“The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as ‘TraderTraitor’,” CISA said in an advisory in April.
“The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications.”
The Lazarus Group has used TraderTraitor in a number of intrusions and has found quite a bit of success with it. It has also used other tools, including an older macOS backdoor called AppleJeus.
“The Lazarus Group used AppleJeus trojanized cryptocurrency applications targeting individuals and companies—including cryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading applications that were modified to include malware that facilitates theft of cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime,” the CISA advisory says.
The FBI said it worked with some of the exchanges to which the Lazarus Group moved the Bitcoin from the Harmony intrusion to freeze those assets.