Cybercriminals’ push to launder $100 million from a June 23 crypto heist bears hallmarks of North Korean hacking operations, blockchain experts say, potentially marking the latest in a string of digital-currency thefts that U.S. officials fear could bankroll Pyongyang’s missile programs.
North Korean hackers this year already had plundered hundreds of millions in crypto, U.S. officials say, targeting a largely unregulated sector with sometimes haphazard cybersecurity. Last week’s theft from a crypto project known as Harmony would be the eighth such incident this year and bring the collective amount stolen to about $1 billion, according to blockchain analytics firm Chainalysis Inc.
Pyongyang-linked hackers for years have balanced traditional espionage operations with financially motivated cybercrime intended to support the regime, said Luke McNamara, a principal analyst at cybersecurity firm Mandiant Inc. The latter efforts previously targeted banks or financial infrastructure. But hackers have increasingly set their sights on crypto exchanges and, even more recently, decentralized financial projects, Mr. McNamara said. “DeFi” aims to supplant traditional lenders or brokerage firms by allowing peer-to-peer transactions across distributed public ledgers known as blockchains.
“They are incredibly creative. They are adaptive,” Mr. McNamara said. “They will find new ways to target this ecosystem.” Mandiant hasn’t determined who is behind the cyberattack on Harmony.
Harmony didn’t respond to requests for comment.
U.S. officials in recent months have pushed for stricter crypto regulations and enacted an array of sanctions intended to slow or stop stolen funds from aiding North Korea. But cybersecurity and blockchain experts warn that Pyongyang could continue to cash out at least some of its heists through a money-laundering strategy that relies on digital tools with limited oversight.
The concern is “that money could be used to fund nuclear weapons programs and ballistic missiles,” said Jim Gentile, a sanctions investigator with the U.S. Treasury Department, speaking at a New York crypto conference in May. The United Nations has also warned that Pyongyang could use stolen cryptocurrencies to fund such initiatives.
Phone calls Thursday to the North Korean embassy in London went unanswered. The U.S. Justice Department Thursday declined to comment on the Harmony hack.
In April, the Treasury Department, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation warned of a North Korean-backed campaign targeting such crypto firms.
“The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK’s use of illicit activities—including cybercrime and cryptocurrency theft—to generate revenue for the regime,” the FBI said at the time, referring to the Democratic People’s Republic of Korea.
In the Harmony incident, hackers targeted the crypto project’s bridge, a piece of software that allows users to transfer cryptocurrency across different blockchains. Two days after the hack, Harmony publicly offered the attackers $1 million to return the funds—a proposal it has since sweetened.
Nevertheless, the cybercriminals this week began a series of transactions that blockchain analysts say matches North Korean money-laundering techniques. Individuals with access to the Harmony crypto methodically sent increments of 100 Ether—worth roughly $100,000—into Tornado Cash, a mixing service that blends different crypto deposits to help obscure their sources.
“The attack vector & high velocity of structured payments to a mixer is similar to previous attacks” attributed to Pyongyang, Chainalysis said on Twitter Tuesday.
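The indicator Chainalysis describes, a high velocity of equal-sized deposits from one address into a mixer, can be turned into a simple screening rule over a transaction feed. The Python below is an added example, not code from the article or from any of the firms it cites; the addresses, timestamps and mixer label are constructed placeholders, and the thresholds are assumptions a compliance team would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed label for a known mixer contract address (placeholder, not a real address).
MIXER = "0xMIXER_PLACEHOLDER"

# Constructed sample feed: (ISO timestamp, sender, recipient, amount in ETH).
# Sender A mirrors the pattern in the article: repeated 100 ETH deposits minutes apart.
SAMPLE_TXS = [
    ("2022-06-27T10:00:00", "0xSENDER_A", MIXER, 100.0),
    ("2022-06-27T10:03:00", "0xSENDER_A", MIXER, 100.0),
    ("2022-06-27T10:06:00", "0xSENDER_A", MIXER, 100.0),
    ("2022-06-27T10:09:00", "0xSENDER_A", MIXER, 100.0),
    ("2022-06-27T10:12:00", "0xSENDER_A", MIXER, 100.0),
    ("2022-06-27T11:00:00", "0xSENDER_B", MIXER, 10.0),   # ordinary privacy user
    ("2022-06-28T09:00:00", "0xSENDER_B", MIXER, 1.0),
    ("2022-06-27T10:30:00", "0xSENDER_C", "0xEXCHANGE_DEPOSIT", 100.0),  # not a mixer
]


def flag_structured_mixer_deposits(txs, mixer, min_count=4, window=timedelta(hours=1)):
    """Return {sender: burst_size} for senders that made at least `min_count`
    deposits of the same amount into `mixer` inside any sliding `window`."""
    by_sender = defaultdict(list)
    for ts, src, dst, amt in txs:
        if dst == mixer:
            by_sender[src].append((datetime.fromisoformat(ts), amt))

    flagged = {}
    for src, deposits in by_sender.items():
        # Group timestamps per denomination so only equal-sized deposits count together.
        by_amount = defaultdict(list)
        for when, amt in sorted(deposits):
            by_amount[amt].append(when)
        largest_burst = 0
        for times in by_amount.values():
            start = 0
            for end in range(len(times)):
                # Slide the window start forward until the span fits inside `window`.
                while times[end] - times[start] > window:
                    start += 1
                largest_burst = max(largest_burst, end - start + 1)
        if largest_burst >= min_count:
            flagged[src] = largest_burst
    return flagged


if __name__ == "__main__":
    print(flag_structured_mixer_deposits(SAMPLE_TXS, MIXER))
```

A hit only marks the sender for review; legitimate privacy users also deposit in fixed denominations, so the rule is a triage signal, not attribution.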
Elliptic Enterprises Ltd., another blockchain analytics firm, said in a blog post Wednesday that there are “strong indicators” that North Korean-linked hackers are behind the incident. Along with the rapid-fire Tornado Cash deposits and targeting of a decentralized financial project, Elliptic cited Harmony’s disclosure that hackers accessed its bridge by compromising its security keys.
In March, suspected North Korean hackers similarly breached a piece of bridge software used by the popular online game “Axie Infinity.” After pilfering users’ crypto worth roughly $540 million at the time, people with access to the funds funneled much of the score into Tornado Cash. The FBI attributed the theft to North Korea-linked groups.
Tornado Cash calls itself a privacy app that doesn’t technically hold users’ deposits as they are mixed with other funds.
“Tornado Cash has been a very reliable tool for North Korean hackers and launderers, as well as many other criminals,” said Jason Bartlett, who studies North Korean money laundering as a research associate at the Center for a New American Security, a think tank.
Tornado Cash didn’t respond to requests for comment. The tool’s website says its “initial developers have no control over it and are not running any servers.” Like many other decentralized financial projects, Tornado Cash is overseen by a loosely connected online community of individuals who hold tokens that give them an ability to vote on changes in governance.
Mixing services, which can be used for legitimate purposes, make tracking stolen funds more difficult but not impossible, said Ari Redbord, a former Treasury official who is now head of legal and government affairs at TRM Labs Inc., a blockchain-analytics firm.
In its blog post Wednesday, Elliptic said it has unscrambled the Harmony funds sent into Tornado Cash, allowing customers to screen transactions for potential links to the stolen crypto.
Harmony said on Twitter and in a blog post Wednesday that it had begun a “global manhunt” for the attackers by notifying crypto exchanges, calling law enforcement and enlisting blockchain analysts such as Chainalysis. Harmony also raised its previous offer of a reward.
“To associates of the actor: There is no honor amongst thieves,” said Harmony. “We are offering you $10M for information leading to the return of stolen funds.”
The deadline: July 4.
Write to David Uberti at david.uberti@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.