The Federal Bureau of Investigation has officially confirmed that North Korea’s notorious Lazarus Group, also tracked as APT38, was responsible for the devastating $100 million theft from Harmony’s Horizon Bridge in June 2022. The announcement, made in late January 2023, validates earlier attributions by blockchain analytics firms and sheds new light on how state-sponsored cybercriminals continue to exploit weaknesses in cross-chain infrastructure.
The Exploit Mechanics
The Horizon Bridge, which enabled token transfers between the Harmony blockchain and other networks including Ethereum and Binance Chain, suffered a catastrophic breach on June 24, 2022. The attacker exploited what security researchers had previously flagged as an over-centralized architecture. The bridge relied on a multisig wallet with only a small number of validators — a design that made it particularly susceptible to social engineering attacks, the Lazarus Group’s signature method.
According to Elliptic’s analysis, the hacking collective executed a carefully planned attack that netted approximately $99.7 million in various cryptocurrencies. The stolen assets included ETH, BNB, USDT, and other tokens that were locked on the bridge. The attackers compromised the multisig validation mechanism, effectively gaining control of the bridge’s smart contracts and draining the locked liquidity pools.
This attack bore striking similarities to the Ronin Bridge exploit from March 2022, also attributed to Lazarus, which resulted in the theft of over $540 million. In both cases, the centralized nature of the bridge’s validation system proved to be the critical vulnerability. Bitcoin traded at approximately $23,774 at the time of the FBI announcement, while Ethereum hovered around $1,646 — both significantly higher than during the original hack, meaning the stolen assets had appreciated considerably.
Affected Systems
The fallout from the Harmony Horizon Bridge hack extended far beyond the immediate $100 million loss. The breach exposed systemic weaknesses in cross-chain bridge architecture that had become commonplace across the DeFi ecosystem. At least a dozen other bridges operated with similarly centralized multisig setups, creating a broad attack surface for sophisticated threat actors like the Lazarus Group.
Harmony’s ONE token experienced a sharp decline in the aftermath of the hack, losing significant market confidence. The project’s decentralized application ecosystem suffered as total value locked on the platform plummeted. Users who had entrusted their assets to the bridge faced total losses with no clear path to recovery, highlighting the risks inherent in trusting third-party custodial bridge designs.
Beyond the direct victims, the broader cross-chain ecosystem experienced a chilling effect. Bridge protocols across the market saw reduced activity as users became more cautious about entrusting assets to interoperability solutions. The total DeFi TVL, which had begun recovering in January 2023 to approximately $74.6 billion according to DappRadar, remained under pressure from security concerns.
The Mitigation Strategy
Following the initial theft, the Lazarus Group employed sophisticated money laundering techniques to obscure the trail of stolen funds. The hackers programmatically structured transactions through Tornado Cash, a decentralized Ethereum-based mixer that had been sanctioned by the U.S. Treasury in August 2022. Elliptic researchers identified that the laundering methods mirrored those used in the Ronin Bridge hack, with the group sending over $555 million through Tornado Cash from various operations.
In January 2023, as the FBI confirmation was being prepared, on-chain analysts observed the Lazarus Group shifting tactics. With Tornado Cash under sanctions and increased scrutiny, the hackers began routing funds through Railgun, a privacy-focused DeFi protocol that functions similarly to a mixer. Elliptic’s research revealed that approximately 70% of all funds sent through Railgun at that time originated from the Harmony hack, making the mixing attempt largely ineffective due to the disproportionate volume.
The FBI’s announcement included the seizure of approximately $1.5 million through court-authorized actions. Major exchanges Binance and Huobi separately announced they had identified, blocked, and seized a portion of the laundered funds, demonstrating the critical role that compliant exchanges play in disrupting illicit financial flows.
Lessons Learned
The Harmony Horizon Bridge hack and the FBI’s subsequent confirmation underscore several critical lessons for the cryptocurrency industry. First, bridge centralization remains a fundamental security risk. Protocols that rely on small multisig validator sets create single points of failure that sophisticated attackers can exploit through social engineering. The industry must move toward truly decentralized validation mechanisms, potentially leveraging zero-knowledge proofs or other cryptographic techniques to eliminate trusted intermediaries.
Second, the Lazarus Group’s continued success demonstrates that state-sponsored cybercriminals represent a persistent and evolving threat. North Korea has generated billions of dollars through cryptocurrency theft, funding weapons programs and circumventing international sanctions. The group’s shift from Tornado Cash to Railgun illustrates their adaptability and the cat-and-mouse nature of blockchain surveillance.
Third, the incident highlights the importance of blockchain analytics and public-private cooperation. Elliptic’s attribution preceded the FBI’s official confirmation by months, and the exchange-level seizures demonstrate how on-chain intelligence can translate into concrete asset recovery.
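As an added example (not from the article or from any analytics vendor's tooling) of how on-chain analysts estimate what share of a mixer's or exchange's inflows traces back to a theft, the block below walks a proportional ("haircut") taint measure over a constructed transfer list; every address and amount in it is hypothetical.

```python
from collections import defaultdict

# Constructed transfers (hypothetical addresses and amounts, not on-chain data),
# in chronological order: (sender, receiver, amount). attacker_1 receives the
# bridge drain, splits it across hop wallets, and part of it reaches a mixer
# deposit address alongside unrelated users' funds.
TRANSFERS = [
    ("bridge_contract", "attacker_1", 100.0),
    ("attacker_1", "hop_a", 60.0),
    ("attacker_1", "hop_b", 40.0),
    ("exchange_user", "hop_a", 20.0),  # clean funds mingle with tainted ones
    ("hop_a", "mixer_deposit", 80.0),
    ("hop_b", "mixer_deposit", 30.0),
    ("other_user", "mixer_deposit", 40.0),
    ("hop_b", "exchange_deposit", 10.0),
]

def trace_taint(transfers, seeds):
    """Proportional ("haircut") taint: each outgoing transfer carries the tainted
    fraction of the sender's cumulative inflows at that moment; anything received
    by a seed address is fully tainted. Returns {address: (tainted_in, total_in)}."""
    total_in, tainted_in = defaultdict(float), defaultdict(float)
    for sender, receiver, amount in transfers:
        if sender in seeds:
            fraction = 1.0
        elif total_in[sender] > 0:
            fraction = tainted_in[sender] / total_in[sender]
        else:
            fraction = 0.0  # funded from outside the observed graph: treated as clean
        total_in[receiver] += amount
        tainted_in[receiver] += amount if receiver in seeds else amount * fraction
    return {addr: (tainted_in[addr], total_in[addr]) for addr in total_in}

def taint_share(ledger, address):
    """Fraction of an address's inflows that traces back to the seed addresses."""
    tainted, total = ledger.get(address, (0.0, 0.0))
    return tainted / total if total else 0.0

def flag_deposits(ledger, watchlist, threshold=0.5):
    """Intake addresses (exchange or mixer deposits) whose tainted share reaches
    the threshold: the kind of signal a compliant exchange can act on."""
    return sorted(a for a in watchlist if taint_share(ledger, a) >= threshold)

if __name__ == "__main__":
    ledger = trace_taint(TRANSFERS, {"attacker_1"})
    for addr in ("hop_a", "mixer_deposit", "exchange_deposit"):
        print(f"{addr}: {taint_share(ledger, addr):.0%} of inflows tainted")
    print("flagged:", flag_deposits(ledger, ["mixer_deposit", "exchange_deposit"]))
```

With these constructed numbers the mixer intake is 60% tainted, which is the same kind of disproportionate-volume signal the article describes for Railgun: when most of a pool's inflows come from one known source, pooling adds little anonymity.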
User Action Required
For users of cross-chain bridges, several immediate actions can reduce exposure to similar attacks. Always research a bridge’s validation mechanism before entrusting it with significant assets — bridges with small multisig setups or concentrated validator sets carry higher risk. Consider using bridges that employ cryptographic verification rather than trusted validator approaches. Diversify across multiple bridges rather than concentrating assets in a single interoperability solution. Stay informed about security audits and any reported vulnerabilities for bridge protocols you use. Finally, minimize the time assets spend locked on bridges by completing transfers promptly rather than leaving large balances in bridge contracts.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.
the lazarus playbook is so well documented at this point. social engineering -> compromised keys -> railgun mixer. every time
Railgun mixer being mentioned alongside Tornado Cash is telling. How long before privacy tools are completely regulated out of existence?
railgun is actually built differently from tornado cash though. it has on-chain compliance features. lumping them together misses the nuance
$100M stolen and the bridge had what, 2 multisig validators? crypto still hasn't learned the basics of security in depth
2 multisig validators for a $100M bridge is not even negligence, it's negligence cosplay
two validators for a nine figure bridge. harmony security model was basically a gentlemen's agreement. lazarus didn't even need to try hard
Lazarus must have an entire department dedicated to bridge exploits at this point. every few months another $100M and the playbook is identical
disagree, the playbook keeps working because bridge teams keep making the same mistakes. lazarus isn't that sophisticated, the targets are just that weak
lazarus has a dedicated bridge exploitation workflow at this point. same social engineering entry, same multisig targeting, same cross-chain laundering through railgun. the playbook works because the architecture stays the same