The Federal Bureau of Investigation has confirmed that the North Korea-backed Lazarus Group, also tracked as APT38, was responsible for the roughly $100 million theft from Harmony's Horizon Bridge in June 2022. The announcement, made in January 2023 after a six-month investigation involving the National Cryptocurrency Enforcement Team and the U.S. Attorney's Offices in California and the District of Columbia, is one of the most significant public attributions of a crypto heist to a nation-state actor.
The Exploit Mechanics
The Horizon Bridge, a cross-chain protocol serving the Harmony blockchain, was exploited in June 2022 (the theft was reported on June 24) for approximately $99.7 million in digital assets. The attackers targeted the bridge's multi-signature wallet, which controlled the flow of tokens between Harmony and other blockchains, including Ethereum. According to blockchain analytics firm Elliptic, the bridge had already been flagged as over-centralized, which made it a natural target for social engineering, a well-documented tactic in the Lazarus Group's playbook.
The attackers compromised the private keys of two of the five multisig signers, which was all the two-of-five configuration required to authorize fraudulent withdrawals. The stolen assets included Ether (ETH), Tether (USDT), and USD Coin (USDC). With Bitcoin trading at approximately $22,934 and Ether at $1,628 at the time of the FBI's announcement in January 2023, the stolen funds represented a significant haul for the North Korean regime.
A Familiar Pattern
The Harmony Horizon Bridge attack followed a pattern strikingly similar to the Ronin Bridge exploit in March 2022, where Lazarus Group stole over $540 million from the Axie Infinity-linked bridge. In both cases, the attackers exploited centralized elements of supposedly decentralized infrastructure: a small set of signer keys (five of nine validator keys in Ronin's case) was enough to move the entire balance. The cross-chain bridge sector, which facilitates token transfers between different blockchains, has proven to be one of the most vulnerable categories of decentralized finance (DeFi) protocols.
Following the initial theft, Lazarus Group systematically laundered the stolen funds through Tornado Cash, a decentralized Ethereum-based mixer that was subsequently sanctioned by the U.S. Treasury Department in August 2022. Elliptic researchers estimate that Lazarus Group sent more than $555 million through Tornado Cash, including approximately $96 million from the Harmony hack and over $468 million from the Ronin attack. This North Korea-linked activity accounted for roughly 5.8 percent of the nearly $9 billion in total funds processed through Tornado Cash.
The Shift to Railgun
In January 2023 (the FBI cited transactions on January 13), Lazarus Group shifted part of its laundering to Railgun, a privacy protocol on Ethereum that provides mixer-like unlinkability. Elliptic had already identified Railgun as a likely alternative for illicit actors after the Tornado Cash sanctions. The FBI reported that the group used Railgun to launder more than $60 million worth of ETH, a portion of which was then sent to virtual asset service providers and converted to Bitcoin; the Bureau published 11 addresses tied to those proceeds.
The FBI’s Cyber Division and Virtual Assets Unit led efforts to freeze a portion of the stolen funds, working in collaboration with virtual currency service providers. Law enforcement agencies emphasized that the stolen funds were being used to support North Korea’s ballistic missile and weapons of mass destruction programs, underscoring the national security implications of cryptocurrency theft.
Lessons Learned
Since 2017, North Korean hacking groups have stolen over $1.2 billion in virtual currencies, with South Korea’s National Intelligence Service attributing more than $600 million in thefts to state-sponsored cells in 2022 alone. The Harmony hack demonstrates several critical vulnerabilities in the DeFi ecosystem: over-reliance on centralized bridge mechanisms, insufficient multi-signature security thresholds, and the persistent challenge of tracing funds through privacy protocols.
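The two-of-five compromise described in the exploit section and the threshold lesson above can be made concrete with a small model of an m-of-n multisig withdrawal check. This is an added example, not Harmony's bridge code: it uses HMAC as a stand-in for on-chain ECDSA signatures, constructed signer secrets and withdrawal requests, and a hypothetical tiered threshold that demands more signatures for large withdrawals.

```python
"""Model of an m-of-n multisig withdrawal check for a bridge (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


def tx_digest(tx: dict) -> bytes:
    """Canonical hash of the withdrawal request (constructed JSON format)."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()


def sign(secret: bytes, digest: bytes) -> bytes:
    """HMAC stands in for an ECDSA signature so the example runs on the stdlib only."""
    return hmac.new(secret, digest, hashlib.sha256).digest()


@dataclass
class BridgeMultisig:
    """Signer set with a base threshold and a stricter threshold for large withdrawals."""
    signer_secrets: dict            # signer id -> secret (assumption: symmetric stand-in for a pubkey)
    threshold: int                  # signatures required for ordinary withdrawals
    large_threshold: int = None     # signatures required once amount_usd >= large_amount (hypothetical tier)
    large_amount: int = 0
    seen_nonces: set = field(default_factory=set)

    def required_for(self, tx: dict) -> int:
        if self.large_threshold is not None and tx["amount_usd"] >= self.large_amount:
            return self.large_threshold
        return self.threshold

    def authorize(self, tx: dict, signatures: list) -> tuple:
        """Return (accepted, reason). signatures is a list of (signer_id, sig) pairs."""
        need = self.required_for(tx)
        if not 1 <= need <= len(self.signer_secrets):
            raise ValueError("threshold must be between 1 and the signer count")
        if tx["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        digest = tx_digest(tx)
        valid = set()   # a set, so one compromised key presented twice counts once
        for signer, sig in signatures:
            secret = self.signer_secrets.get(signer)
            if secret is None:
                continue    # unknown signer: ignore rather than count
            if hmac.compare_digest(sign(secret, digest), sig):
                valid.add(signer)
        if len(valid) < need:
            return False, f"{len(valid)} valid signatures, {need} required"
        self.seen_nonces.add(tx["nonce"])
        return True, "authorized"


def demo_secrets() -> dict:
    """Five signer secrets derived from fixed labels (constructed, demo only)."""
    return {f"signer{i}": hashlib.sha256(f"demo-secret-{i}".encode()).digest()
            for i in range(1, 6)}


def attacker_scenario(bridge: BridgeMultisig, compromised: list,
                      amount_usd: int, nonce: int = 1) -> bool:
    """An attacker holding the listed signer keys tries to withdraw amount_usd."""
    tx = {"nonce": nonce, "to": "0xattacker", "amount_usd": amount_usd}  # constructed request
    digest = tx_digest(tx)
    sigs = [(s, sign(bridge.signer_secrets[s], digest)) for s in compromised]
    accepted, _ = bridge.authorize(tx, sigs)
    return accepted


if __name__ == "__main__":
    two_of_five = BridgeMultisig(demo_secrets(), threshold=2)
    tiered = BridgeMultisig(demo_secrets(), threshold=2,
                            large_threshold=4, large_amount=1_000_000)
    print(attacker_scenario(two_of_five, ["signer1", "signer2"], 99_700_000))  # True
    print(attacker_scenario(tiered, ["signer1", "signer2"], 99_700_000))       # False
```

With the same two compromised keys, the 2-of-5 configuration authorizes the $99.7 million withdrawal and the tiered 4-of-5 configuration rejects it. The set-based count also means presenting one compromised key twice does not reach the threshold, and the nonce check rejects a replayed authorization; both are checks a bridge contract should enforce in addition to the raw threshold.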
The investigation also highlights the growing sophistication of public-private partnerships in blockchain forensics, with firms like Elliptic playing a crucial role in the attribution process. Their analysis of laundering patterns — matching the Harmony heist’s transaction structures to those used in the Ronin attack — provided the investigative thread that ultimately led to the FBI’s formal attribution.
User Action Required
For investors and DeFi users, the Harmony hack serves as a stark reminder to evaluate the security architecture of cross-chain bridges before entrusting them with assets. Protocols with centralized control mechanisms, low multi-signature thresholds, or unaudited smart contracts carry elevated risk. Users should consider limiting their exposure to bridge protocols, diversifying across multiple custody solutions, and staying informed about security audits and incident reports. With the total value locked in cross-chain bridges still representing billions of dollars, the sector remains a prime target for sophisticated attackers backed by nation-state resources.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with cryptocurrency platforms.
Lazarus Group is basically a crypto ATM at this point. Harmony, Ronin, Atomic Wallet: the laundering playbook is always the same. Tornado Cash, then Railgun, then swap to BTC.
frogpuppet The laundering pipeline is so well documented at this point that Chainalysis probably has it as a flowchart. The problem is tracing to a nation state with zero extradition.
Six months to confirm what everyone on-chain already knew. The blockchain doesn't lie; investigators just move slow.
To be fair, attribution takes time when they're laundering through Tornado Cash and Railgun.
Elliptic flagged the centralization risk before the hack. Nobody listened. $100M later and suddenly everyone cares about multisig thresholds.
Elliptic flagged it, CertiK audited it, everyone knew the centralization risk. But the team prioritized speed over security and retail paid the price.
Elliptic also flagged Wormhole before that exploit. Analytics firms are basically Cassandra at this point.
Compromising 2 validators was enough to drain the entire bridge. That tells you everything about cross-chain security in 2022.
2 out of 5 multisig validators compromised. That means a 40% threshold was enough to drain $100M. Should have been 4-of-5 minimum for that amount.
bridge_auditor 2-of-5 for a $100M bridge was negligence, plain and simple. The multisig threshold should scale with TVL.
bridge_auditor 4-of-5 multisig would have prevented this entirely. But Harmony wanted fast cross-chain transfers and 2-of-5 was the tradeoff. Speed killed security.
Six months of investigation to confirm what on-chain analysts proved in 48 hours. Blockchain evidence should be admissible faster in attribution cases.
pool_watcher Blockchain evidence being admissible faster would help, but the bottleneck is connecting wallets to humans, not proving transactions.