According to an on-chain analysis by ZachXBT, the North Korean hacker group Lazarus suddenly moved as much as 41,000 Ether (ETH) to Railgun before transferring the funds to various exchanges. According to Changpeng Zhao, some of the funds were intercepted in the form of Bitcoin (BTC) thanks to a collaboration between Binance and Huobi. OKX has also frozen an account involved in the matter.
Lazarus moves $63 million in Ether
Almost 6 months after the attack on the Harmony blockchain bridge, hackers have suddenly moved 41,000 Ether (ETH) from the hack, worth no less than $63.5 million.
According to Elliptic, the on-chain analysis company, the attack was the work of Lazarus, the notorious North Korean hacker group also responsible for the colossal $624 million Ronin bridge hack, the largest hack to date in the decentralised finance (DeFi) ecosystem.
The movement of the stolen ETH was first reported by ZachXBT, a well-known investigator in the cryptocurrency ecosystem, who has also compiled over 350 addresses linked to the Harmony bridge hack.
1/2 North Korea’s Lazarus Group had a very busy weekend moving $63.5m (~41000 ETH) from the Harmony bridge hack through Railgun before consolidating funds and depositing on three different exchanges. pic.twitter.com/huDumaJeSh
– ZachXBT (@zachxbt) January 15, 2023
As he notes, the Lazarus group reportedly routed the funds through Railgun (a decentralised application that anonymises transactions via its smart contracts) before sending them to the Binance, Huobi and OKX exchanges. The 350 addresses identified by ZachXBT were all used to move the funds in different ways in order to scatter the evidence.
Funds partly intercepted by exchanges
According to Changpeng Zhao, CEO of Binance, some of the funds involved were intercepted:
We detected Harmony One hacker fund movement. They previously tried to launder through Binance and we froze his accounts. This time he used Huobi. We assisted Huobi team to freeze his accounts. Together, 124 BTC have been recovered. CeFi helping to keep DeFi SAFU!
– CZ Binance (@cz_binance) January 16, 2023
CZ’s tweet suggests that the Lazarus hackers exchanged at least some of the funds for Bitcoin (BTC). In total, 124 BTC were intercepted thanks to a joint effort between the security teams of Binance and those of the Huobi exchange, which represents approximately $2.4 million at the current market price.
In the replies to the tweet, Changpeng Zhao was asked whether exchanges communicate with each other in such situations, to which he replied that “most” exchanges were happy to cooperate, but that “not all exchanges” were willing to do so.
For its part, OKX claims to have frozen the account concerned on its own exchange at the request of the authorities:
“OKX is aware of the incident involving a suspicious transfer from the Lazarus group. The company acted quickly and immediately froze the account after receiving a request from law enforcement to do so. The assets of the account are currently frozen.”
In any case, the rest of the funds from the Harmony bridge hack should probably be moved soon, given the speed at which they can be frozen.