Harmony’s Horizon Bridge Exploit: A Crypto Money Laundering Case Study

On June 23, 2022, Harmony’s Horizon bridge encountered a security breach which has sent shockwaves through the cryptocurrency community. In this article, we look closer at the Horizon bridge, the amount of funds stolen, the exploit details, the fate of the stolen funds so far and the methods used to move and launder the funds across chains until this point.

What is Harmony’s Horizon Bridge?

The Horizon bridge is a cross-chain feature developed by Harmony to facilitate the transfer of assets between Harmony’s network and other blockchains such as Ethereum, Binance Chain and Bitcoin. The bridge aims to provide users with the benefits of both the layer-1 network’s security and the layer-2 network’s efficiency.

By dividing its blockchain into four parallel networks called shards, Harmony reduces latency and improves overall efficiency. The Horizon bridge is an essential component of this innovative solution, enabling users to move assets across chains without compromising security or decentralization.

The Exploit

On the day of the exploit, the attackers compromised two of the five multi-signature (multisig) addresses securing the bridge. The multisig wallet required just two signatures to initiate transactions, which potentially made it more vulnerable to attacks. The exact attack vector remains unknown, although some speculate that the private keys of the compromised addresses were stored as plaintext in hot wallets. 

According to Harmony’s incident response team, the private keys had been stored and encrypted by Harmony, using both a passphrase and a key management service for double encryption. Additionally, no single machine had access to multiple unencrypted keys. However, the attacker managed to access and decrypt several of these keys, allowing them to gain access to the servers running these hot wallets to control the necessary addresses to pass any desired transactions.

How Much Was Stolen?

The hackers stole a total of about US$103.7 million worth of Ethereum and multiple tokens in 12 transactions. The scale of this theft highlights the potential risks associated with securing digital assets on blockchain platforms and serves as a reminder of the importance of robust security measures.

The below table summarizes the types of tokens that were stolen along with their value in USD on the day of the theft.The stolen funds on the BNB chain are currently unspent on 0x0d043128146654C7683Fbf30ac98D7B2285DeD00. The table below is a summary of the tokens stolen.

Transaction Analysis of the Stolen Funds

After successfully compromising private keys and stealing funds on the Ethereum side of the Horizon bridge, the attackers proceeded to execute a well-orchestrated exploit scenario. Here is a breakdown of the steps they took

QLUETM graph: visualizing the movement of stolen assets from harmony’s horizon bridge to the exploiter’s main address on Ethereum and their swap for ETH, split and deposit into new addresses before landing into Tornado Cash

The attackers first consolidated the stolen funds into a primary consolidation address (0x0d0431..ded00). They then split the ERC-20 tokens and sent them to 2 new addresses, which converted these amounts to Ethereum. The attackers then sent 72,770.4 Ethereum back to the Exploiter’s main address from these 2 new addresses.

Next, the attackers sent the Ethereum to 5 new addresses in 5 transactions between June 27 and July 1, 2022. The summary of these transactions is as follows.

The table with ID 4 not exists.

Between June 27 and July 1, 2022, the attackers split 85,851 ETH into 14 addresses through 14 separate transactions. Here is a summary of these transactions.

The table with ID 5 not exists.

Following the splitting of 85,851 ETH into 14 addresses, the attackers proceeded to send 85,700 ETH from these addresses to Tornado Cash in a series of 857 transactions spanning from June 27th to July 2nd, 2022. Below is a summary of these deposit transactions.

View all the transactions that the attackers sent to Tornado Cash here.

What is Tornado Cash?

Tornado Cash is a non-custodial, decentralized privacy solution built on the Ethereum blockchain using zero-knowledge proofs. The protocol enables users to break the links between deposit and withdrawal addresses, thereby enhancing transaction privacy in the Ethereum ecosystem. It operates as a mixer, allowing users to deposit funds and later withdraw them to different addresses, making it more difficult to track transactions.

How does Tornado Cash work?

Tornado Cash utilizes zkSNARKs proofs, a cryptographic technique that allows one party to prove they have knowledge of specific information without revealing the information itself. When a user deposits crypto into the Tornado Cash protocol, a secret hash is created. This hash is then used as a commitment to identify the owner of the funds and confirm their ownership during the withdrawal process. The user inputs the secret hash when withdrawing funds, proving their ownership while maintaining on-chain anonymity.

Anonymity mining is another unique feature of Tornado Cash. Users who provide liquidity to the protocol are rewarded with Anonymity Points, which can be deposited into shielded accounts and converted into TORN tokens – the native currency of Tornado Cash. This process helps maintain privacy even during the rewarding process.

What Happened to the Money after It Was Sent to Tornado Cash?

The use of Tornado Cash allowed the attackers to further obfuscate the trail of stolen funds. By using this service, the hackers aimed to make it more difficult to trace the stolen assets and potentially identify the perpetrators.

The amount sent to Tornado Cash was withdrawn to 143 addresses in a total of 857 transactions totaling 84,663.39 ETH. All 143 addresses received multiple transactions with the lowest being 2 and the highest being 10. Notably, all these addresses were newly created addresses with their first incoming transactions being from Tornado Cash. The withdrawals started on June 27 and continued until July 3, 2022. Here is a summary of the withdrawals.

Chart: Harmony’s stolen funds’ deposits into and withdrawals from Tornado Cash

View all the withdrawal transactions from Tornado Cash here.

The Laundering of Stolen Funds and Association with the Lazarus Group

On Jan 13th, 2023, after remaining unspent for 7 months, the funds began moving out from these addresses in 4 batches. Shortly after, on January 23rd, the FBI announced that it had concluded that the North Korean hacker organization Lazarus Group was responsible for the Horizon bridge exploit.

What is the Lazarus Group?

Also known as Hidden Cobra or APT38, it is a notorious cyber-espionage and cybercrime group believed to be associated with North Korea. The group has been active since at least 2009 and has been linked to a series of high-profile cyberattacks against various targets, including governments, financial institutions, and corporations worldwide.

Based on an AP News report, North Korean hackers, including those associated with the Lazarus Group, have stolen an estimated $1.2 billion in cryptocurrency and other virtual assets in the past five years. More than half of this amount was stolen in the year the report was published alone.

Experts and officials believe that North Korea has turned to crypto hacking and other illicit cyber activities as a means to obtain foreign currency to support its struggling economy and fund its nuclear program. This shift occurred following the imposition of harsh U.N. sanctions and the impact of the COVID-19 pandemic on the country.

Some of the most well-known attacks attributed to the Lazarus Group include:

      1. The 2014 Sony Pictures hack, which led to the theft and leaking of sensitive information, unreleased movies, and employee data.
      2. The 2016 Bangladesh Bank heist, where the group attempted to steal nearly $1 billion from the Central Bank of Bangladesh, successfully transferring $81 million before the operation was halted.
      3. The 2017 WannaCry ransomware attack, which affected more than 200,000 computers in 150 countries, causing widespread disruption, particularly in the healthcare sector.
      4. The 2022 Axie Infinity $615m crypto heist.

    The Lazarus Group has been known to use various sophisticated techniques, including spear-phishing campaigns, custom malware, and zero-day vulnerabilities, to infiltrate target systems and exfiltrate sensitive data or disrupt operations. The group is thought to be financially motivated and may also engage in operations to further North Korea’s strategic interests.

    Batch 1 (11-14, Jan, 2023)

    70 of the 143 Tornado Cash withdrawal addresses sent 41,795.62 ETH to 70 new intermediary addresses in 75 transactions between Jan 11 and Jan 14. Following this, these intermediary addresses withdrew 41,792.49 ETH to Railgun.


    Chart: the percentage of transactions coming into Railgun from Lazarus group vs other sources between January 11th to 14th, 2023

    The table with ID 6 not exists.

    Our analysis in the chart and table above shows that 99.9% of all deposits into Railgun between Jan 11 and Jan 14 were proceeds of the Harmony bridge exploit.

    What is RAILGUN?

    RAILGUN is a system that uses advanced technology called zero-knowledge proof (zk-SNARKs) to hide your wallet addresses from public view during transactions. By using RAILGUN, your financial activities remain private while you trade, invest, or use decentralized applications (dApps). RAILGUN works with many popular digital tokens and is available on Ethereum and other blockchains.

    RAILGUN stands out because it works directly on Ethereum’s main network, unlike some other solutions that need extra steps and can be less secure. This makes RAILGUN safer and easier to use.

    Compared to mixers, RAILGUN is more user-friendly and offers better privacy features. While mixers have limitations, RAILGUN lets you keep your wallet balances private even when you’re not making any transactions.

    Between Jan 13 and 14, the perpetrator withdrew 41,711.46 ETH from Railgun into 27 new addresses.

    The table with ID 7 not exists.

    The funds withdrawn from Railgun were sent to several intermediary addresses over multiple hops and eventually 25,500.2 ETH were sent to the customer deposit addresses of 3 major exchanges, namely Binance, Huobi and OKX,  between the 13th and 14th of January.

    Chart: the laundering of batch 1 withdrawals through major exchanges

    The table with ID 8 not exists.

    The majority of the funds in the exchanges were converted and withdrawn on BTC blockchain. We were able to track the following withdrawals from 2 of the 3 exchanges on the Bitcoin blockchain.
    The table with ID 9 not exists.

    The remaining 16,211 ETH was laundered through multiple new addresses in multiple hops between Feb 3 and Feb 15. The funds were mixed with funds from Batch 4 and eventually sent to unidentified services.

    Batch 2 (Jan 28, 2023)

    30 other addresses out of the 143 addresses that had withdrawn funds from Tornado Cash then sent  17,277.95 ETH  to 3 contracts in 117 transactions on 28th Jan. 

    (*0.1 ETH was also sent from an address which is also a contract creator of one of these contracts. Thus, adding 0.1 ETH to the overall input value) 

    The table with ID 10 not exists.

    A total of 17,277.9 ETH ($31,805,510.52) from the 3 contracts was sent to 3 new contracts, which then sent 17,277.9 ETH ($27,198,401.99) to 24 new addresses. These 24 addresses, using multiple hops and intermediary addresses, subsequently sent 17,276.68 ETH to the customer deposit addresses of 6 major exchanges.

    Chart: the laundering of batch 2 withdrawals through major exchanges

    The table with ID 11 not exists.

    The majority of these funds were also converted and withdrawn from the exchanges to the Bitcoin blockchain. We were able to track the Bitcoin withdrawals for 5 out of the 6 exchanges as follows.

    The table with ID 12 not exists.

    Batch 3 (Feb 7, 2023) 

    On Feb 7, 2023, 30 more addresses out of 143 addresses that withdrew funds from Tornado Cash sent 17922.87 ETH to 10 contracts in 72 transactions. Below is a summary of the transactions.

    The table with ID 13 not exists.

    A total of 17,922.87396 ETH from the first 10 contracts was wrapped and sent to 10 new contracts in 72 transactions. This second set of contracts subsequently sent 17,922.87396 WETH to 10 new contracts in another 72 transactions, which was then unwrapped. Finally, this last set of 10 contracts sent the 17,922.87396 ETH to deposit addresses belonging to 4 major exchanges.

    Chart: the laundering of batch 3 withdrawals through major exchanges

    The table with ID 14 not exists.

    Once again, the majority of these funds were converted and withdrawn from the exchanges onto the BTC blockchain. We were able to track the Bitcoin withdrawals for all the exchanges as below.

    The table with ID 15 not exists.

    Batch 4 (Feb 14, 2023)

    11 addresses that withdrew funds from tornado cash sent them to a contract on Feb 14, 2023, as seen in table:

    The table with ID 16 not exists.

    The remaining 2 addresses, 0xda1145776eb9ba6028da12528b35bf6f466c9eff and 0x0178fa9b9a0075a4867588ddcd6ec6e6f4826df4, sent the funds to the UniSwapDai contract at 0xe592427a0aece92de3edee1f18e0157c05861564. These addresses then converted a total of 1,095.13 ETH to 613,568.6902 DAI. Later that same day, the DAI was converted to 1,052.62 wETH, and these funds were then also sent to contract (0x99d80cc3fa292461e3b82c41f3d348bc2cd856a1).

    .

    Chart: the laundering of batch 4 withdrawals through major exchanges

    The table with ID 17 not exists.

    The remaining 5,513 ETH were sent to Intermediary addresses where they combined with funds from Batch 1 and in several hops were sent to Unidentified services.

    The funds sent to Exchanges could not be tracked. We suspect that a lot of these funds were likely frozen. According to articles that came out around the same time, $1.4 million was frozen by Binance and Huobi.

    The Contracts Used by Lazarus Group

    The following is a summary of the contracts used by the Lazarus group to launder funds in Batch 1, 2, 3  and 4, including addresses that created those contracts.

    The table with ID 18 not exists.

    The following 6 addresses created all of the 51 contracts used to launder funds.

        1. 0xdbDF3609A651BCE01b81f65b556090876d44Ed82
        2. 0x69167eb2e7c6adf9fec425c4383afac961459e98
        3. 0xb0951f6e4f6453f2e7c110ee963589132ffc8195
        4. 0xa0689dce51ac5da88c28455f0b40c07c913a5c13
        5. 0x1a61384c5e3bfbbbace6486e3a9c3e426ec47d07
        6. 0x39dfcbfb119dfdfaf194b79b47dbb7c9a75143e4

      Laundering of Funds on BTC:

      We observed that funds were sent to exchanges on Ethereum were then withdrawn to the Bitcoin blockchain. After several hops, the funds were sent to the Avalanche blockchain using the Avalanche Bridge protocol. The Avalanche Bridge protocol is used to transfer BTC from Bitcoin to the Avalanche C-Chain and vice versa. In most cases, the funds from Avalanche were then sent back to Bitcoin using the same Avalanche bridge. This process was repeated several times during the course of our investigation.

      Graph: visualizing an example of the cryptocurrency laundering process in batches 3 and 4

      The graph above is an example of the laundering process, where part of the funds sent to exchanges in batches 3 and 4 was withdrawn on Bitcoin and sent to Avalanche in multiple hops through intermediary addresses. Afterward, these funds were returned to the BTC blockchain and sent, after another series of hops, partially to exchanges with the bulk going back to Avalanche. Some of the funds were also sent cross-chain to Ethereum and Tron. During the course of these transactions, we noticed instances of the possible use of privacy tools, including mixers.

      Response from Virtual Asset Service Providers

      According to a tweet from the CEO of Binance, security teams at Binance and Huobi worked together to prevent further losses from hackers. They were able to freeze and recover 124 Bitcoin (BTC), equivalent to $2.5 million, from the hackers. In addition to this, they also froze $1.4 million worth of crypto.

      Furthermore, we discovered that two addresses with a combined stolen amount of 1,169,348.4 USDC were blacklisted by Circle on Feb 3. These blacklisted addresses were involved in several transactions that Circle deemed suspicious. The following are the details of the blacklisted addresses and the transactions in which these were blacklisted by Circle:

          • Address 1: 0x7F2863dc306fe5be920d311f5EEEF842BaE16ce8 

          • Blacklist Transaction: 0x902c156e19ccb6a0044e1d58fcead36fe1bd2c39ea94f75502b04484cfcc665a

          • Amount Blacklisted: 1,108,586 USDC

            • Address 2: 0xF8A9aB377ce63592583767B34602E130E38eBDca

            • Blacklist Transaction: 0xda1a970f9a1fa16dd868b931c242a3608783c6741cd882c69ee53c24c70f04c8

            • Amount Blacklisted: 60,093 USDC 


          Graph: the stolen funds from the Harmony bridge exploit, transferred across different blockchains and eventually blacklisted

          The graph shows the Funds stolen from the Harmony bridge exploit that were laundered and sent cross-chain from BTC to Avalanche and then converted from BTC.b token to USDC and then bridged over to the Ethereum blockchain. The USDC on Ethereum in multiple hops ended up on two addresses which were then blacklisted as shown on the graph.

          Conclusion

          The recent press release by the FBI, identifying addresses belonging to the Lazarus group used to launder proceeds of the Harmony bridge exploit, aligns with the findings of this investigation. 

          The investigation into the Harmony bridge exploit reveals the complex and sophisticated nature of laundering cryptocurrency crime proceeds. Significant amounts remain unspent on Ethereum and BNB Chain. The use of mixers and privacy services, thousands of intermediary addresses, and newly created contracts on Ethereum all played a role in obfuscating the trail of funds. Major exchanges were used as an off-ramp and for cross-chain transfers, while the Avalanche bridge was repeatedly utilized to further mask the movement of funds, i.e. through swaps of BTC to AVAX and AVAX to BTC, ETH and Tron.

          This investigation is still ongoing, as funds continue to move, and it highlights the need for continued efforts to combat cryptocurrency laundering and related criminal activities. 

          Request a demo today to see how QLUETM can fuel your investigation and investigate complex crypto money laundering schemes.

          Written By: Omar Marzouk
          Writer, Content marketing at Blockchain Intelligence Group


          • Solutions
          • Training
          • Resources
          • Support