Written by Ethan Brooke
Trouble on the Horizon.
It started small.
At 9:32 PM EST on June 23rd, 2022, an anonymous user moved 1 Ether, or approximately $1,143.46 USD, from the Horizon bridge to a crypto wallet. The 15,012,744th block on the chain had been confirmed by the digital signatures of two of the four specific wallets required to approve transactions.
And then it became big.
And very significant.
30 minutes and 48 seconds after the first transaction, $5,225,612.20 USD was withdrawn from the bridge. Within 1 minute and 58 seconds, a subsequent $4,458,350.54 USD was drained followed by another $8,092,266.42 USD. By the end of the plunder, $102,436,212.75 USD had been looted from the bridge by anonymous hackers.
The victim of the hack was Harmony, but its bridge, Horizon, was the target. Harmony is a blockchain that rose in popularity due to its low gas fees and high transaction speeds. Part of Harmony’s core value proposition is the set of bridges it offers.
While incredibly useful, bridges are also extremely attractive targets for hackers. This is mainly because of their large stores of liquid cryptocurrencies, a trait required to allow users to exchange, or wrap, their coins and transfer them to use on different blockchains.
On-chain transactions require a signature from the enacting user’s wallet. Every wallet has its own private key that produces these signatures. For security purposes, Horizon is secured by a multi-signature (multi-sig) wallet. This means that instead of requiring a signature from just one wallet to enable a transaction, signatures from multiple wallets are required before any on-chain transaction can be approved and made. Horizon’s multi-sig wallet has four owner wallets, as shown by the calls below: required() returns the number of owner confirmations a transaction needs, and owners(i) returns the address of each owner.
seth call 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6 "required()"
seth call 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6 "owners(uint256)" 0
seth call 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6 "owners(uint256)" 1
seth call 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6 "owners(uint256)" 2
seth call 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6 "owners(uint256)" 3
In the case of the most recent hack, the raiders obtained at least two of the private keys of the necessary wallets, allowing them to sign the illicit transactions. As explained by @_apedev on Twitter, any transaction can be executed on the Horizon bridge as soon as two of its four keys are compromised.
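To make the 2-of-4 threshold concrete, here is an added example (not Harmony's contract code) that models an m-of-n multi-sig wallet in the style of the one queried above and reports how many owner keys an attacker needs versus how many may be lost before legitimate signing stalls. The owner identifiers and thresholds are constructed.

```python
"""Model of an m-of-n multi-signature wallet approval flow.
Added example, not the Horizon contract; owners and thresholds are constructed."""
from dataclasses import dataclass, field


@dataclass
class MultiSigWallet:
    owners: list                      # addresses allowed to confirm transactions
    required: int                     # distinct confirmations needed to execute
    confirmations: dict = field(default_factory=dict)  # tx_id -> set of owners

    def confirm(self, tx_id: str, signer: str) -> None:
        """Record one owner's confirmation; non-owners are rejected outright."""
        if signer not in self.owners:
            raise PermissionError(f"{signer} is not an owner")
        # A set means the same owner confirming twice still counts once.
        self.confirmations.setdefault(tx_id, set()).add(signer)

    def is_executable(self, tx_id: str) -> bool:
        """Execution is allowed once 'required' distinct owners have confirmed."""
        return len(self.confirmations.get(tx_id, set())) >= self.required


def threshold_margins(owners: int, required: int) -> dict:
    """Two numbers a reviewer should look at when auditing a multi-sig:
    how many keys an attacker must compromise to push any transaction through,
    and how many keys may be lost or offline before the honest owners are stuck."""
    if not 1 <= required <= owners:
        raise ValueError("required must be between 1 and the number of owners")
    return {
        "keys_an_attacker_needs": required,
        "keys_that_may_be_lost": owners - required,
    }


if __name__ == "__main__":
    # Constructed 2-of-4 wallet: two compromised owner keys are enough.
    wallet = MultiSigWallet(owners=["own_A", "own_B", "own_C", "own_D"], required=2)
    wallet.confirm("tx1", "own_A")
    wallet.confirm("tx1", "own_B")
    print("2-of-4 executable with two keys:", wallet.is_executable("tx1"))
    print("2-of-4 margins:", threshold_margins(4, 2))
    print("3-of-4 margins:", threshold_margins(4, 3))
```

Raising the threshold trades availability for compromise resistance: the margins for 3-of-4 show an attacker needing one more key while the owners can afford to lose one fewer.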
Approximately 11 hours after the theft had begun, Harmony alerted its Twitter followers to the breach of its Horizon bridge. Immediately after this, Harmony froze the bridge to prevent any further losses. Working with the FBI and engineers from around the world, including the US, Greece, India, and Cambodia, Harmony is investigating the hack.
Where there is smoke, there is fire.
On June 29th, 2022, blockchain analytics company Elliptic Connect released their report regarding the Horizon bridge hack. They also named who they believe are the perpetrators of the hack.
The Lazarus Group.
A familiar name for anyone following the world of cyber-hacking, the Lazarus Group (LG) is a North Korean-run cybercrime group. LG’s earliest-known attack, "Operation Troy", took place in 2009 with a series of attacks on South Korean government servers. The attacks were unsophisticated and used a basic distributed denial-of-service (DDoS) attack. A DDoS attack attempts to prevent users from accessing online servers by flooding the network with traffic. Since then, hackers from the unit dubbed by the North Korean government as the “414 Liaison Office” have dramatically increased the complexity of their hacks, as evidenced by their May 2017 ransomware attack, WannaCry. WannaCry, a name based on the Microsoft-owned Wincry encryption software, encrypted a user’s files until they agreed to pay a ransom of $300 USD in Bitcoin to the group. The attack affected over 300,000 companies across 150 countries.
Since then, LG has turned many of its efforts to cryptocurrency-focused cybercrime and is currently believed to have stolen almost $2 billion USD in cryptocurrencies. Before their latest stunt with Horizon, LG made the news in May 2022 for allegedly stealing $540 million USD of Ethereum from the Ronin network, another bridge that supports the popular play-to-earn game Axie Infinity.
A wolf in crypto clothing.
Since the Horizon bridge was secured by a multi-sig wallet, LG needed at least two of the four private keys required to authorize on-chain transactions. Based on this, the hack likely started with social engineering. In a joint statement published on April 18, 2022, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and U.S. Treasury warned about North Korean hacking groups targeting blockchain companies. As described in the memo,
“Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies… The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as ‘TraderTraitor.’” - Cybersecurity and Infrastructure Security Agency (CISA)
The TraderTraitor apps are almost exclusively distributed via modern-looking websites that advertise the fake app’s features. One TraderTraitor app identified by CISA is CryptAIS, a trading app that claims to leverage AI to build your cryptocurrency portfolio.
The app is distributed as an Apple Disk Image and is signed with a legitimate Apple-issued developer signature obtained from a compromised developer team. These legitimate distribution methods and signatures allow the hackers to avoid setting off any security alarms. To use the app, users are required to register for an account by entering an email address and password. This data is immediately and covertly passed along to the command-and-control server the hacker uses to communicate with the breached network, which decrypts the response and exposes the sensitive information.
But cracking the victim's email and password is just the tip of the iceberg.
Now installed on the victim’s computer, the fake crypto software runs a seemingly mundane update routine.
A function within the update code downloads and executes a malicious payload, installing a remote access tool (RAT) on the victim’s computer. A RAT enables an attacker to remotely control a system without leaving any traces. Once in place, the attacker can execute code, access files and passwords, log keystrokes, and essentially use any part of the machine they want. Within TraderTraitor apps such as CryptAIS, a custom RAT known as Manuscrypt has been found, previously identified by CISA as consistently used by the North Korean government. Once a victim installs a TraderTraitor app on their machine, hackers have carte blanche over the user’s entire digital life and can search for the private keys needed to access their crypto accounts.
Based on the links between LG and North Korea, and the North Korean government’s cyber-hacking mode of operation as outlined by CISA, it’s highly likely that LG used a TraderTraitor app. Using the fake apps, the group could have compromised at least two of the four keys of the multi-sig wallet needed to authorize a transaction on the Horizon bridge.
Hook, line, and mixer.
Hackers started the laundering process immediately after stealing the $100 million USD in cryptocurrencies from the bridge. They started with Uniswap, a decentralized cryptocurrency exchange.
At its most simple, this is how cryptocurrency laundering works:
- A hacker steals a sum of cryptocurrency.
- The stolen coins are moved to a wallet.
- The thief goes to a decentralized exchange and swaps all the stolen coins for new coins.
- The new coins are deposited at a legitimate crypto exchange and the thief cashes out for fiat.
The simplicity of this method creates problems for thieves as they are tracked by the unavoidable digital ledger that is the blockchain, actively recording every transaction from every wallet. To cover their tracks and fragment the trail of transactions stemming from the hack, launderers use a mixer.
For the Horizon hack, the thieves used Tornado Cash, a popular decentralized mixer. Using a mixer, cryptocurrency laundering becomes a lot harder to track:
- A hacker steals a sum of cryptocurrency.
- The stolen coins are sent to a Tornado Cash address on the blockchain, not a wallet.
- A Tornado Cash wallet sends back different, new, and clean coins.
- The new coins are deposited at a legitimate crypto exchange and the thief cashes out for fiat.
While crypto-laundering schemes have significantly developed in complexity, blockchain analytic companies have been hard at work to keep up. To investigate the Horizon bridge hack, Elliptic used their Investigator software, capable of demixing the coins and tracking the stolen funds to their new wallets.
Elliptic has also developed software that identifies the stolen coins when someone attempts to use them, preventing the hackers from spending the stolen funds at crypto businesses that use the service. So far, approximately $39 million USD, or 35,000 Ether, has been mixed through Tornado Cash. As hackers continue to leverage the decentralized nature of mixers and their circumvention of law enforcement, the U.S. government has started taking action, most recently with the sanctioning of Bitcoin mixer Blender.io, a mixer used by LG in the past to launder other stolen cryptocurrencies.
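The two laundering flows listed above, and the tracing work described here, come down to walking a transaction graph. The following added example (not Elliptic's Investigator, nor anything from Harmony) follows funds outward from a source address over a constructed ledger, records each labelled service the funds reach, and stops at a mixer because the on-chain trail is broken there; every address, label and amount is constructed.

```python
"""Taint-trace stolen funds across a transaction graph and flag service hits.
Added example; the ledger, addresses, labels and amounts are all constructed."""
from collections import deque

# Constructed ledger entries: (sender, receiver, amount_eth)
LEDGER = [
    ("bridge", "hacker1", 100.0),
    ("hacker1", "dex_router", 60.0),      # swap on a decentralised exchange
    ("dex_router", "hacker2", 59.0),      # swapped coins land in a fresh wallet
    ("hacker2", "tornado_pool", 50.0),    # deposit into a mixer
    ("hacker2", "exchange_deposit", 9.0), # direct deposit at a centralised exchange
    ("hacker1", "hacker3", 40.0),
    ("unrelated", "hacker3", 5.0),        # clean inflow; must not taint 'unrelated'
]

# Constructed labels for known contracts and services
LABELS = {"tornado_pool": "mixer", "exchange_deposit": "exchange", "dex_router": "dex"}


def trace_taint(ledger, source, labels):
    """Breadth-first walk along outgoing transfers from `source`.
    Returns (tainted_addresses, hits); each hit is (address, label, amount).
    A DEX swap is still followed, since it stays visible on-chain, but the walk
    stops at a mixer: its withdrawals cannot be linked to deposits on-chain."""
    outgoing = {}
    for sender, receiver, amount in ledger:
        outgoing.setdefault(sender, []).append((receiver, amount))
    tainted, hits, queue = {source}, [], deque([source])
    while queue:
        addr = queue.popleft()
        for nxt, amount in outgoing.get(addr, []):
            kind = labels.get(nxt)
            if kind:
                hits.append((nxt, kind, amount))
            if kind == "mixer":
                continue                      # trail ends at the mixer
            if nxt not in tainted:
                tainted.add(nxt)
                queue.append(nxt)
    return tainted, hits


def mixer_exposure(hits):
    """Total amount of traced funds that entered mixers (what demixing must recover)."""
    return sum(amount for _, kind, amount in hits if kind == "mixer")


if __name__ == "__main__":
    tainted, hits = trace_taint(LEDGER, "hacker1", LABELS)
    print("tainted:", sorted(tainted))
    print("service hits:", hits)
    print("sent into mixers:", mixer_exposure(hits))
```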
While it can’t be proven with 100% certainty that LG is behind the hack, all signs point to the group being the culprit:
- The social engineering hack needed to acquire the private keys fits the earlier alarms sounded by the U.S. government, within which LG is specifically named.
- LG has been accused of committing a series of other similar cryptocurrency heists, including blockchain and bridge hacks.
- LG has consistently employed the same money laundering methods for past cryptocurrency theft.
A bridge too far?
Harmony has been actively trying to recover the stolen funds. Initially, the company offered a $1 million USD bounty in exchange for the return of the stolen funds or sharing exploit information, with a promise to advocate against the pressing of criminal charges when the funds are returned. Since then, the company has expanded on its starting offer and communicated it with an encrypted message sent via the blockchain to the hacker’s wallet.
Apart from the $100 million USD loss in assets, Harmony’s token, $ONE, has crashed in value by 171.723% since the hack. At 10 PM EST on June 23rd, minutes before the hackers started to empty the bridge, $ONE was worth $0.2428 USD per token. At the time of writing, one token is worth $0.01848 USD.
In the past, companies have recovered from hacks by raising a new round of funding from venture firms. In April 2022, Sky Mavis, the parent company behind the popular play-to-earn video game Axie Infinity, had their bridge hacked for $625 million USD. In a venture round led by Binance, and supported by brand names like a16z and Paradigm, Sky Mavis raised $150 million USD to reimburse customers who were affected by the attack. In February 2022, $321 million USD was extracted from another bridge named Wormhole in the largest crypto heist to date. Venture capital firm Jump Crypto stepped in to bail the bridge out, replenishing 100% of the 120,000 Ether stolen. Harmony emerged as part of Binance Launchpad's initial exchange offering, potentially providing them with the relationship needed to succeed in pursuing the bailout route.
In a similar vein, crypto-exchange FTX has stepped in as a sort of lifeguard for failing crypto companies. The exchange headed by CEO Sam Bankman-Fried has been on an acquisition run, agreeing to buy crypto lender BlockFi in June 2022 for up to $240 million USD, in addition to providing a $400 million USD revolving credit facility. Bankman-Fried quickly followed this up in July 2022 with a $500 million USD commitment to crypto brokerage Voyager Digital, made up of a $200 million USD credit facility and a 15,000 Bitcoin revolving credit facility, worth around $300 million USD. It’s unclear how the recent hack will affect decisions to invest in the company. However, it’s worth noting that both companies acquired by Bankman-Fried have faced cyberattacks. BlockFi had customer data hacked as recently as March 2022 and Voyager Digital was attacked in December 2021 but managed to defend itself in time, avoiding any data or financial breaches.
It’s unclear what Harmony’s fate will be. Much of it depends on how confident consumers are in the company. If their token price ($ONE) stays at such low levels, Harmony may struggle to incentivize users to hold and stake their coin. This would make it more expensive to make transactions on their blockchain. If their investigative team fails to recover the stolen funds, or they do not find a way to recoup their losses, their bridges could lose their edge. If they fail to prove that they have sufficiently upgraded their security, they may not regain the trust of their customers. Worse, they could be hacked again. These “ifs” could lead to a future where Harmony experiences a drop in users, revenue, and general faith in their ecosystem. That would put the blockchain company under immense financial pressure at a time when tech and crypto markets are already struggling. To prevent this potential future, the company has emphasized communication with its community, publishing weekly Q&As hosted by CEO Stephen Tse, and is developing strategies to help those affected by the incident recover.
The road to crypto redemption.
Hacks of this form are a painful reminder of the infancy of DeFi and crypto as a whole. They outline the most vulnerable cogs of the system and show how easily they can be exploited, invariably souring some consumer sentiment towards blockchain technology. However, they also tell founders exactly where to focus their building efforts. The breach of Harmony’s Horizon bridge demonstrated major flaws that exist in the world of crypto. Still, the company has proven the immense potential decentralized finance has in disrupting the way we think of currency and engage with money.