The recent $100 million cryptocurrency theft from Harmony, a US blockchain business that created the Horizon Bridge key (a service that connects two blockchains and allows users to transfer cryptocurrencies between different blockchains), is thought to have been carried out by North Korea’s state-sponsored Lazarus Group.
Although no one element alone can for sure point out Lazarus as the guilty party, they all together imply the group’s involvement. First, the cryptographic keys to Harmony’s multi-signature wallet, where the cryptocurrency was physically stored, were obtained by the hackers, most likely by social engineering assaults on the company’s project members. Such methods have been extensively used by The Lazarus Group in previous operations. A large portion of the core staff at Harmony have ties to the Asia-Pacific area, where The Lazarus Group also frequently focuses on targets.
Additionally, the automated use of the Tornado Cash mixer could also be interpreted as a sign of the group’s involvement. Tornado Cash is a mixer that has frequently been used to reroute illegitimate cryptocurrency funds, to disguise and conceal the flow of transactions by scrambling digital money from thousands of addresses. The group has likely been deposited cryptocurrency into the Tornado Cash through an automated process in the recent heist on the Ronin Bridge and several other attacks. Finally, the key factor that indicates the North Korean group involvement was their recent shift to concentrate on assaulting decentralized finance networks like blockchain bridges.
The Reconnaissance General Bureau, North Korea’s top intelligence organization, “runs” the Lazarus Group. Major assaults, such as the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attacks, have been attributed to the hacker organization. State-sponsored cryptocurrency theft has been pointed out as a key component of North Korea’s illegal financing schemes for its nuclear and missile programs. Hackers with ties to North Korea stole digital assets valued at close to $400 million last year, according to a report released in February by the blockchain analytics platform Chainanalysis. According to the company’s assessment on the yearly crypto crime ranking, the illegal revenues were the greatest share of North Korea’s GNP for 2021 at 10%.
There is often an uncomfortable tendency to see these attacks as something that takes place in isolation in a remote part of the Internet when, in reality, they have a huge impact on thousands of people. Digital assets have become deeply ingrained into our lives – cryptocurrency is now used by a far broader cross-section of the population (13% of Americans traded crypto in 2020), major companies now accept it as payment (such as Tesla), and nations have integrated cryptocurrencies into their economies. El Salvador famously became the first country to adopt Bitcoin as an official currency in 2021, but many countries are now looking to join the party. The UK, for example, recently announced its intention to become a “global hub” for the crypto industry, proposing even an NFT backed by the Royal Mint. President Biden’s Executive Order on Digital Assets, released in March, also acknowledged the growing role of cryptocurrencies in the US economy.
The risks of an industry that is so unregulated that rogue regimes can fund themselves through crime makes the whole industry look bad. Of course, attacks do happen & legacy financial institutions aren’t exempt, but regulations would hold digital financial institutions to a sufficient standard that losses would mitigated, like bank robbery or fraud in legacy finance. When these standards are not met, there are consequences put in place by the regulators. In other words, it is creating standards to protect customers. For instance, guaranteeing that crypto exchanges are liquid enough and plan to have an emergency fund, or insurance, to ensure customers are guaranteed a minimum level of reimbursement.
But a word of caution: the idea here is not overregulation. The ideal path would be moderate legislative suggestions to boost investment and protect consumers and investors. Regulation should not change the nature of blockchain, cryptocurrencies or DeFi – which are alternative routes to traditional financial institutions and therefore should retain different characteristics, including some degree of volatility and risk. Regulation should merely make them safer for their users.