Harmony Horizon Exploit Linked to North Korea, $10M Bounty Offered

The blockchain's develops now have a "global manhunt" to track down the attackers.

AccessTimeIconJun 30, 2022 at 10:15 a.m. UTC
Updated May 11, 2023 at 6:42 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Harmony developers said Thursday they had started a “global manhunt” to catch the culprits behind last week’s $100 million exploit of its Horizon bridge, according to a Thursday update.

The exploited "Horizon" bridge allowed users to exchange assets such as tokens, stablecoins and non-fungible tokens (NFTs), among the Ethereum, Binance Smart Chain and Harmony blockchains.

A bounty offered to individuals who could provide information about the attacker to Harmony was increased to $10 million from the previous $1 million. The ETH address to return the funds is 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac.

Harmony team has also offered “one final opportunity” for the attackers to return the assets with anonymity: “The final term is they retain $10 million and return the remaining amount, in addition to the team ceasing the investigation.”

Meanwhile, security firm Elliptic linked the attack to North Korean hacker group Lazarus in a release Wednesday.

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft,” Elliptic researchers said. “Based on the nature of the hack and the subsequent laundering of the stolen funds.”

Elliptic noted that the movement of stolen funds occurred mostly during Asia-Pacific nighttime hours and that the attack used techniques that were “frequently used” by the Lazarus Group.

Lazarus is believed to have stolen over $2 billion in crypto assets from exchanges and decentralized finance (DeFi) platforms, Elliptic said. It added that the Horizon Bridge hacker has so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer.

Earlier this week, the attackers transferred over 36,000 ether, worth $44 million at the time, to Tornado Cash over several transactions, as reported.

The attacker’s main wallet – tagged as “Horizon Bridge Exploiter” on blockchain tracing service Etherscan – continues to hold over 33,000 stolen ethers, blockchain data shows.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.