Harmony Horizon Bridge

🔴 High Risk

The case of the Harmony Horizon Bridge exploit exemplifies the escalating threat of cryptocurrency-facilitated money laundering at a global scale. It highlights how sophisticated cybercriminal groups, like North Korea’s Lazarus Group, leverage advanced blockchain technologies—such as privacy mixers, decentralized exchanges, and cross-chain bridges—to obscure the origins and movement of illicitly obtained cryptocurrency assets. These tactics effectively exploit the pseudo-anonymous nature of cryptocurrencies, creating significant challenges for regulatory bodies and law enforcement agencies worldwide tasked with tracing and intercepting illegal financial flows. As this case shows, the evolving laundering techniques in crypto ecosystems not only undermine the integrity of financial systems but also necessitate enhanced international cooperation and technological innovation to counteract these complex schemes.

In June 2022, the Horizon Bridge run by the Harmony network suffered a sophisticated cyberattack that exploited compromised multisignature wallets, resulting in the theft of over $100 million in various cryptocurrencies. The hackers, allegedly linked to the North Korean Lazarus Group, employed advanced crypto laundering techniques, using the privacy mixers Tornado Cash and Railgun, decentralized exchanges like Uniswap, and cross-chain bridges to obfuscate the illicit funds’ origins and flow. Despite efforts by crypto exchanges and law enforcement to track and seize parts of the stolen assets, the laundering highlighted significant vulnerabilities in cryptocurrency infrastructures globally. This case exemplifies the challenges regulators and investigators face in addressing crypto-enabled money laundering on a global scale, given advanced privacy tech and cross-jurisdictional hurdles.

Countries Involved

Global, including the United States, North Korea, and cryptocurrency exchanges worldwide

June 24, 2022

Ethereum (ETH), USDC, WBTC, Binance USD (BUSD), SUSHI, AAVE

Cyber theft followed by illicit money laundering of stolen cryptocurrency assets exploiting privacy mixers and decentralized exchanges

Harmony blockchain platform (victim), Lazarus Group (alleged North Korean hacking group), cryptocurrency mixers (Tornado Cash, Railgun), multiple crypto exchanges (Binance, Huobi, others)

No direct public evidence of PEP involvement in this case

The stolen funds, over $100 million, were quickly routed through highly anonymizing cryptocurrency mixers, primarily Tornado Cash, which obscures the blockchain transaction trail and allows illicit funds to be “cleaned.” After this, the laundered funds were moved through Railgun, a privacy-enhancing protocol layer designed to further anonymize assets, making tracing by authorities more difficult. The hackers also used decentralized exchanges such as Uniswap to convert Ethereum assets into various tokens, breaking up the transaction trail further. Subsequent cross-chain bridging through services like RenVM and Multichain dispersed the funds across multiple blockchains, obscuring the trail even more. Finally, a portion of the laundered assets was funneled into established crypto exchanges, where some were identified and seized.

Approximately $100 million stolen; around $60 million worth of Ethereum passed through Railgun; partial seizures of funds reported, but a significant portion remains unaccounted for.

The Lazarus Group exploited vulnerabilities in the multisignature wallets protecting the Horizon bridge, gaining control of enough private keys to initiate the theft. Post-theft, over 98% of stolen cryptoassets were layered through Tornado Cash, exploiting its mixing capabilities to hide origins. The laundering process aimed to exploit weak regulatory oversight of decentralized mixers and bridges. Elliptic’s blockchain forensic tools traced funds through Tornado Cash and Railgun, highlighting key addresses and transaction patterns used in laundering. Chain hopping (switching assets between blockchains) was a primary tactic to confuse tracking efforts, involving the Ethereum, Binance Smart Chain, and Bitcoin networks.

Binance, Huobi, and other exchanges reportedly collaborated to identify, block, and seize portions of the stolen funds, indicating proactive crypto exchange compliance efforts. The FBI and other international law enforcement agencies are actively investigating the Lazarus Group’s activities, issuing warnings to the crypto industry about North Korean threat actors exploiting privacy-enhancing technologies for laundering. Despite these actions, significant regulatory challenges remain due to jurisdictional issues, decentralized asset movement, and privacy tech complexities.

Harmony Horizon Bridge
Case Title / Operation Name: Harmony Horizon Bridge Exploit
Country(s) Involved: United States
Platform / Exchange Used: Harmony Horizon Bridge, Tornado Cash, Railgun, Binance, Huobi, Uniswap
Cryptocurrency Involved: Ethereum (ETH), USDC, WBTC, Binance USD (BUSD), SUSHI, AAVE
Volume Laundered (USD est.): Approximately $100 million
Wallet Addresses / TxIDs: Multiple wallets involved, specifically those linked to Tornado Cash and Railgun privacy mixers (exact TxIDs undisclosed)
Method of Laundering: Compromise of 2-of-5 multisig private keys, crypto tumblers (Tornado Cash), privacy-enhancing protocols (Railgun), chain hopping, and conversion on decentralized exchanges
Source of Funds: Proceeds of cyber theft from exploited Horizon cross-chain bridge
Associated Shell Companies: N/A
PEPs or Individuals Involved: N/A
Law Enforcement / Regulatory Action: FBI and international coordination, crypto exchange cooperation for fund freezes, ongoing investigations, $10M reward offered by Harmony for information
Year of Occurrence: 2022
Ongoing Case: Ongoing