Suspected North Korean hackers move $63.5 million in ether stolen from Horizon bridge

Quick Take

  • The hackers of the Horizon bridge moved 41,000 ETH ($63.5 million) over the weekend, on-chain analysts detected. 
  • The funds were routed to a privacy exchange called Railgun and moved to three centralized exchanges.
  • Binance froze $2.6 million of the stolen funds.

Over the weekend, on-chain analysts detected large movements from wallets tied to suspected North Korean hackers that stole about $100 million in crypto from Horizon in June last year. 

Horizon is a bridge that connects Ethereum to the Harmony blockchain. At the time, the money was laundered via Tornado Cash, a popular crypto mixer, and spread among many wallets. Blockchain forensic firms Elliptic and Chainalysis traced the Harmony hackers to Lazarus — a well-known North Korean hacking group associated with the country's regime. 

Over 200 days later, the hackers attempted to launder a large sum of portion of the stolen funds — yet again to evade getting caught. 

ZachXBT, a pseudonymous on-chain sleuth for cryptocurrency transactions, and security firm SlowMist were the first to detect suspicious activity involving wallets associated with the hackers.

The hackers transferred 41,000 ETH ($63.5 million) through over 350 different addresses in the past few days, said ZachXBT, who aggregated on-chain data and identified these suspicious transactions.


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

On Jan. 13, hackers started moving these funds to Railgun, a privacy-focused exchange built directly on the Ethereum blockchain that acts as a mixer, making transactions hard to trace. Such protocols can often be infallible especially when there’s large amounts of funds moving through them in identifiable patterns or clusters of transactions.

ZachXBT found that after Railgun, the funds were consolidated into specific addresses, and moved to three exchanges: Huobi, Binance and OKX, likely in an attempt to convert the assets into fiat money.

At least one centralized exchange has frozen a portion of these assets. Binance CEO Changpeng Zhao said his team was able to seize 124 bitcoin ($2.6 million). The details of how much was transferred to each exchange and how much the hackers were able to successfully launder assets through them remain unclear, ZachXBT noted. 

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]


To contact the editor of this story:
Tim Copeland at
[email protected]