Harmony Horizon Bridge

Lazarus Group compromised two of the five multi-signature keys guarding the Harmony Horizon bridge and drained $100M in a single transaction.

Target
Harmony Horizon Bridge
Date public
23 June 2022
Sector
Crypto
Attack type
Wallet Compromise
Threat actor
Lazarus Group (DPRK)
Severity
High
Region
Global

The Harmony Horizon bridge let people move cryptocurrency between different blockchains. To prevent any single person from draining it, withdrawals required approval from at least two out of five designated "signers" — like a safety deposit box that needs two keys simultaneously. The problem was that those two keys weren't as secure as they needed to be. North Korean state-sponsored hackers — the Lazarus Group, which works on behalf of the government in Pyongyang — broke into the personal computers or devices of two of the five key holders. With both keys compromised, they had everything they needed to authorise withdrawals from the bridge and drain it entirely. The attackers moved the money through a cryptocurrency mixer called Tornado Cash to obscure the trail. The FBI later publicly named Lazarus Group as responsible and confirmed the funds went to North Korea, where US agencies believe they help finance the country's ballistic missile and weapons programmes. None of the money was recovered. The incident is a clear illustration that a two-of-five multisig scheme is only as strong as the security of whichever two signers are most vulnerable.

What happened

On 23 June 2022, attackers drained approximately $100 million in cryptocurrency from the Harmony Horizon bridge, a cross-chain bridge connecting the Harmony blockchain to Ethereum and BNB Chain. The theft was carried out by compromising two of the five private keys that collectively controlled bridge withdrawals, then using those keys to sign and execute large unauthorised transfers.

On 23 January 2023 the FBI publicly attributed the attack to the Lazarus Group, a threat actor operated by North Korea’s Reconnaissance General Bureau. The attribution placed the Horizon attack within a sustained DPRK-linked cryptocurrency theft campaign that includes the $625 million Ronin Network theft in March 2022, the Atomic Wallet theft in 2023, and multiple subsequent exchange and protocol incidents. US government agencies have assessed that funds stolen in these operations help finance North Korea’s ballistic missile and weapons of mass destruction programmes.

The stolen funds were laundered through Tornado Cash, an Ethereum-based cryptocurrency mixer. US Treasury’s Office of Foreign Assets Control sanctioned Tornado Cash in August 2022, in part citing its use in laundering proceeds from the Harmony breach. None of the $100 million was recovered.

How it worked

The Horizon bridge used a multisignature (multisig) wallet architecture: withdrawals from the bridge required cryptographic approval from at least two of five designated signers. This design was intended to eliminate single points of failure — no one person could unilaterally drain the bridge. In practice, the two-of-five threshold meant that compromising any two signers was sufficient to approve arbitrary withdrawals.

Lazarus Group’s method of compromising the signers has not been fully disclosed by Harmony or US law enforcement, but the established Lazarus playbook for this period is well-documented: targeted spear-phishing campaigns against identified employees, delivery of macOS and Windows malware via trojanised software or job-offer lures, and extraction of private keys from infected endpoints or cloud environments where key material was stored. The group had demonstrated the same methodology in the Ronin Network theft three months earlier, where they compromised five of nine validator keys through a similar targeted employee campaign.

The critical structural weakness was that the two-of-five signing threshold provided insufficient protection against a well-resourced nation-state adversary willing to invest significant effort into targeting individual employees. The signers’ keys were held in environments — likely individual workstations or cloud credential stores — that were not physically segregated or hardware-isolated from internet exposure. A threshold scheme achieves its theoretical security only if the individual signers are operationally independent and each is hardened to a standard commensurate with the value they protect.

Once the two keys were in Lazarus’s possession, the theft itself was mechanically straightforward. The attackers constructed valid withdrawal transactions, signed them with the two compromised keys, and submitted them to the bridge contract. The bridge’s code performed exactly as designed — it verified two valid signatures and released the funds. The vulnerability was not in the smart contract code; it was in the human and operational security practices surrounding the keys.

The subsequent laundering operation used Tornado Cash across hundreds of transactions over several days, cycling the stolen assets through the mixer to break the on-chain link between the theft addresses and the eventual destination wallets. Chainalysis and other blockchain analytics firms traced portions of the movement despite the mixing, which contributed to the FBI’s eventual attribution.

Timeline

  • 23 June 2022, ~11:00 UTC — Eleven unauthorised transactions drain approximately $100M from the Harmony Horizon bridge. Funds removed include ETH, USDC, USDT, wrapped BTC, and other assets.
  • 23 June 2022, afternoon — Harmony team detects the breach and halts the bridge. The team posts a public announcement and contacts law enforcement and major exchanges.
  • 24 June – July 2022 — Stolen funds moved through Tornado Cash across multiple transactions. Major exchanges put attacker-linked addresses on watch lists.
  • August 2022 — US Treasury sanctions Tornado Cash, citing its role in laundering Harmony breach proceeds alongside other illicit funds.
  • January 2023 — FBI publicly attributes the attack to the Lazarus Group. US Department of Justice opens an investigation.
  • Bridge reopens with a rebuilt multisig structure and new key holders, but Harmony’s on-chain activity remains significantly reduced compared to pre-incident levels.

What defenders should learn

The Harmony incident is the clearest available case study in multisig being misconfigured rather than correctly implemented. A two-of-five threshold means an attacker needs to compromise only two people. When those people are employees of the same organisation working in similar computing environments, subjected to the same targeting campaign, the “five” in the denominator provides less diversification than the headline number implies.

Multisig schemes protecting bridge assets at this scale should implement hardware security modules (HSMs) or purpose-built hardware signing devices for all key holders, with keys generated and stored in air-gapped environments. The signing threshold should be set with the question “how many employees could a sophisticated nation-state compromise in a single campaign?” as the primary design input, not “what is the minimum number that lets us operate conveniently?” For Lazarus-grade actors, the answer to the first question is probably more than two and possibly more than five.
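To make the diversification point and the threshold-design question concrete, here is an added Python example, not from the original write-up or from Harmony: it computes the probability that an attacker reaches a k-of-n signing threshold when signers are independent versus when some share an environment and fall together. The 10% per-environment compromise probability and the cluster layouts are constructed assumptions for illustration, not estimates of Harmony's actual exposure.

```python
"""Model how correlated signer compromise erodes a k-of-n multisig.

Added example, not from the original write-up. The per-environment
compromise probability `p` and the cluster layouts are constructed
assumptions for illustration, not estimates for any real protocol.
"""
from fractions import Fraction
from itertools import product


def threshold_breach_probability(clusters, k, p):
    """Probability that an attacker controls at least k signing keys.

    `clusters` lists group sizes of signers that share an environment
    (same workstation build, same credential store, same phishing wave),
    so each group is compromised as a unit with probability `p`.
    Independent signers are clusters of size 1.
    """
    total = 0
    # Enumerate every combination of "cluster compromised / not compromised".
    for outcome in product((False, True), repeat=len(clusters)):
        keys = sum(size for size, hit in zip(clusters, outcome) if hit)
        if keys >= k:
            hits = sum(outcome)
            total += p ** hits * (1 - p) ** (len(clusters) - hits)
    return total


def compare_layouts(n, k, p):
    """Breach probabilities for several signer layouts of n keys."""
    layouts = {
        "independent": [1] * n,                        # the headline k-of-n promise
        "two share an environment": [2] + [1] * (n - 2),
        "single shared environment": [n],              # one campaign takes every key
    }
    return {name: threshold_breach_probability(c, k, p)
            for name, c in layouts.items()}


if __name__ == "__main__":
    p = Fraction(1, 10)  # constructed: 10% chance a campaign owns a given environment
    for k in (2, 4):
        print(f"\n{k}-of-5, per-environment compromise probability {p}:")
        for name, prob in compare_layouts(5, k, p).items():
            print(f"  {name:28s} P(>= {k} keys) = {float(prob):.5f}")
```

Raising the threshold from 2 to 4 cuts the independent-signer breach probability by two orders of magnitude but does nothing when all five keys sit in one environment, which is the "five in the denominator" problem in numbers.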

Lazarus Group’s cryptocurrency targeting strategy in this period followed a consistent pattern: identify protocol employees via LinkedIn and social media, build a plausible lure (typically a job offer from a prestigious firm), deliver malware through document attachments or trojanised applications, and establish persistence to harvest credentials and key material. Teams at any protocol holding significant assets should treat unsolicited contact from recruiters, journalists, and potential partners as a potential Lazarus lure, require multi-party authorisation for any action that touches key material, and mandate hardware keys for all signing operations.

The broader lesson from the DPRK cryptocurrency campaign — of which Harmony is one incident among many — is that nation-state adversaries with strategic patience and specialist capability represent a qualitatively different threat class from opportunistic DeFi exploiters. A protocol that is adequately secured against typical financial attackers may still be inadequately secured against a state intelligence service with years of accumulated tooling specifically targeting crypto key material.
