Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 096Bridge Exploit

Harmony Horizon Bridge

Lazarus compromised two of five operator multi-sig keys on Harmony's cross-chain bridge and drained $100M; the 2-of-5 quorum was below its risk profile.

Date
Victim
Harmony
Chain(s)
EthereumHarmony
Status
Funds Stolen
Attribution
Lazarus Group / APT38 (DPRK)

On June 24, 2022, attackers drained roughly $99.7 million in ETH, BNB, USDC, USDT and DAI from Horizon, the cross-chain bridge connecting Harmony to Ethereum and Binance Chain. The FBI later publicly attributed the operation to North Korea's Lazarus Group / APT38.

What happened

The Horizon bridge was secured by a 2-of-5 multi-signature scheme — only two operator signatures were required to authorise withdrawals from the bridge contracts on Ethereum and Binance Chain. For a bridge holding hundreds of millions in TVL, a 2-of-5 threshold was widely considered far too low even at the time.

The attacker obtained at least two of the five signing keys. The compromise vector was social engineering aimed at the operators themselves — TTPs that closely match later Radiant Capital and DMM Bitcoin operations attributed to the same group.

With two keys in hand, the attacker issued valid withdrawal authorisations and drained the bridge's reserves on Ethereum.

Aftermath

  • Harmony paused the bridge within hours.
  • Binance and Huobi identified and froze approximately $2.5M (124 BTC) of stolen funds as they passed through their addresses.
  • The Harmony Foundation announced a compensation plan funded by new HRM token issuance — controversial among the community, partially implemented.
  • The attacker laundered the bulk of the stolen funds through Tornado Cash and, in January 2023, used RAILGUN (a then-newer privacy protocol) to launder a further $60M+ worth of ETH.

Why it matters

Harmony was one of three major bridge multi-sig compromises in a single year — alongside Ronin ($625M) and BNB Bridge ($586M). The pattern made clear that N-of-M multi-sig bridges with small operator sets are not a defensible long-term security model. By the end of 2022 most major bridge designs had either increased their quorum substantially, moved to attestation committees with explicit slashing, or replaced human-key signing with on-chain proof systems entirely.

Sources & on-chain evidence

  1. [01]fbi.govhttps://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft
  2. [02]elliptic.cohttps://www.elliptic.co/blog/analysis/fbi-confirms-north-korea-s-lazarus-group-as-hackers-behind-100-million-harmony-horizon-bridge-theft
  3. [03]thedefiant.iohttps://thedefiant.io/news/hacks/harmony-hack-lazarus

Related filings