Analyst Prompt #12: Harmony Blockchain Confirms Approximately US$100 Million Compromised and Stolen


Exploit tools and targets: Harmony confirms blockchain compromise and theft of approximately US$100 million

On June 23, 2022, Harmony was notified of an attack on its proprietary Horizon Ethereum bridge. Eleven transactions mined tokens stored in the bridge with an estimated value of around US$100 million at the time of the attack. [1]

Harmony’s public disclosure suggests that the attacker or attackers may have compromised two of the five private keys needed to sign transactions. A standard cryptocurrency wallet relies on a public address to receive digital assets and a private key to authorize transactions. A multi-signature wallet (short multisig) requires two or more private keys for authorization; therefore, multiple parties share control.

DevOps Connect: DevSecOps @ RSAC 2022

Harmony believes that “the attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions and take assets in the form of BUSB, USDC, ETH, and WBTC.” The attacker then transferred assets to the Ethereum network.

On June 27, the attacker began anonymizing the ownership of these assets by transferring funds through Tornado Cash, a crypto-mixing platform that improves transaction privacy by breaking the chain link between source and debit addresses. destination.

Harmony is working with cybersecurity partners, exchange partners, and the FBI to investigate the breach and recover stolen assets. The company offered a $1 million reward for returning funds from the Horizon Bridge or sharing information about the exploit. [2]. On June 29, the company increased the reward to $10 million with a deadline of July 4 at 23:00 GMT. He also announced a $10 million reward for offering information leading to the return of stolen funds.

Harmony updated its co-signing process to now require four out of five keys. EclecticIQ analysts point out that the root cause of the private key compromise is unknown. Therefore, increasing the number of keys required to sign transactions may have limited value, if there is a common point of failure among all of them.

Threat Actors: Denial of Service Attacks by Pro-Russian Group KILLNET Temporarily Disrupts Lithuanian Internet Services

The Lithuanian National Cyber ​​Security Center (NKSC) warned on (insert date) of an ongoing Distributed Denial of Service (DDoS) attack against the National Secure Data Transfer Network, other government institutions and companies private from Lithuania. [3]

The pro-Russian group KILLNET said the attacks were in retaliation for Lithuania’s banning of EU-sanctioned goods from Russia through its territory to the Russian enclave of Kaliningrad. [4] The ban went into effect on June 18.

In its response, Russia called the ban an “unprecedented” and “hostile” act. Russian Foreign Minister Nikolai Patrushev issued a statement on Tuesday June 21 stating that “if in the near future the transit of cargo between the Kaliningrad region and the rest of the territory of the Russian Federation via Lithuania is not not fully recovered, Russia reserves the right to take action to protect its national interests. [5], [6] On June 20, in its Telegram group, KILLNET called for support “in the destruction of Lithuania’s network infrastructure”. In the following days, the group published several screenshots of Lithuanian services in the energy, finance and transport sectors that were taken offline. European and Russian diplomats appear to be closing in on a compromise that would exempt Kaliningrad from sanctions. [7] As of June 29, the group has not issued any informational messages about Lithuanian targets and appears to have ceased its attacks. In an update at the end of June, NKSC announced that the services of the National Secure Data Transfer Network have been restored. Analysts believe that KILLNET has the capabilities to successfully conduct DDoS attacks or website takedowns and temporarily disrupt targeted activities. As seen with recent cases in Lithuania, or attacks on Poles [8] and Italian [9] organizations, the group can quickly pool its resources and perform in accordance with the goals of the Russian state. Analysts have no evidence that the group uses or develops custom tools, but likely works with off-the-shelf products.

Malware: Samurai Backdoor and Ninja Trojan Deployed in Attacks on Government and Military Organizations in Southeast Asia and Europe

According to an online article dated (insert date), security researchers from Kaspersky’s Global Research and Analysis Team (GReAT) have identified two previously unknown pieces of malware called Samurai backdoor and Trojan Ninjas. [10]

Between December 2020 and February 2021, an APT – dubbed ToddyCat – exclusively targeted Microsoft Exchange servers in Taiwan and Vietnam. Leveraging an unknown exploit, the actor deployed the China Chopper web shell. The intrusion shared by GReAT resembles a cluster of activities (dubbed Websiic) reported by ESET in March 2021. Since February 26, 2021, ToddyCat has exploited the ProxyLogon vulnerability to compromise organizations in Europe and Asia.

In both waves, the attacker deployed a previously unknown modular backdoor called Samurai. Samurai is written in C# and is heavily obfuscated to hinder reverse engineering. The backdoor acts as a listener for incoming requests from an attacker-controlled system.

In specific cases, Samurai also dropped another malware, Ninja. GReaAT believes that Ninja is “a collaborative tool allowing multiple operators to work simultaneously on the same machine”. The Trojan a host of commands to infiltrate and control remote systems and evade detection.

GReAT reports that the actor has been exploiting an unknown Microsoft Exchange server vulnerability since at least December 2020. EclecticIQ analysts speculate that the actor had exploited a 0-day vulnerability, which in March 2021 would be publicly disclosed as the ProxyLogon name.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technologies and services. Based in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the United States with decades of experience in cybersecurity and intelligence in industry and government.

We would like to hear from you. Please send us your comments by writing to us at [email protected] Where Fill the EclecticIQ Audience Interest Survey to direct our research towards your priority area.

Structured data

Find the analyst prompt and past editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery Services:

You can also download the content as eiq_json, stix1_2, stix2_1.

Please refer to our support page to find out how to access the streams.


  1. M. Barrett, “Harmony’s Horizon Bridge Hack,” Harmony, June 28, 2022. (accessed June 29, 2022).
  2. Harmony [@harmonyprotocol]“We are committing to a $1 million bounty for returning funds from the Horizon Bridge and sharing information about the exploits. Contact us at [email protected] or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac. Harmony will plead for no criminal charges when the funds are returned. », Twitter, June 26, 2022. (accessed June 29, 2022).
  3. “Intense DDoS attacks targeted several companies and institutions in Lithuania.” (accessed June 28, 2022).
  4. A. Sytas, “Kaliningrad sanctions to take effect, Lithuania said”, Reuters, June 18, 2022. Accessed: June 28, 2022. [Online]. Available:
  5. “Kaliningrad: Russia warns Lithuania of consequences of rail sanctions”, BBC News, June 21, 2022. Accessed: June 28, 2022. [Online]. Available:
  6. “Патрушев Пообещал литве Скорый ответ транспортную ‘блокаду’ калинингрской обласпортную,” блокаду ‘калинished (accessed June 28, 2022).
  7. A. Sytas and J. O’Donnell, “Exclusive: EU moves closer to compromise deal to defuse standoff with Russia over Kaliningrad,” Reuters, June 30, 2022. Accessed: June 30, 2022. [Online]. Available:
  8. “Killnet DDoS Attack Impacting PKN Orlen Refinery, Poland”, Atlas News, June 17, 2022. (accessed June 30, 2022).
  9. alessandro.brucato, “Killnet cyberattacks against Italy and NATO countries”, Sysdig, May 18, 2022. (accessed June 30, 2022).
  10. “ToddyCat: Unveiling of an Unknown APT Actor Attacking High-Level Entities in Europe and Asia.” (accessed June 28, 2022).

*** This is a syndicated blog from the Security Bloggers Network of Blog EclecticIQ authored by the EclecticIQ Threat Research Team. Read the original post at:


Comments are closed.