North Korea’s Lazarus Group continues its crypto laundering operations, moving illicit funds while deploying new malware to target developers and steal digital assets.
On Mar. 13, blockchain security firm CertiK detected a deposit of 400 Ethereum (ETH), worth around $750,000, to Tornado Cash. The transaction was traced back to Lazarus’s activity on the Bitcoin (BTC) network. The group has been linked to multiple high-profile hacks, including the $1.4 billion Bybit exploit in February.
We have detected deposit of 400 ETH in https://t.co/0lwPdz0OWi on Ethereum from:
0xdB31a812261d599A3fAe74Ac44b1A2d4e5d00901
0xB23D61CeE73b455536EF8F8f8A5BadDf8D5af848.The fund traces to the Lazarus group's activity on the Bitcoin network.
Stay Vigilant! pic.twitter.com/IHwFwt5uQs
— CertiK Alert (@CertiKAlert) March 13, 2025
Following the hack, the group concealed the stolen funds using a variety of techniques. To exchange and transfer large amounts of cryptocurrency, they used decentralized exchanges like THORChain (RUNE), which do not require identity checks.
Reports show that in just five days, around $2.91 billion was moved through ThorChain, making it much harder to track and recover the money.
In another wave of cyber attacks, Lazarus Group has also launched six new malicious software packages on the Node Package Manager platform, a tool used by developers to manage and install JavaScript packages for their projects. On Mar. 11, security firm Socket published a report on the malware, which is designed to steal credentials and crypto wallet data.
The malware, including a package called BeaverTail, disguises itself as legitimate JavaScript libraries using typosquatting, where attackers slightly alter the names of trusted software to trick developers into downloading it. It primarily targets stored credentials in Chrome, Brave, and Firefox browsers, as well as Solana and Exodus wallets.
Additionally, the group has been trying to trick crypto founders by using fake Zoom calls. Hackers pose as venture capitalists and send fake meeting links, claiming audio issues. When victims download a supposed fix, malware is installed. Security researchers have reported that several crypto founders have encountered these scams.
According to Chainalysis, North Korean hackers stole over $1.3 billion in crypto across 47 attacks in 2024, more than double the amount stolen in 2023.
