North Korea’s Lazarus group begins hacking individual investors, trader loses $5.2M+ in crypto

In this post:

  • North Korea’s Lazarus Group steals over $5.2M from a crypto trader using malware and laundering funds via Tornado Cash.
  • Group linked to $1.5B Bybit hack and $3.5M WBTC sale, with assets dispersed across multiple wallets.
  • Blockchain reports show Lazarus Group laundered $1.39B in ETH and still holds $1.1B in crypto for state-backed operations.

North Korea’s Lazarus Group has been linked to a cyberattack that stole more than $5.2 million from a crypto trader on May 24, according to blockchain investigator ZachXBT. The theft occurred through a sophisticated malware attack, with funds siphoned from several wallet types including multisig, externally owned accounts (EOAs), and exchange wallets.

The incident, revealed on ZachXBT’s Telegram channel on Tuesday, suggests that the group could be shifting its focus from high-net-worth individuals and companies to individual intraday traders.

After the heist, approximately 1,000 ETH was funneled into Tornado Cash, a crypto-mixing service commonly used to obscure the origin of stolen digital assets. The stolen assets were then promptly liquidated on the open market.

Addresses traced, Tornado Cash used to launder funds

ZachXBT’s channel listed three Ethereum addresses tied to the heist. Along with minor token balances of QBX, Blocklords, Astra Protocol, and DAI totaling around $1,340, the principal address had more than 40 ETH, which is around $107,000 at current market values. It is thought that these funds were part of the malware attack’s profits.

Last weekend, just nine transactions were processed using the second address, which seemed to be new. It sent more than 200 ETH to the main address. Finally, as of this publication, the other crypto address held around $2.7 million DAI, which was the majority of the stolen funds.

This pattern of conduct is consistent with what was found in a recent study by TRM Labs, which details the worldwide web of Russian criminal organizations and Chinese over-the-counter brokers that North Korea uses to launder its illegal profits.

The report alleges that Lazarus supplies the technical expertise, but their partners provide the channels to integrate stolen funds into markets legitimately.

Money laundering continues in Q2 2025 

In April, blockchain analytics firm SpotOnChain reported that a wallet believed to be associated with Lazarus offloaded 40.78 Wrapped Bitcoin (WBTC) for $3.51 million. The Bitcoin, originally purchased in February 2023 for about $999,900 when WBTC traded at $24,521, was sold at $83,459 per coin for a profit of 251% over two years. 

The proceeds were converted into 1,847 ETH and later split among three wallets. The largest tranche of 1,865 ETH was traced to another wallet reportedly operated by the group. Instead of holding the converted ETH, Lazarus distributed 2,507 ETH across multiple addresses.

DPRK-linked hackers were also connected to the infamous $1.5 billion hack on the Bybit crypto exchange. In the aftermath of the breach, the group allegedly laundered nearly 500,000 ETH, equivalent to about $1.39 billion, across multiple transactions within just ten days. 

At least $605 million was funneled through the decentralized liquidity protocol THORChain in a single day. Yet, blockchain intelligence platform Arkham Intelligence estimates that wallets tied to Lazarus still hold approximately $1.1 billion in crypto reserves, including significant holdings in Bitcoin, Ethereum, and Tether.

Cybercrime funding nuclear ambitions

United Nations investigators monitoring sanctions compliance believe that the proceeds from these cyberattacks are being funneled into North Korea’s weapons development programs. Between 2017 and 2023, the country reportedly used crypto-based revenue streams to improve its missile technology, increasing its capacity to strike targets far beyond the Korean peninsula.

In a report published last December, Chainalysis confirmed that hackers connected to the regime stole over $1.3 billion in cryptocurrency in 2024 across 47 incidents.

“Hackers linked to North Korea have become notorious for their sophisticated and relentless tradecraft,” the Chainalysis insight said, noting that these efforts are used to bypass international sanctions and fund the state’s illicit operations.
