Crypto investigators are raising alarms after $3.2 million was drained from multiple Solana wallets on May 16, 2025. The stolen assets were quickly sold on-chain and bridged to Ethereum, and some of them were laundered through Tornado Cash.
On May 16, the victim's Solana address was emptied of its tokens. The assets were then converted to Ethereum through a bridge before a portion of the bridged funds was deposited into Tornado Cash.
Blockchain researcher ZachXBT publicly flagged the exploit, pointing out similarities to previous Lazarus activities.
Hackers have buried the stolen funds
The blockchain detective first raised the alarm after observing a large transfer from the Solana address "C4wy…e525."
Linked to the infamous Lazarus Group, these transactions involved moving stolen tokens through the bridge and converting them to Ethereum. ZachXBT flagged the attack by monitoring the bridge's activity and tracking the funds, which ultimately ended up in a network of Ethereum wallets.
On June 25 and June 27, 400 ETH was sent to Tornado Cash each day, in two separate deposits. The deposits, 800 ETH in total worth around $1.6 million, are consistent with the Lazarus Group's well-documented laundering tactics.
After high-profile hacks such as Bybit, where $1.5 billion was stolen in February 2025, and Harmony's Horizon Bridge, where $100 million was stolen in 2022, Lazarus repeatedly used Tornado Cash, decentralized exchanges and cross-chain bridges to obscure the transaction trail.
Approximately $1.25 million, held in a combination of DAI and ETH, still sits on Ethereum in a wallet address identified as "0xA5…D528." Analysts speculate that these funds are being parked for future laundering or are intentionally left dormant to reduce the risk of detection.
Lazarus Group has been active since 2017
The Lazarus Group has gained a reputation as one of the most prolific state-linked cybercriminal organizations, and sanctions designations related to North Korea describe it as a sophisticated, persistent threat linked to Pyongyang's elite military intelligence units. Since 2017, the group has stolen billions of dollars in crypto.
Their operations often start with a major phishing or malware-based intrusion targeting personnel, and they also take advantage of flaws in smart contracts and wallet vulnerabilities. Once funds are obtained, they are rapidly converted into liquid assets, split across multiple wallets, and laundered across chains using mixers such as Tornado Cash and services that provide instant swaps without know-your-customer (KYC) requirements.
Tornado Cash is central to Lazarus' laundering strategy. Although US sanctions were imposed in 2022, decentralized hosting and immutability allowed the service to avoid a permanent shutdown. In January 2025, the US Court of Appeals overturned these sanctions by citing free speech considerations, despite increasing evidence linking Lazarus to continued use of the mixer.
Exchanges working with regulators may take steps to mark flagged addresses as suspicious. However, the speed and complexity of Lazarus' laundering pipeline keep the mixing service effective enough to hide the movement of stolen funds.