According to blockchain investigator ZachXBT, the North Korean Lazarus Group is linked to a cyber attack that stole over $5.2 million on May 24th. The theft was carried out through sophisticated malware attacks, in which funds were drained from several wallet types, including multisigs, externally owned accounts (EOAs), and exchange wallets.
The incident, revealed in ZachXBT's Telegram channel on Tuesday, hints that the group could be shifting its focus from wealthy individuals and businesses to everyday individual traders.
After the theft, around 1,000 ETH was sent into Tornado Cash, a crypto mixing service commonly used to obscure the origins of stolen digital assets. The stolen assets were quickly liquidated on the open market.
Tracked addresses, Tornado Cash used to launder funds
ZachXBT's channel lists three Ethereum addresses tied to the theft. The main address holds over 40 ETH, worth around $107,000 at current market value, in addition to minor token balances in QBX, Blocklords, Astra Protocol and DAI totaling around $1,340. These funds are considered to be part of the proceeds of the malware attacks.
Last weekend, nine transactions were processed using the second address, which appeared to be new. Over 200 ETH has been sent to the main address. Finally, at the time of this publication, the other crypto addresses held approximately $2.7 million in DAI. This was the majority of the funds that were stolen.
This behavioral pattern is consistent with that found in a recent study by TRM Labs. TRM Labs details the global web of Russian criminal organizations and Chinese commercial brokers used by North Korea to launder its illicit proceeds.
The report claims that Lazarus provides the technical expertise, while its partners provide a channel for integrating stolen funds into the legitimate market.
Money laundering will continue in the second quarter of 2025
In April, blockchain analytics firm Spot On Chain reported that a wallet thought to be linked to Lazarus had offloaded 40.78 wrapped Bitcoin (WBTC) for $3.51 million. The Bitcoin, originally purchased for around $999,900 when WBTC traded at $24,521 in February 2023, was sold at $83,459 per coin for a profit of 251% over two years.
Today, the Lazarus Group (North Korean hackers) sold 40.78 $WBTC ($3.51 million) for a profit of $2.51 million (+251%) after purchasing it two years ago.
They spent 999.9K $USDT to buy it at $24,521 in February 2023 and sold for 1,857 $ETH at $86,170 just 12 hours ago.
Hackers…
– Spot On Chain (@spotonchain), April 3, 2025
The proceeds were converted to 1,847 ETH, which was later split across three wallets. The largest tranche of 1,865 ETH was tracked to another wallet reportedly run by the group. Instead of keeping the converted ETH, Lazarus distributed 2,507 ETH across multiple addresses.
The DPRK-linked hackers were also connected to the infamous $1.5 billion hack of crypto exchange Bybit. In the aftermath of the breach, the group allegedly laundered nearly 500,000 ETH, worth around $13.9 billion, across multiple transactions within just 10 days.
The hackers have laundered all 499,000 ETH ($13.9 billion) stolen from Bybit, and the entire process took 10 days.
ETH prices fell 23% in the process (from $2,780 to $2,130 currently).
THORChain, the main channel the hackers used for money laundering, gained $5.9 billion in trading volume and $5.5 million in handling fee revenue from the hackers' laundering.
– Embers (@embercn) March 4, 2025
At least $655 million was funneled through the decentralized liquidity protocol THORChain in one day. However, blockchain intelligence platform Arkham Intelligence estimates that the wallet tied to Lazarus still holds around $1.1 billion in crypto reserves.
Cybercrime funding nuclear ambitions
United Nations investigators overseeing sanctions compliance believe that revenue from these cyberattacks is being poured into North Korea's arms development programme. Between 2017 and 2023, the country used crypto-based revenue streams to improve its missile technology and increase its ability to hit targets well beyond the Korean Peninsula.
A Chainalysis report published last December confirmed that hackers associated with the regime stole over $1.3 billion in cryptocurrency in 47 cases in 2024.
“Hackers linked to North Korea have become famous for their sophisticated and merciless products,” Chainalysis Insight said, adding that these efforts are being used to evade international sanctions and fund the state's illegal operations.