- Lazarus Group hit an individual trader for over $5.2 million using malware wallet exploits.
- They laundered 1,000 ETH via Tornado Cash and split millions into various Ethereum wallets.
North Korea’s Lazarus Group is suspected of stealing more than $5.2 million in cryptocurrency from a single trader on May 24. The attacker used a vulnerability in the malware to drain balances from multiple wallets, including exchange wallets, externally owned accounts (EOAs), and multisignature wallets.
Blockchain analyst ZachXBT confirmed the breach via his Telegram channel after identifying three Ethereum addresses used in the heist. The incident marks a shift in Lazarus’s focus, signaling a growing trend of targeting lesser-known, independent traders rather than well-known institutions or wealthy individuals.
The group laundered about 1,000 ETH through Tornado Cash, a service commonly used to obscure the source of stolen assets. The assets were sold shortly after laundering, demonstrating how quickly the group converts stolen funds.
Lazarus-style Tactics Emerge Again
One of the Ethereum accounts associated with the attack held approximately $2.7 million in DAI, the largest share of the stolen assets. A second account, likely freshly created, made nine transactions over the weekend but transferred more than 200 ETH to a single central wallet. The third account held slightly over 40 ETH and small balances in other tokens amounting to about $1,340.
These activities resemble approaches described in a TRM Labs study. The paper outlined how Lazarus exports technical abilities with the help of networks of Russian and Chinese actors to convert the stolen crypto into usable assets. The research depicts a system in which stolen assets are sanitized and sold through decentralized networks and over-the-counter networks.
Another recent incident, monitored by SpotOnChain in April, further illustrates the group’s activities. A wallet linked to Lazarus sold 40.78 Wrapped Bitcoin (WBTC) for $3.51 million. The Bitcoin had initially been purchased in February 2023 for nearly $1 million. That amounts to a 251% profit margin over a period of two years, selling at a rate of $83,459 per coin.
Today, the Lazarus Group (North Korean hackers) sold 40.78 $WBTC ($3.51M) for a $2.51M profit (+251%)—after buying it 2 years ago.
They spent 999.9K $USDT to acquire the $WBTC at ~$24,521 in Feb 2023, and sold it for 1,857 $ETH at ~$86,170 just 12 hours ago.
The hackers then… pic.twitter.com/KYQmqnJnIC
— Spot On Chain (@spotonchain) April 3, 2025
Group Still Holds Over $1 Billion in Assets
Rather than being deposited, the converted Bitcoin gains were swapped for 1,847 ETH and then divided among three wallets. The biggest share, an amount of 1,865 ETH, went to one of the wallets. More Ethereum assets, totaling 2,507 ETH, were later dispersed across different wallets, which implies the group is still spreading out and hiding its assets.
The Lazarus Group had also previously been linked to the $1.5 billion hack of Bybit. There, nearly 500,000 ETH, estimated to be worth $1.39 billion, was laundered in less than ten days. At least $605 million flowed through the decentralized exchange THORChain in a single day.
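The hackers have finished laundering all 499,000 ETH ($1.39 billion) stolen from Bybit; the whole process took 10 days.
The price of ETH fell 23% during this process (from $2,780 to the current $2,130).
THORChain, the main channel the hackers used for laundering, also gained $5.9 billion in trading volume and $5.5 million in fee revenue from the hackers' laundering.
This post is sponsored by #Bitget|@Bitget_zh https://t.co/osoKNzFhkG pic.twitter.com/QUWuMmV6zH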
— 余烬 (@EmberCN) March 4, 2025
Evidence from Arkham Intelligence shows that Lazarus still holds about $1.1 billion in crypto assets. The holdings are distributed across Bitcoin, Ethereum, and Tether, which shows the long-term scope of the group's activities as well as the fact that it is still active in the dark crypto market.
Source: https://www.crypto-news-flash.com/lazarus-group-5-2m-in-crypto-stolen/?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-group-5-2m-in-crypto-stolen