North Korea’s notorious hacking collective, the Lazarus Group, has continued its illicit cryptocurrency operations, laundering stolen assets while deploying sophisticated malware targeting developers. Recent reports highlight their latest activities, including a major transfer of funds and the introduction of new malicious software.

Lazarus Moves Stolen Funds Through Tornado Cash

On March 13, blockchain security firm CertiK detected a deposit of 400 ETH (worth approximately $750,000) into the Tornado Cash mixing service. This transaction was linked to Lazarus’s past exploits on the Bitcoin network, reinforcing their ongoing strategy of obfuscating stolen funds through crypto mixers.

Lazarus Group has been behind some of the largest crypto heists in history, including the $1.4 billion Bybit exchange hack in February 2024 and the $29 million Phemex exchange hack in January. These funds are being laundered through decentralized exchanges like THORChain, which do not require identity verification, making recovery efforts significantly harder. Reports indicate that in just five days, Lazarus-linked transactions on THORChain amounted to $2.91 billion.

The group’s cybercrime activities have escalated over time, with $1.3 billion stolen across 47 separate attacks in 2024, according to Chainalysis. This figure more than doubles the amount stolen in 2023, highlighting the growing threat posed by state-sponsored cybercriminals.

New Malware Targets Developers and Crypto Wallets

Alongside its laundering activities, Lazarus has been launching new attacks on software developers. Security firm Socket recently uncovered six new malicious software packages uploaded to the Node Package Manager (NPM), a widely used repository for JavaScript libraries.

One of the identified malware strains, BeaverTail, employs typosquatting tactics, mimicking the names of legitimate software packages to deceive developers into downloading them. Once installed, the malware infiltrates developer environments, stealing login credentials, cryptocurrency wallet data, and API keys.

This malware primarily targets:

  • Web browsers: Google Chrome, Brave, and Firefox
  • macOS keychain data
  • Crypto wallets: Solana and Exodus

The tactics observed in this attack align with previous Lazarus Group operations, though direct attribution remains challenging.

In addition to technical exploits, Lazarus has expanded its phishing efforts by impersonating venture capital firms and crypto investors. Hackers have been tricking crypto project founders through fake Zoom calls, sending fraudulent meeting links and claiming there are audio issues. Victims are then instructed to download a supposed fix, which installs malware on their systems, granting Lazarus access to sensitive data.

Security Recommendations

With North Korean-backed cyberattacks increasing, crypto developers, exchanges, and investors must stay vigilant. Security firms recommend the following measures to mitigate risks:

  • Avoid downloading unverified software packages from NPM and other repositories.
  • Regularly audit dependencies for any suspicious activity.
  • Use hardware wallets and multi-signature authentication to protect crypto assets.
  • Verify Zoom links and emails before engaging in sensitive online meetings.
  • Monitor on-chain transactions for signs of illicit activity linked to known bad actors.
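One way to act on the dependency-audit advice above, as an added example that is not the article's or Socket's code: a small Node.js script that checks installed package manifests for the two warning signs this story describes, names that are lookalikes of popular packages (typosquatting) and lifecycle install hooks that run code at `npm install` time. The popular-package list and the sample manifests are constructed for the example.

```javascript
// Added example (not the article's or Socket's code): audit installed package
// manifests for two warning signs of malicious npm packages: names that are
// lookalikes of popular packages (typosquatting) and lifecycle install hooks,
// which run arbitrary code during `npm install`. POPULAR and SAMPLE_MANIFESTS
// are constructed; in practice manifests come from node_modules/*/package.json.

const POPULAR = ['express', 'lodash', 'axios', 'react', 'chalk', 'commander'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Levenshtein edit distance, standard dynamic-programming formulation.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Popular packages within two edits of `name` (exact matches are not flagged).
function typosquatCandidates(name, popular = POPULAR) {
  const n = name.startsWith('@') ? name.slice(name.indexOf('/') + 1) : name; // strip scope
  return popular.filter(p => p !== n && editDistance(n, p) <= 2);
}

// Return findings ({ name, reason }) for the given manifests.
function auditManifests(manifests, popular = POPULAR) {
  const findings = [];
  for (const m of manifests) {
    for (const p of typosquatCandidates(m.name, popular)) findings.push({ name: m.name, reason: `name resembles popular package "${p}"` });
    const hooks = INSTALL_HOOKS.filter(h => m.scripts && m.scripts[h]);
    for (const h of hooks) findings.push({ name: m.name, reason: `declares ${h} hook: ${m.scripts[h]}` });
  }
  return findings;
}

// Constructed sample: one lookalike with a postinstall hook, two benign packages.
const SAMPLE_MANIFESTS = [
  { name: 'expres', version: '1.0.0', scripts: { postinstall: 'node setup.js' } },
  { name: 'lodash', version: '4.17.21' },
  { name: 'my-app-utils', version: '0.1.0' },
];

for (const f of auditManifests(SAMPLE_MANIFESTS)) console.log(`${f.name}: ${f.reason}`);
```

A hit is a prompt to inspect the package (publisher, download history, what the hook script actually does), not proof of malice, since legitimate packages also use install hooks.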

Lazarus Group remains one of the most aggressive state-backed cybercrime syndicates, continuously evolving its methods to steal and launder digital assets. As blockchain security firms track their movements, staying informed and implementing robust security measures is essential for safeguarding the crypto ecosystem.
