The Lazarus Group Exploits Tornado Cash to Launder Stolen Crypto

The Lazarus Group, a hacking collective affiliated with North Korea, continues its illegal activities by exploiting crypto.

A transaction of 400 ETH, roughly 750,000 dollars, was spotted heading towards Tornado Cash from an address identified by security firm CertiK as belonging to Lazarus Group, a North Korean hacking collective.

Known for exploiting crypto and pivoting towards software developers, the group is no stranger to illicit activities in the crypto sphere.

Earlier this year, the group was seen attempting to steal 1.4 billion dollars from Bybit and later 29 million dollars from Phemex. However, both attempts were thwarted by the swift response of the exchange’s security teams.

The fact that a transaction of this size is still being detected several months later highlights the difficulties faced by authorities in tracing and recovering stolen crypto funds.

In five days, nearly 2.91 billion dollars is estimated to have flowed through this decentralized protocol, rendering any recovery attempt extremely complicated.

For several years, Lazarus has relied on various methods to evade authorities, such as exploiting mixers like Tornado Cash. These services, although legitimate for preserving the confidentiality of crypto transactions, are often diverted for criminal purposes.

Earlier this year, the U.S. Treasury sanctioned Tornado Cash for its role in laundering at least 7 billion dollars in digital assets, a move that signaled increased efforts to crack down on illicit financial activities within the crypto space.

However, despite these efforts, hackers continue to find new ways to exploit vulnerabilities and steal crypto.

Recently, six new malwares created by Lazarus have been spotted on the Node Package Manager (NPM) platform, an essential service for managing JavaScript libraries used by web3 developers.

Among them is the malicious software BeaverTail, which mimics popular libraries by slightly altering their names, a technique known as typosquatting. This allows hackers to deceive developers into installing malware instead of the intended library.

These malwares grant hackers access to sensitive data such as credentials stored in Chrome, Brave, and Firefox browsers, as well as Solana and Exodus wallets.

Moreover, several crypto entrepreneurs have been targeted by fake Zoom invitations, where hackers pose as crypto investors and trick their victims into downloading infected files.

According to Chainalysis, North Korean hackers have stolen 1.3 billion dollars in 2024, more than double that of the previous year. This increase highlights a persistent threat to the security of crypto assets.

The use of Tornado Cash and THORChain thus underscores the difficulties faced by authorities in tracing and blocking these funds. In the face of these repeated attacks, crypto developers and companies must strengthen their security measures to limit their exposure to cybercriminals.