North Korea's Lazarus Group continues crypto laundering operations, deploying new malware to target developers
Mar 13, 2025 at 03:55 pm
On Mar. 13, blockchain security firm CertiK detected a deposit of 400 Ethereum (ETH), worth around $750,000, to Tornado Cash. The transaction was traced back to Lazarus's activity on the Bitcoin (BTC) network.
North Korea's notorious Lazarus Group, known for its persistent crypto laundering operations and cyberattacks, continues to deploy new malware to steal digital assets from developers.
The group's activity was evident as early as March 13, when CertiK, a leading blockchain security firm, detected a substantial deposit of 400 Ethereum (ETH), valued at approximately $750,000, into Tornado Cash.
Further analysis revealed that the ETH deposit was part of a broader transaction on the Bitcoin (BTC) network, directly linked to Lazarus Group's operations.
This activity follows the group's involvement in the massive $1.4 billion Bybit exploit, which unfolded on February 20.
Following the heist, Lazarus Group engaged in sophisticated efforts to launder the stolen BTC, aiming to obfuscate its trail and maximize gains.
To facilitate the exchange and transfer of such large cryptocurrency amounts, the hackers utilized decentralized exchanges (DEXs), such as THORChain (RUNE), which do not require identity verification.
This strategy aligns with Lazarus Group's broader goal of evading detection by cryptocurrency exchanges, which typically require Anti-Money Laundering (AML) procedures.
Reports from Token Terminal indicate that an astounding $2.91 billion flowed through THORChain in just five days, beginning March 10.
This volume of transactions is significantly higher than usual, suggesting a concentrated effort to move and mix the stolen funds.
In another wave of cyberattacks, Lazarus Group has also deployed six new malicious software packages on the Node Package Manager (npm) platform.
npm is a critical tool used by web3 developers to manage and install JavaScript packages for their projects.
On March 11, security firm Socket published an analysis of the malware, highlighting its design to steal credentials and crypto wallet data.
The malware, which includes a package called BeaverTail, is disguised as legitimate JavaScript libraries using a common technique called typosquatting.
This method involves slightly altering the names of trusted software to deceive developers into downloading it.
The primary targets of the malware are stored credentials for Chrome, Brave, and Firefox browsers, as well as Solana and Exodus wallets.
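The typosquatting technique described above relies on names that differ from a trusted package by a single swapped, dropped or added character. The following added example (not code from the article or from any of the firms it cites) shows one defensive check a team can run over a package.json: flag dependency names within a small edit distance of a trusted list. The trusted list and the sample manifest are constructed for illustration.

```javascript
// Added example: flag dependencies whose names closely resemble trusted
// npm packages, the lookalike pattern typosquatting depends on.
// TRUSTED and SAMPLE_MANIFEST are constructed for this illustration.
const TRUSTED = ["express", "lodash", "react", "axios", "web3", "ethers"];

// Optimal string alignment distance: insert, delete, substitute, and
// swap of two adjacent characters each cost 1 ("lodahs" -> "lodash" = 1).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0))
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent swap
      }
    }
  }
  return d[a.length][b.length];
}

// Returns [{ name, lookalike, distance }] for every dependency that is not
// itself a trusted name but sits within maxDistance of one. Short trusted
// names get a tighter limit of 1 so that "web3" does not match everything.
function findTyposquats(manifest, trusted = TRUSTED, maxDistance = 2) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const bare = name.replace(/^@[^/]+\//, "").toLowerCase(); // drop @scope/
    if (trusted.includes(bare)) continue;
    for (const t of trusted) {
      const limit = t.length < 6 ? 1 : maxDistance;
      const distance = editDistance(bare, t);
      if (distance <= limit) {
        findings.push({ name, lookalike: t, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest: two names are one swap away from trusted ones.
const SAMPLE_MANIFEST = {
  dependencies: { express: "^4.19.0", lodahs: "1.0.0", ethres: "0.1.2" },
  devDependencies: { react: "^18.0.0" },
};
```

Run this in CI against the lockfile as well as package.json, since a transitive dependency can carry the lookalike name while the top-level manifest looks clean.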
The group has also been attempting to deceive crypto founders with fake Zoom calls.
Hackers are posing as venture capitalists (VCs) and sending crypto founders fake meeting links with claims of audio issues.
When victims download a supposed Zoom audio fix, malware is installed on their devices.
Security researchers have reported that several crypto founders have encountered these scams, confirming the scale of Lazarus Group's efforts.
According to Chainalysis, North Korean hackers stole over $1.3 billion in crypto across 47 attacks in 2024, more than double the amount stolen in 2023.
The majority of these funds were stolen from DeFi protocols, with smaller amounts taken from centralized exchanges and hot wallets.
As Lazarus Group continues its crypto heist and laundering operations, the broader blockchain community is urged to remain vigilant and prioritize robust security measures to mitigate the threat posed by these sophisticated hackers.