TLDR
- Lazarus Group transferred 400 ETH ($750,000) to Tornado Cash mixer on March 13, 2025
- The North Korean hacking collective was behind the $1.4 billion Bybit exchange hack in February 2025
- Researchers discovered six new malicious packages including “BeaverTail” targeting developers through NPM
- The malware specifically targets cryptocurrency wallets including Solana and Exodus
- North Korean hackers stole over $1.3 billion in crypto across 47 attacks in 2024, double the amount stolen in 2023
The North Korean-affiliated Lazarus Group has moved 400 ETH worth about $750,000 to the Tornado Cash mixing service while deploying new malware targeting crypto developers, according to recent reports.
Blockchain security firm CertiK detected the transfer on March 13. The company reported that the funds were traced back to the hacking group’s activity on the Bitcoin network.

The Lazarus Group has been linked to several major crypto hacks in recent months. They were responsible for the massive Bybit exchange hack that resulted in the theft of $1.4 billion worth of crypto assets on February 21.
The group was also connected to the $29 million Phemex exchange hack in January. They have been laundering assets from these attacks in the weeks following the breaches.
To hide their tracks, the hackers have employed various techniques. They used decentralized exchanges like THORChain, which don’t require identity verification.
$2.91 billion was moved through THORChain
Reports indicate that in just five days, approximately $2.91 billion was moved through THORChain. This makes it much harder for authorities to track and recover the stolen funds.
Beyond moving stolen assets, the group has expanded its malware operations. Cybersecurity firm Socket discovered six new malicious packages deployed by Lazarus Group to infiltrate developer environments.
The malware targets the Node Package Manager (NPM) ecosystem. This is a large collection of JavaScript packages and libraries used by developers worldwide.
Researchers identified a malware strain called “BeaverTail” embedded in these packages. The hackers use typosquatting tactics to deceive developers into downloading malicious code.
Typosquatting involves creating package names that closely mimic legitimate and widely trusted libraries. This tricks developers into installing the wrong package by mistake.
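One defensive countermeasure to the typosquatting described above is to compare every dependency name against an allowlist of packages a team actually intends to use, and flag names that are close but not identical. The example below is added here and is not code from the article or from any named security firm; the trusted names and dependency names in it are constructed for illustration (the article does not name the malicious packages). It normalises names (lower-case, separators removed, digit lookalikes mapped, npm scope dropped) and then applies an edit distance that counts adjacent-letter swaps as one edit, so "chian-utils" versus "chain-utils" is caught as well as a dropped letter:

```python
"""Dependency-name typosquat check (added example, not from the article).

Flags dependency names that closely resemble a trusted package name
without matching it exactly. TRUSTED and DEPS are constructed sample
values for the example, not the packages referred to in the article.
"""
from __future__ import annotations

import re

# Characters commonly swapped for look-alikes in squatted names.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
SEPARATORS = re.compile(r"[-_.]")


def normalize(name: str) -> str:
    """Reduce a package name to a comparison form.

    Lower-cases, drops an npm scope prefix ("@scope/pkg" -> "pkg") so that
    scope confusion is caught, removes separators, and maps digit look-alikes.
    """
    name = name.lower()
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    name = SEPARATORS.sub("", name)
    return name.translate(LOOKALIKES)


def levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    and transposition of two adjacent characters each cost 1."""
    prev2: list[int] = []              # row i-2 of the DP table
    prev = list(range(len(b) + 1))     # row i-1
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)       # row i
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition: a[i-2]a[i-1] == b[j-1]b[j-2]
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def typosquat_candidates(deps: list[str], trusted: list[str],
                         max_distance: int = 1) -> dict[str, list[str]]:
    """Return {dependency: [trusted names it resembles]}.

    Exact members of the trusted list are skipped; everything else is
    compared in normalised form, and flagged when it collides with a
    trusted name or sits within `max_distance` edits of one.
    """
    trusted_set = set(trusted)
    norm_trusted = {t: normalize(t) for t in trusted}
    hits: dict[str, list[str]] = {}
    for dep in deps:
        if dep in trusted_set:
            continue
        nd = normalize(dep)
        matches = [t for t, nt in norm_trusted.items()
                   if nt == nd or levenshtein(nd, nt) <= max_distance]
        if matches:
            hits[dep] = matches
    return hits


# Constructed sample allowlist and a constructed dependency list.
TRUSTED = ["walletkit", "chain-utils", "@acme/signer"]
DEPS = ["walletkit", "wa11etkit", "chainutils", "chian-utils", "signer", "leftpad"]


def scan_example() -> dict[str, list[str]]:
    """Run the check over the constructed sample data."""
    return typosquat_candidates(DEPS, TRUSTED)


if __name__ == "__main__":
    for dep, like in scan_example().items():
        print(f"REVIEW {dep!r}: resembles {like}")
```

In practice the dependency list would come from a lockfile or `package.json` and the allowlist from an internal registry or a reviewed manifest; a hit is a prompt for human review before install, not proof of malice, since legitimate forks and renamed packages also land within one edit of their originals.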
The malicious software specifically targets cryptocurrency wallets. It focuses on Solana and Exodus wallets, extracting sensitive wallet data from users’ computers.
The attack also targets files in Google Chrome, Brave, and Firefox browsers. It looks for credential information stored in these applications and extracts it for the hackers.
On macOS systems, the malware targets keychain data. This puts developers who might unknowingly install the packages at high risk of cryptocurrency theft.
Hackers pose as venture capitalists
The group has also been attempting to trick crypto founders through fake Zoom calls. Hackers pose as venture capitalists and send fake meeting links with supposed audio issues.
When victims download what they believe is a fix for the audio problem, malware is installed instead. Security researchers have reported multiple crypto founders encountering these scams.
According to data from Chainalysis, North Korean hackers stole over $1.3 billion worth of crypto assets across 47 incidents in 2024. This more than doubles the amount they stole in 2023.
The Lazarus Group’s ongoing operations highlight the persistent threat faced by the cryptocurrency industry. Both exchanges and individual developers continue to be targeted by these state-sponsored attackers.