The North Korean-affiliated Lazarus Group is again at the center of a major cryptocurrency laundering operation. On March 13, blockchain security firm CertiK flagged a suspicious deposit of 400 ETH, valued at approximately $750,000, to the Tornado Cash mixing service. The deposit was traced to the hacking collective’s activity on the Bitcoin network.
CertiK posted the alert on X, warning the crypto community:
The latest laundering effort follows a series of high-profile crypto heists. In February, the Lazarus Group was identified as the entity behind the Bybit exchange hack, which resulted in $1.4 billion in stolen crypto assets. Just weeks earlier, the group was linked to a $29 million theft from the Phemex exchange in January.
According to blockchain analytics firm Chainalysis, North Korean hackers stole over $1.3 billion in crypto assets across 47 incidents in 2024 alone—more than doubling the amount stolen in 2023. The Lazarus Group has been implicated in some of the largest crypto thefts in history, including the $600 million Ronin network hack in 2022.
New Malware Targets Developers and Crypto Wallets
Beyond laundering stolen funds, Lazarus Group has been deploying a new wave of crypto-stealing malware. Cybersecurity firm Socket reported that the hackers released six malicious packages targeting developer environments, cryptocurrency wallets, and browser-stored credentials.
The malware campaign infiltrates the npm (Node Package Manager) ecosystem, a widely used JavaScript package registry. Researchers discovered a strain named “BeaverTail,” which relies on typosquatting, a tactic in which malicious packages are given names that closely resemble legitimate libraries in order to deceive developers.
“Across these packages, Lazarus uses names that closely mimic legitimate and widely trusted libraries,” Socket researchers stated.
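One defensive check that follows from the typosquatting tactic described above, added here as an example and not code from the article or from Socket's research: scan a project's dependency list for names within a small edit distance of trusted packages. The trusted list and the sample manifest (including the lookalike names) are constructed for illustration, not taken from the campaign.

```javascript
// Added example: flag npm dependency names that look like typosquats of trusted
// packages, using Levenshtein edit distance. The trusted list and the sample
// manifest below are constructed for illustration only.

const TRUSTED = ['lodash', 'express', 'react', 'axios', 'chalk', 'commander'];

// Levenshtein distance between two strings (insert/delete/substitute cost 1),
// computed with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return suspicious entries: names that are not an exact trusted package but sit
// within `maxDistance` edits of one (scoped packages are compared by bare name).
function findTyposquats(dependencies, maxDistance = 2) {
  const hits = [];
  for (const name of Object.keys(dependencies)) {
    const bare = name.includes('/') ? name.split('/')[1] : name;
    if (TRUSTED.includes(bare)) continue;
    for (const trusted of TRUSTED) {
      const d = editDistance(bare.toLowerCase(), trusted);
      if (d <= maxDistance) {
        hits.push({ name, lookalike: trusted, distance: d });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample manifest: two legitimate dependencies, two lookalikes,
// and one unrelated name that must not be flagged.
const sampleDependencies = {
  'lodash': '^4.17.21',
  'express': '^4.19.2',
  'lodahs': '1.0.0',   // constructed lookalike (transposed letters)
  'expres': '0.0.1',   // constructed lookalike (dropped letter)
  'left-pad': '1.3.0', // unrelated name, should not be flagged
};

console.log(JSON.stringify(findTyposquats(sampleDependencies), null, 2));
```

In practice the trusted list would be the project's own approved dependencies or a registry allow-list, and a hit is a prompt to inspect the package before installing, not proof of malice.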
The malware specifically targets Solana and Exodus crypto wallets. Code snippets from the attack show that it extracts wallet data from Google Chrome, Brave, and Firefox browsers. On macOS, it attempts to steal keychain data.
Although definitive attribution remains difficult, Socket researchers noted that “the tactics, techniques, and procedures observed in this npm attack closely align with Lazarus’s known operations.”