Lazarus Group Launders Crypto via Mixers, Deploys New Malware Targeting Developers


By: DeFi Planet, 2025/03/14 11:06

North Korean-affiliated hacking group Lazarus has continued its illicit activities, moving stolen crypto through mixers and launching new malware attacks on developers.


On March 13, blockchain security firm CertiK flagged a 400 ETH deposit valued at approximately $750,000 into the Tornado Cash mixing service. According to CertiK, the funds originated from Lazarus’ activities on the Bitcoin network.

“The fund traces to the Lazarus group’s activity on the Bitcoin network,” CertiK noted.

Lazarus has been linked to several major crypto exchange breaches, including the Bybit hack on February 21, where $1.4 billion was stolen. The group was also behind the $29 million Phemex exploit in January and has been laundering stolen assets ever since. Notably, Lazarus was responsible for some of the largest crypto hacks in history, including the $600 million Ronin bridge attack in 2022.

Data from Chainalysis reveals that in 2023, North Korea-affiliated hackers stole approximately $660.50 million across 20 incidents; in 2024, this number increased to $1.34 billion stolen across 47 incidents — a 102.88% increase in value stolen. These figures represented 61% of the total amount stolen for the year and 20% of total incidents.

Separately, cybersecurity researchers at Socket uncovered six new malicious packages deployed by Lazarus to compromise developer environments. These packages, published in the Node Package Manager (NPM) ecosystem, are designed to steal credentials, extract cryptocurrency-related data, and install backdoors.

Notably, researchers identified a malware strain called “BeaverTail,” which is delivered through typosquatting: the packages mimic legitimate JavaScript libraries with slightly altered names to deceive developers into installing them. The malware is hazardous because it targets cryptocurrency wallets, including Solana and Exodus, and harvests sensitive data from browsers such as Google Chrome, Brave, and Firefox. On macOS, it goes further, attempting to access keychain data to compromise stored credentials. While definitive attribution remains challenging, researchers emphasized that the tactics, techniques, and procedures (TTPs) closely align with Lazarus’ known operations.

 


Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
