North Korea's Lazarus Group Caught Laundering $1.95 Million in Stolen Ethereum via Tornado Cash 🚨

The notorious North Korean hacking syndicate, the Lazarus Group, has once again been caught using the controversial crypto mixer Tornado Cash to launder its illicit gains. Esteemed blockchain investigator ZachXBT has identified the group moving $1.95 million worth of stolen Ethereum (ETH) in a clear attempt to cover its tracks.

How the Heist and Laundering Operation Unfolded

According to a detailed analysis by ZachXBT, the funds originate from a crypto theft that occurred on May 16, 2025. In that attack, a single victim lost a staggering $3.2 million from multiple Solana addresses. The hackers acted swiftly, selling the stolen assets on the open market and then bridging the funds over to the Ethereum blockchain.

Once on Ethereum, they began the laundering process. The group deposited a total of 800 ETH into Tornado Cash through two separate transactions:

• 400 ETH (approx. $975,000) was deposited on June 25.
• An additional 400 ETH (approx. $975,000) followed on June 27.

ZachXBT also noted that approximately $1.25 million in DAI and Ethereum remains untouched in the hackers' holding address, identified as "0xa5f". The original Solana address where the theft occurred is "C4WY1.”

A Persistent Threat with a Clear Motive

The Lazarus Group is far from an ordinary cybercriminal organization. It is a state-sponsored hacking collective operating on behalf of the North Korean regime, tasked with conducting large-scale cyberattacks to generate revenue and fund the country's sanctioned weapons programs. The group has been implicated in the theft of billions of dollars in cryptocurrency since 2018 through sophisticated exchange hacks, ransomware attacks, and phishing schemes, earning them heavy U.S. Treasury sanctions.

The hackers’ tool of choice in this operation, Tornado Cash, has become infamous for its role in high-profile money laundering cases. This activity comes despite intense international scrutiny of the platform. The U.S. Treasury Department officially sanctioned Tornado Cash in 2022, effectively banning American citizens and entities from using it, citing its extensive use by illicit actors like the Lazarus Group in laundering proceeds from major hacks, including the colossal $625 million Ronin Bridge attack. The ongoing legal battles involving the mixer's developers further underscore the global crackdown on privacy tools that can be exploited for illicit finance.

Authorities and on-chain investigators like ZachXBT will undoubtedly keep a close watch on the remaining $1.25 million. However, the use of Tornado Cash significantly complicates these efforts. The Ethereum-based tool is designed to break the on-chain link between the source and destination of funds, deliberately obscuring transaction trails and making them incredibly difficult to follow.

This incident serves as another stark reminder of the persistent security threats within the digital asset space and the advanced cross-chain tactics employed by groups like Lazarus.