North Korea's Lazarus Group Caught Laundering $1.95 Million in Stolen Ethereum via Tornado Cash 🚨
The notorious North Korean hacking syndicate, the Lazarus Group, has once again been caught using the controversial crypto mixer Tornado Cash to launder its illicit gains. Esteemed blockchain investigator ZachXBT has identified the group moving $1.95 million worth of stolen Ethereum (ETH) in a clear attempt to cover its tracks.
How the Heist and Laundering Operation Unfolded
According to a detailed analysis by ZachXBT, the funds originate from a crypto theft that occurred on May 16, 2025. In that attack, a single victim lost a staggering $3.2 million from multiple Solana addresses. The hackers acted swiftly, selling the stolen assets on the open market and then bridging the funds over to the Ethereum blockchain.

Once on Ethereum, they began the laundering process. The group deposited a total of 800 ETH into Tornado Cash through two separate transactions:

- 400 ETH (approx. $975,000) was deposited on June 25.
- An additional 400 ETH (approx. $975,000) followed on June 27.

ZachXBT also noted that approximately $1.25 million in DAI and Ethereum remains untouched in the hackers' holding address, identified as "0xa5f". The original Solana address where the theft occurred is "C4WY1".
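The laundering chain described above (theft on one chain, bridge to another, fixed-size deposits into a watchlisted mixer, a residual balance left in a holding address) is the pattern on-chain investigators look for. The following Python sketch is an added illustration, not part of ZachXBT's analysis or this article: it forward-traces taint from a victim address across a bridge hop and alerts on deposits into a mixer on a watchlist. Every address, transaction id, bridge pairing and amount in it is a constructed placeholder, not the real values from the incident.

```python
"""Constructed taint-tracing demo. Addresses, tx ids, bridge links and amounts
are invented placeholders (NOT the real on-chain data from the incident)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    chain: str
    tx: str
    src: str
    dst: str
    asset: str
    amount: float


# Constructed watchlist entries (placeholders, not real addresses).
WATCHLISTED_MIXER = "0xMIXER_PLACEHOLDER"
VICTIM_SEED = "SOL_VICTIM_PLACEHOLDER"

# Constructed ledger: theft on Solana, swap, bridge, then two equal mixer deposits.
TRANSFERS = [
    Transfer("solana", "sol-tx-1", "SOL_VICTIM_PLACEHOLDER", "SOL_ATTACKER_PLACEHOLDER", "SOL", 20000),
    Transfer("solana", "sol-tx-2", "SOL_ATTACKER_PLACEHOLDER", "BRIDGE_SOL_SIDE_PLACEHOLDER", "USDC", 3200000),
    Transfer("ethereum", "eth-tx-1", "BRIDGE_ETH_SIDE_PLACEHOLDER", "0xHOLDING_PLACEHOLDER", "ETH", 1300),
    Transfer("ethereum", "eth-tx-2", "0xHOLDING_PLACEHOLDER", WATCHLISTED_MIXER, "ETH", 400),
    Transfer("ethereum", "eth-tx-3", "0xHOLDING_PLACEHOLDER", WATCHLISTED_MIXER, "ETH", 400),
    # Unrelated depositor: must NOT be attributed to the theft.
    Transfer("ethereum", "eth-tx-9", "0xUNRELATED_PLACEHOLDER", WATCHLISTED_MIXER, "ETH", 10),
]

# Constructed bridge pairing: deposit address on the source chain -> release
# address on the destination chain. Real bridges need per-bridge event parsing.
BRIDGE_LINKS = {"BRIDGE_SOL_SIDE_PLACEHOLDER": "BRIDGE_ETH_SIDE_PLACEHOLDER"}


def trace_taint(transfers, seed, bridge_links):
    """Breadth-first forward trace from `seed`; every address that receives funds
    (directly or via a known bridge hop) from a tainted address becomes tainted."""
    outgoing = {}
    for t in transfers:
        outgoing.setdefault(t.src, []).append(t)
    tainted = {seed}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        for t in outgoing.get(addr, []):
            successors = [t.dst]
            if t.dst in bridge_links:  # funds re-emerge on the other chain
                successors.append(bridge_links[t.dst])
            for nxt in successors:
                if nxt not in tainted:
                    tainted.add(nxt)
                    queue.append(nxt)
    return tainted


def tainted_mixer_deposits(transfers, tainted, mixer):
    """Transfers into `mixer` whose sender is tainted, plus their total amount."""
    hits = [t for t in transfers if t.dst == mixer and t.src in tainted]
    return hits, sum(t.amount for t in hits)


def unspent_balance(transfers, addr, asset):
    """Naive inflow minus outflow for one asset: what is still sitting in `addr`."""
    inflow = sum(t.amount for t in transfers if t.dst == addr and t.asset == asset)
    outflow = sum(t.amount for t in transfers if t.src == addr and t.asset == asset)
    return inflow - outflow


def alert_report(transfers=TRANSFERS, seed=VICTIM_SEED, mixer=WATCHLISTED_MIXER):
    """Produce the alert an analyst would act on: which deposits, how much, what remains."""
    tainted = trace_taint(transfers, seed, BRIDGE_LINKS)
    hits, total = tainted_mixer_deposits(transfers, tainted, mixer)
    holding = {t.src for t in hits}
    residual = {h: unspent_balance(transfers, h, "ETH") for h in holding}
    return {"tainted": tainted, "mixer_txs": [t.tx for t in hits],
            "mixer_total": total, "residual_eth": residual}


if __name__ == "__main__":
    report = alert_report()
    for tx in report["mixer_txs"]:
        print(f"ALERT: tainted deposit into watchlisted mixer in {tx}")
    print(f"total deposited: {report['mixer_total']} ETH; residual: {report['residual_eth']}")
```

The trace stops being useful at the mixer itself, which is exactly the point the article makes: once the deposits enter the pool, withdrawals cannot be linked back by following transfers alone, so the value of this kind of tooling is in alerting on the deposit and on the residual balance before it moves.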
A Persistent Threat with a Clear Motive
The Lazarus Group is far from an ordinary cybercriminal organization. It is a state-sponsored hacking collective operating on behalf of the North Korean regime, tasked with conducting large-scale cyberattacks to generate revenue and fund the country's sanctioned weapons programs. The group has been implicated in the theft of billions of dollars in cryptocurrency since 2018 through sophisticated exchange hacks, ransomware attacks, and phishing schemes, earning it heavy U.S. Treasury sanctions.
The hackers' tool of choice in this operation, Tornado Cash, has become infamous for its role in high-profile money laundering cases. This activity comes despite intense international scrutiny of the platform. The U.S. Treasury Department officially sanctioned Tornado Cash in 2022, effectively banning American citizens and entities from using it, citing its extensive use by illicit actors like the Lazarus Group in laundering proceeds from major hacks, including the colossal $625 million Ronin Bridge attack. The ongoing legal battles involving the mixer's developers further underscore the global crackdown on privacy tools that can be exploited for illicit finance.
Authorities and on-chain investigators like ZachXBT will undoubtedly keep a close watch on the remaining $1.25 million. However, the use of Tornado Cash significantly complicates these efforts. The Ethereum-based tool is designed to break the on-chain link between the source and destination of funds, deliberately obscuring transaction trails and making them incredibly difficult to follow.
This incident serves as another stark reminder of the persistent security threats within the digital asset space and the advanced cross-chain tactics employed by groups like Lazarus.