Lazarus Group sends 400 ETH to Tornado Cash, deploys new malware
North Korean-affiliated hacking collective the Lazarus Group has been moving crypto assets using mixers following a string of high-profile hacks. On March 13, blockchain security firm CertiK alerted its X followers that...
Archive context
Older archive item. Useful for background and entity history, but not a fresh market-moving signal.
North Korean-affiliated hacking collective the Lazarus Group has been moving crypto assets using mixers following a string of high-profile hacks.
On March 13, blockchain security firm CertiK alerted its X followers that it had detected a deposit of 400 ETH (ETH) worth around $750,000 to the Tornado Cash mixing service.
“The fund traces to the Lazarus group’s activity on the Bitcoin network,” it noted.
The North Korean hacking group was responsible for the massive Bybit exchange hack that resulted in the theft of $1.4 billion worth of crypto assets on Feb. 21.
It has also been linked to the $29 million Phemex exchange hack in January and has been laundering assets ever since.
Lazarus Group crypto asset movements. Source: Certik
Lazarus has also been linked to some of the most notorious crypto hacking incidents, including the $600 million Ronin network hack in 2022.
North Korean hackers stole over $1.3 billion worth of crypto assets in 47 incidents in 2024, more than doubling thefts in 2023, according to Chainalysis data.
New Lazarus malware detectedAccording to researchers at cybersecurity firm Socket, Lazarus Group has deployed six new malicious packages to infiltrate developer environments, steal credentials, extract cryptocurrency data and install backdoors.
It has targeted the Node Package Manager (NPM) ecosystem, which is a large collection of JavaScript packages and libraries.
Researchers discovered malware called “BeaverTail” embedded in packages that mimic legitimate libraries using typosquatting tactics or methods used to deceive developers.
“Across these packages, Lazarus uses names that closely mimic legitimate and widely trusted libraries,” they added.
Related: Inside the Lazarus Group money laundering strategy
The malware also targets cryptocurrency wallets, specifically Solana and Exodus wallets, the added.
Code snippet showing Solana wallet attacks. Source: Socket
The attack targets files in Google Chrome, Brave and Firefox browsers, as well as keychain data on macOS, specifically targeting developers who might unknowingly install the malicious packages.
The researchers noted that attributing this attack definitively to Lazarus remains challenging; however, “the tactics, techniques, and procedures observed in this npm attack closely align with Lazarus’s known operations.”
Magazine: Mystery celeb memecoin scam factory, HK firm dumps Bitcoin: Asia Express
Why this matters
This ethereum story adds another data point to the current market tape and is useful when read alongside nearby source coverage.
Original source
Read on CointelegraphRelated market context
ONDO Finance partners with SBI Group to tokenize Japanese assets using yen-backed stablecoin
Ondo Finance partners with SBI Group to tokenize Japanese equities using the JPYSC stablecoin for settlement. ONDO tokens surged 1...
Bitcoin Price Falls Under $63,000 on U.S.-Iran Strikes and Trump’s China Charge, but Onchain Data Points to Buyers
Bitcoin Magazine Bitcoin Price Falls Under $63,000 on U.S.-Iran Strikes and Trump’s China Charge, but Onchain Data Points to Buyer...
ConsenSys inadvertently hired North Korean operative who accessed MetaMask’s core code
ConsenSys inadvertently hired a North Korean operative as a developer consultant who accessed MetaMask's core code before being de...
Chainlink Holds Support As CCIP Adoption Becomes A Longer-Term Test
Chainlink is holding near a key support area while the market continues to judge whether its cross-chain infrastructure story can...
Solana Tests $77 Support As Risk-Off Pressure Spreads Across Layer 1s
Solana is back near an important support zone as risk-off pressure spreads through the crypto market and traders reassess exposure...
Iran strikes northern Iraq as US sanctions hit Iranian crypto exchanges
Iran launched strikes on Sulaymaniyah in northern Iraq amid 200 attacks since March 2026, as US Treasury sanctions Iranian crypto...