North Korean-affiliated hacking collective Lazarus Group has been laundering stolen cryptocurrency using mixing services following a series of high-profile cyberattacks.
Blockchain security firm CertiK reported a 400 ETH deposit—valued at approximately $750,000—into Tornado Cash, a well-known crypto mixer. The firm traced these funds back to Lazarus Group’s activity on the Bitcoin network.
The notorious hacking group was behind the February 21 attack on Bybit, which resulted in the theft of 400,000 ETH, worth around $1.5 billion. This incident is now considered the largest cryptocurrency exchange hack to date. The group was also responsible for the $29 million Phemex exchange hack in January and has been actively laundering assets ever since.
#CertiKInsight 🚨
We have detected a deposit of 400 ETH in https://t.co/0lwPdz0OWi on Ethereum from:
0xdB31a812261d599A3fAe74Ac44b1A2d4e5d00901
0xB23D61CeE73b455536EF8F8f8A5BadDf8D5af848.
The fund traces to the Lazarus group's activity on the Bitcoin network.
Stay Vigilant!
— CertiK Alert (@CertiKAlert) March 13, 2025
Cybersecurity researchers at Socket revealed that Lazarus Group has deployed six new malicious packages designed to infiltrate developer environments. These packages extract cryptocurrency data, steal credentials, and install backdoors. The group has specifically targeted the Node Package Manager (NPM) ecosystem, which hosts a vast collection of JavaScript packages and libraries.
Malware named “BeaverTail” was found embedded in packages that imitate legitimate libraries using typosquatting techniques. The latest attack also employs a new VNC-based malware that enables remote control of infected systems. This sophisticated tool can bypass traditional security measures, making detection and mitigation significantly more difficult.
The hackers primarily target files stored in Google Chrome, Brave, and Firefox browsers, along with keychain data on macOS. Developers who unknowingly install the malicious packages remain particularly vulnerable. In addition, Indian media sources reported that WazirX was hacked, leading to a loss of $234.9 million in digital assets. Most recently, the group was linked to the Bybit hack.
Lazarus Group has a long history of cybercrime, particularly in the financial sector. Believed to operate under the North Korean regime, the group has been linked to numerous cryptocurrency ransomware attacks. It uses sophisticated hacking techniques to fund North Korea’s illicit programs, including weapons development. The use of Tornado Cash highlights ongoing efforts to obscure stolen funds, complicating law enforcement efforts to track and recover assets.