Lazarus Group Transfers 400 ETH and Launches New Cyber Attacks

Author: Tronweekly
Release Time: 2025-03-13 20:01:56


  • Lazarus Group transferred 400 ETH ($750,000) to Tornado Cash and laundered $2.91 billion through THORChain within the last five days.
  • They have also infected the NPM ecosystem with harmful packages like “BeaverTail” to steal credentials and access crypto wallets.

Lazarus Group, linked to North Korea, continues to launder crypto by moving different tokens and using fresh malware to attack developers and steal digital assets.

On March 13, blockchain security company CertiK posted on its X account that it had detected a deposit of 400 ETH, valued at about $750,000, into Tornado Cash.

#CertiKInsight 🚨

We have detected deposit of 400 ETH in https://t.co/0lwPdz0OWi on Ethereum from:
0xdB31a812261d599A3fAe74Ac44b1A2d4e5d00901
0xB23D61CeE73b455536EF8F8f8A5BadDf8D5af848.

The fund traces to the Lazarus group’s activity on the Bitcoin network.

Stay Vigilant! pic.twitter.com/IHwFwt5uQs

— CertiK Alert (@CertiKAlert) March 13, 2025

The funds transferred were linked to Lazarus Group’s activities on the Bitcoin network. The North Korean hacking organization has been involved in various crypto breaches, including the $1.4 billion Bybit attack in February.

Lazarus Group’s Use of Malware and Crypto Laundering Techniques 

Another cybersecurity firm has also found that Lazarus Group released six harmful packages to infect developer systems, steal their credentials, access crypto data, and install hidden access points.

According to the firm, the hackers targeted the Node Package Manager (NPM) ecosystem, which contains many JavaScript libraries. Malware named “BeaverTail” was embedded in packages designed to look like real ones, using typosquatting techniques to trick developers.

In simpler terms, the hackers attacked NPM, a place with many JavaScript tools, and hid a bad program called “BeaverTail” inside fake files to fool developers.

After the attack, the group tried to hide the stolen assets through different methods, including using THORChain, a decentralized exchange that does not need any identity verification. 

Reports show that within five days, about $2.91 billion passed through THORChain, which made it difficult to track and recover the stolen funds.

Lazarus Group has been scamming different crypto founders with fake Zoom calls. They pose as investors, send false meeting links, and claim there are sound problems. Once the victims download a supposed fix, the malware infects their whole device. Most malware targets crypto wallets, especially Solana and Exodus.

Security experts say many have fallen for this trick. Chainalysis reports that the Lazarus Group has stolen over $1.3 billion in crypto from 47 attacks in 2024, more than twice the amount they stole in 2023. 
