North Korean Hackers Transfer $750,000 in ETH to Tornado Cash, Deploy New Malware

TLDR

• Lazarus Group deposited 400 ETH (~$750,000) to Tornado Cash on March 13, 2025
• The North Korean hackers were linked to February’s $1.4 billion Bybit hack
• Six new malicious packages called “BeaverTail” were deployed on NPM to steal credentials and crypto wallet data
• The malware targets Chrome, Brave, Firefox browsers, and Solana/Exodus wallets
• North Korean hackers stole over $1.3 billion in crypto across 47 attacks in 2024, double the amount stolen in 2023

North Korea’s Lazarus Group has moved 400 Ethereum (ETH) worth approximately $750,000 to Tornado Cash mixing service on March 13, 2025. Blockchain security firm CertiK detected the transaction and traced it back to the group’s activity on the Bitcoin network.

#CertiKInsight ?

We have detected deposit of 400 ETH in https://t.co/0lwPdz0OWi on Ethereum from:
0xdB31a812261d599A3fAe74Ac44b1A2d4e5d00901
0xB23D61CeE73b455536EF8F8f8A5BadDf8D5af848.

The fund traces to the Lazarus group's activity on the Bitcoin network.

Stay Vigilant! pic.twitter.com/IHwFwt5uQs

— CertiK Alert (@CertiKAlert) March 13, 2025

The Lazarus Group has been connected to many large crypto hacks. They were responsible for the $1.4 billion Bybit exchange hack in February 2025. They were also linked to the $29 million Phemex exchange hack in January.

After the Bybit hack, the group used various methods to hide the stolen funds. They used decentralized exchanges like THORChain that don’t require identity checks. Reports show that around $2.91 billion was moved through THORChain in just five days.

This made it much harder for authorities to track and recover the stolen money. The group has become known for using mixing services and other techniques to launder cryptocurrency after their attacks.

The hacking group has also started a new malware campaign. On March 11, security firm Socket reported that the group had launched six new malicious software packages on the Node Package Manager (NPM) platform.

NPM is a tool used by developers to manage and install JavaScript packages for their projects. The malware, including a package called “BeaverTail,” is designed to steal credentials and crypto wallet data.

Typosquatting

The hackers use a trick called typosquatting. This involves slightly changing the names of trusted software to fool developers into downloading the malicious versions. For example, they might create packages with names very similar to legitimate and widely used libraries.

The malware targets stored credentials in Chrome, Brave, and Firefox browsers. It also specifically looks for data from Solana and Exodus cryptocurrency wallets.

Socket researchers noted that while it’s challenging to attribute this attack with absolute certainty, “the tactics, techniques, and procedures observed in this npm attack closely align with Lazarus’s known operations.”

Fake Zoom Calls

The North Korean hackers have also tried to trick crypto founders with fake Zoom calls. They pose as venture capitalists and send fake meeting links. When they claim to have audio issues, they send victims a supposed fix that actually installs malware.

Security researchers have reported that several crypto founders have encountered these scams. The approach shows how the group adapts their methods to target specific people in the cryptocurrency industry.

The Lazarus Group has a long history of crypto attacks. They were behind the $600 million Ronin network hack in 2022, one of the largest crypto thefts in history.

According to data from Chainalysis, North Korean hackers stole over $1.3 billion in cryptocurrency across 47 different attacks in 2024. This amount is more than double what they stole in 2023.

The increase in both the number and size of attacks shows that North Korean hacking operations are growing. Cybersecurity experts warn that the group continues to develop new methods to steal and launder digital assets.

CertiK and other security firms continue to monitor blockchain transactions to detect suspicious activity. Their work helps exchanges and users be more aware of potential threats.

As these attacks continue, cryptocurrency exchanges and platforms are working to improve their security measures. However, the Lazarus Group’s techniques keep evolving, creating an ongoing challenge for the crypto industry.