TLDR
- Lazarus Group deposited 400 ETH ($750,000) to Tornado Cash on March 13, 2025
- The North Korean state-backed group has also been tied to the $1.4 billion Bybit hack in February 2025.
- Six new malicious packages carrying the 'BeaverTail' infostealer were published on npm to harvest credentials and crypto wallet data from developers' machines.
- The malware targets credentials stored in the Chrome, Brave, and Firefox browsers, as well as Solana and Exodus wallet data.
- In 2024, North Korean operators stole more than $1.3 billion in digital assets across 47 separate incidents, more than double the previous year's total.
On March 13, 2025, the cryptocurrency mixing service Tornado Cash received 400 ETH, worth about $750,000, from addresses attributed to the Lazarus Group. CertiK, a blockchain security firm, flagged the deposit and traced the source addresses back to the group's earlier activity on the Bitcoin network.
We have detected deposit of 400 ETH in https://t.co/0lwPdz0OWi on Ethereum from:
0xdB31a812261d599A3fAe74Ac44b1A2d4e5d00901
0xB23D61CeE73b455536EF8F8f8A5BadDf8D5af848. The financial trail leads back to the Lazarus Group's engagements on the Bitcoin network.
Stay Vigilant! pic.twitter.com/IHwFwt5uQs
— CertiK Alert (@CertiKAlert) March 13, 2025
The Lazarus Group, known for some of the largest cryptocurrency heists on record, has been tied to the $1.4 billion theft from Bybit in February 2025 and a $29 million theft from Phemex in January.
After the Bybit hack, the group used a range of techniques to obscure the stolen funds, including swapping through THORChain, a decentralized cross-chain protocol that performs no identity verification. Close to $2.91 billion reportedly flowed through THORChain in the five days that followed.
Layering funds through mixers and permissionless swap protocols in this way makes it far harder for investigators to trace the assets and for exchanges to freeze them, and the group's experience with these laundering techniques remains one of the main obstacles to recovery.
In a separate campaign, the group published six malicious packages to the npm registry on March 11; the security firm Socket identified and reported them.
npm, the standard package manager for JavaScript projects, was used as the delivery channel for the 'BeaverTail' infostealer, which is designed to steal credentials and crypto wallet data from the developer machines that install it.
Typosquatting
The packages relied on typosquatting: their names were subtle variations of legitimate, widely used package names, so that a developer who mistyped a dependency or skimmed a name too quickly would install the malicious version instead.
Once installed, the malware searches for credentials stored by the Chrome, Brave, and Firefox browsers, along with Solana and Exodus wallet data.
Socket's researchers note that attribution cannot be established with certainty, but the tactics in this npm campaign closely match those seen in previous Lazarus operations.
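The typosquatting described above is easy to check for before a dependency is ever installed: compare each name in a project's dependency list against an allowlist of packages the team actually intends to use, and flag anything that is a small edit away from one of them. The following is an added example written for this article, not code from Socket or from the malicious packages; the allowlist, the threshold values, and the sample dependency block are constructed for illustration and would be replaced by a team's own list in practice.

```javascript
// Added example (not from the article or from Socket): flag dependency names that are
// a small edit away from a well-known package, the pattern typosquatting relies on.
// KNOWN_PACKAGES and SAMPLE_DEPENDENCIES are constructed for illustration.

const KNOWN_PACKAGES = [
  "express", "lodash", "react", "axios", "chalk", "commander",
  "dotenv", "moment", "ethers", "@solana/web3.js",
];

// Optimal string alignment distance: insert, delete, substitute, or swap two adjacent
// characters. Counting a transposition ("lodahs") as one edit matters here, because
// swapped letters are one of the most common squats.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Strip scope markers and separators so "@solana-web3.js" or "lo-dash" are compared
// against the same base string as the package they imitate.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.@\/]/g, "");
}

// Returns one finding per suspicious dependency: the name, the legitimate package it
// resembles, and the edit distance. Exact allowlist matches are never flagged.
// Short legitimate names get a tighter threshold, since at five characters a distance
// of two would match almost anything.
function findTyposquats(dependencies, known = KNOWN_PACKAGES, maxDistance = 2) {
  const knownSet = new Set(known);
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (knownSet.has(dep)) continue;
    const depNorm = normalize(dep);
    let best = null;
    for (const legit of known) {
      const legitNorm = normalize(legit);
      const allowed = legitNorm.length <= 5 ? 1 : maxDistance;
      const dist = editDistance(depNorm, legitNorm);
      if (dist <= allowed && (best === null || dist < best.distance)) {
        best = { dependency: dep, resembles: legit, distance: dist };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Constructed sample "dependencies" block from a package.json (illustration only).
const SAMPLE_DEPENDENCIES = {
  express: "^4.19.2",          // legitimate, on the allowlist
  lodahs: "^4.17.21",          // transposition of lodash
  "@solana-web3.js": "1.0.0",  // scope separator swapped: imitates @solana/web3.js
  axois: "^1.6.0",             // transposition of axios
  "left-pad": "1.3.0",         // unrelated name, must not be flagged
};

for (const f of findTyposquats(SAMPLE_DEPENDENCIES)) {
  console.log(`${f.dependency} resembles ${f.resembles} (edit distance ${f.distance})`);
}
```

Run against the sample block this reports lodahs, @solana-web3.js and axois and stays silent on express and left-pad. The check is only as good as the allowlist: a legitimate fork such as a "-es" variant of an allowlisted package will also land within the threshold, so treat the output as a triage list for a human or a lockfile review step, not as an automatic block.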
Fake Zoom Calls
The same operators also target crypto founders directly with fraudulent Zoom calls: posing as venture capitalists, they send a meeting link, then claim the victim's audio or video needs a "fix" and push them to install it. The supposed fix is malware.
Security researchers have documented cryptocurrency founders falling for this scheme, which shows how readily the group adapts its lures to the individuals it wants to compromise within the sector.
Historically, the Lazarus Group has been linked to major cryptocurrency thefts, including the notable $600 million Ronin network breach in 2022.
According to Chainalysis, North Korean hackers stole more than $1.3 billion in cryptocurrency in 2024 across 47 distinct incidents, more than double the 2023 figure.
With incidents growing in both number and size, security specialists warn that North Korean operations are still expanding and steadily refining both their theft and their laundering techniques.
Blockchain security firms such as CertiK continue to monitor on-chain activity and publish alerts on suspicious transfers, which gives exchanges and users a chance to freeze or avoid tainted funds.
Exchanges and platforms keep tightening their defenses in response, but keeping pace with the Lazarus Group's evolving tactics remains a difficult task.