A hacking group linked to North Korea, known as the Lazarus Group, has been actively transferring cryptocurrency assets through mixers following a series of notable hacks.
On March 13, a blockchain security company notified its followers on X about the detection of a deposit of 400 ETH, valued at approximately $750,000, into the Tornado Cash mixing platform.
“This fund is connected to the Lazarus group’s activities on the Bitcoin network,” they stated.
This North Korean hacking collective is behind the significant breach of the Bybit exchange that led to the loss of $1.4 billion in crypto assets on February 21.
Additionally, they have been associated with the hack of the Phemex exchange in January, where $29 million was stolen, and have been laundering funds ever since.

Movements of Lazarus Group crypto assets.
Lazarus has also been implicated in some of the most infamous crypto hacking events, such as the $600 million hack of the Ronin network in 2022.
In total, North Korean hackers pilfered over $1.3 billion in cryptocurrency across 47 incidents in 2024, significantly surpassing the amounts stolen in 2023, as reported by recent data.
New Malware from Lazarus Uncovered
Researchers from a cybersecurity firm have found that Lazarus Group has introduced six new malicious packages designed to infiltrate development environments, pilfer credentials, extract cryptocurrency information, and install backdoors.
The group has focused its efforts on the Node Package Manager (npm) ecosystem, whose public registry hosts numerous JavaScript packages and libraries.
Among the discoveries was malware dubbed “BeaverTail,” embedded within packages that imitate genuine libraries through typosquatting techniques meant to mislead developers.
“These packages use names that closely resemble those of established and trusted libraries,” the researchers noted.
The malware specifically targets cryptocurrency wallets, including Solana and Exodus wallets, they further elaborated.

Example of code involved in Solana wallet attacks.
The attack is aimed at files within Google Chrome, Brave, and Firefox browsers, as well as keychain data on macOS, especially focusing on developers who may unintentionally install the harmful packages.
While definitively linking this attack to Lazarus is complex, researchers emphasized that “the tactics, techniques, and procedures observed in this npm attack closely align with those known to be used by Lazarus.”