
Image by Kanchanara, from Unsplash
Lazarus Group Linked To $750,000 Ethereum Laundering
The Lazarus Group, a North Korean-affiliated hacking collective, has escalated its cyber activities with two new high-profile incidents.
In a Rush? Here are the Quick Facts!
- Lazarus Group deposited 400 ETH ($750,000) into Tornado Cash on March 13.
- The deposit connects to their previous Bitcoin network activities, indicating ongoing fund laundering.
- Lazarus has stolen over $1.3 billion in crypto assets in 2024, double 2023’s total.
On March 13, blockchain security firm CertiK reported that the group deposited 400 Ethereum (ETH), worth around $750,000, into the Tornado Cash mixing service, a tool used to obscure the origin of crypto assets.
We have detected a deposit of 400 ETH in https://t.co/0lwPdz0OWi on Ethereum from:
0xdB31a812261d599A3fAe74Ac44b1A2d4e5d00901
0xB23D61CeE73b455536EF8F8f8A5BadDf8D5af848. The fund traces to the Lazarus group’s activity on the Bitcoin network.
Stay Vigilant! pic.twitter.com/IHwFwt5uQs
— CertiK Alert (@CertiKAlert) March 13, 2025
This move was linked to their previous activity on the Bitcoin network, underscoring the group’s ongoing efforts to launder funds following high-profile hacks.
The Lazarus Group is notorious for its involvement in major cryptocurrency thefts, including the $1.4 billion hack of Bybit in February 2025 and the $29 million Phemex hack in January, as noted by CoinTelegraph.
According to blockchain analytics firm Chainalysis, Lazarus has stolen over $1.3 billion in crypto assets in 2024 alone, more than doubling their 2023 thefts.
Meanwhile, cybersecurity researchers at Socket have uncovered a new wave of malicious packages targeting the npm ecosystem, used by developers to manage JavaScript libraries.
The six malicious packages, downloaded over 330 times, were found to be embedded with a form of malware known as BeaverTail. These packages mimic legitimate libraries in a deceptive tactic called typosquatting, where slight variations in names are used to trick developers into installing harmful code.
Socket’s researchers observed that the tactics, techniques, and procedures in this npm attack closely align with Lazarus’s known operations. The packages were designed to steal sensitive information, including credentials and cryptocurrency data, while also deploying backdoors into affected systems.
Specifically, they targeted files in browsers like Chrome, Brave, and Firefox, and keychain data on macOS, focusing on developers who may not notice the malware during installation.
This attack highlights Lazarus’s continued use of sophisticated infiltration methods, leveraging trusted names in the npm registry to exploit the open-source community. Despite the obfuscation techniques used, researchers were able to detect the malicious intent and flagged the packages for removal.
As Lazarus continues its cybercriminal activities, experts warn that organizations must adopt stricter security measures, such as automated auditing of code and dependency scans, to prevent similar attacks.
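The typosquatting pattern described above (a dependency name one small edit away from a popular library) is something a dependency scan can check for mechanically. The following is an added example, not code from the article or from Socket: it compares the names in a package.json against a constructed allowlist of known packages using Damerau-Levenshtein edit distance and flags near-misses that are not exact matches.

```javascript
// Added example (not from the article or from Socket): flag dependency names in a
// package.json that are a small edit away from a well-known package but not
// identical to it, which is the pattern typosquatting relies on.

// Constructed allowlist of legitimate names; a real check would use a larger list.
const KNOWN_PACKAGES = ["express", "lodash", "react", "axios", "chalk", "moment"];

// Damerau-Levenshtein distance (insert, delete, substitute, adjacent transposition).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0))
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Return [{ name, lookalikeOf, distance }] for every dependency within
// maxDistance edits of a known package without matching any known name exactly.
function findTyposquats(packageJson, known = KNOWN_PACKAGES, maxDistance = 1) {
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue; // exact match to a known package is fine
    for (const legit of known) {
      const distance = editDistance(name, legit);
      if (distance <= maxDistance) findings.push({ name, lookalikeOf: legit, distance });
    }
  }
  return findings;
}

// Constructed package.json: "lodahs" transposes two letters of "lodash",
// "expres" drops one letter of "express"; "react" and "chalk" are exact matches.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { react: "^18.2.0", lodahs: "1.0.0", expres: "4.0.0" },
  devDependencies: { chalk: "^5.0.0" },
};

console.log(findTyposquats(SAMPLE_PACKAGE_JSON));
```

A distance threshold of 1 catches the single-character variations the article describes; raising it widens coverage at the cost of more false positives, so the allowlist should be the packages your organisation actually depends on.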