Lazarus Group Launders $750,000 via Tornado Cash, Deploys New Malware

Coin World, Thursday, Mar 13, 2025 1:57 am ET

The Lazarus Group, a notorious cybercriminal organization, has recently been identified as sending 400 ETH (Ethereum) to Tornado Cash, a cryptocurrency mixing service designed to obscure the trail of transactions. This move is part of a broader strategy that includes the deployment of new malware, highlighting the group's evolving tactics in cybercrime.

The Lazarus Group has been known for its sophisticated cyber-attacks, often targeting high-value assets and sensitive information. The transfer of 400 ETH to Tornado Cash suggests that the group is leveraging cryptocurrency mixing services to launder funds and evade detection. This is a significant development, as it indicates the group's increasing use of cryptocurrency to facilitate its illicit activities.

On March 13, blockchain security firm CertiK alerted its followers that it had detected a deposit of 400 ETH, worth around $750,000, to the Tornado Cash mixing service. The funds trace back to the Lazarus Group's activity on the Bitcoin network. The North Korean hacking group was responsible for the massive Bybit exchange hack that resulted in the theft of $1.4 billion worth of crypto assets on Feb. 21. It has also been linked to the $29 million Phemex exchange hack in January and has been laundering assets ever since.

In addition to the cryptocurrency transfer, the Lazarus Group has also deployed six new malicious packages. These packages are designed to infiltrate systems and steal valuable data. The deployment of new malware underscores the group's continuous efforts to enhance its capabilities and stay ahead of cybersecurity defenses. The new malware is part of a broader trend of cybercriminals adapting their tactics to exploit vulnerabilities in emerging technologies.

According to researchers at cybersecurity firm Socket, the Lazarus Group has deployed six new malicious packages to infiltrate developer environments, steal credentials, extract cryptocurrency data and install backdoors. It has targeted the Node Package Manager (NPM) ecosystem, a large collection of JavaScript packages and libraries. Researchers discovered malware called “BeaverTail” embedded in packages that mimic legitimate libraries through typosquatting and other tactics that deceive developers. The malware also targets cryptocurrency wallets, specifically Solana and Exodus wallets. It reads files belonging to the Google Chrome, Brave and Firefox browsers, as well as keychain data on macOS, and is aimed at developers who might unknowingly install the malicious packages.
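One defensive check that follows from the typosquatting described above, as an added example that is not from the article or from Socket's research: a small JavaScript routine that flags dependency names sitting within one edit of a trusted package list, so they can be reviewed before installation. The trusted list and the sample manifest are constructed for illustration, not real package names from the campaign.

```javascript
// Added example (not from the article or from Socket's research): flag dependency
// names that look like typosquats of trusted npm packages, using
// Damerau-Levenshtein edit distance (substitution, insertion, deletion,
// adjacent transposition). Lists and sample manifest below are constructed.

function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // adjacent transposition, e.g. "lodahs" vs "lodash"
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Trusted package names an organisation would maintain itself (constructed sample).
const KNOWN_PACKAGES = ["lodash", "express", "axios", "react", "chalk", "web3"];

// Return dependencies whose name is within `maxDistance` edits of a trusted
// package but is not that package itself; those deserve a manual look.
function findTyposquatCandidates(dependencies, known = KNOWN_PACKAGES, maxDistance = 1) {
  const results = [];
  for (const name of Object.keys(dependencies)) {
    if (known.includes(name)) continue; // exact match: the legitimate package
    for (const k of known) {
      const dist = editDistance(name.toLowerCase(), k.toLowerCase());
      if (dist <= maxDistance) results.push({ name, lookalikeOf: k, distance: dist });
    }
  }
  return results;
}

// Constructed "dependencies" block from a package.json, for demonstration.
const sampleDeps = { lodahs: "^4.17.0", express: "^4.18.0", "axios-": "1.0.0", reacct: "18.0.0" };

console.log(JSON.stringify(findTyposquatCandidates(sampleDeps), null, 2));
```

The same check can be run against a lockfile's package names in CI, with the trusted list drawn from the project's own approved dependencies.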

The use of Tornado Cash by the Lazarus Group raises concerns about the potential misuse of cryptocurrency mixing services. These services are designed to enhance privacy, but they can also be exploited by cybercriminals to launder funds and evade law enforcement. The transfer of 400 ETH to Tornado Cash highlights the need for increased scrutiny and regulation of cryptocurrency mixing services to prevent their misuse.

The deployment of new malware by the Lazarus Group is a reminder of the ongoing threat posed by cybercriminals. The group's use of sophisticated tactics and tools underscores the need for robust cybersecurity measures to protect against such threats. Organizations must remain vigilant and invest in advanced cybersecurity solutions to safeguard their systems and data from the evolving tactics of cybercriminals.