On May 16, 2025, a significant cyber heist occurred when $3.2 million was drained from multiple wallets. The incident bore the hallmarks of the North Korea-linked Lazarus Group, a notorious cybercrime syndicate known for its sophisticated operations. The stolen assets were swiftly sold on-chain and bridged over to Ethereum before some of it was laundered through Tornado Cash, a decentralized mixer service.
The heist was first detected by blockchain researchers who observed large transfers from a specific Solana address. These transactions involved moving the stolen tokens through a bridge and converting them into Ethereum. The funds were then traced to a network of wallets on Ethereum, with 400 ETH sent to Tornado Cash in two separate deposits on June 25 and June 27. These transactions, totaling roughly $1.6 million, aligned with the Lazarus Group’s well-documented laundering tactics.
Following high-profile hacks, such as the Bybit heist where $1.5 billion was stolen in February 2025, and the $100 million theft from Harmony’s Horizon bridge in 2022, the Lazarus Group has repeatedly used Tornado Cash, along with decentralized exchanges and cross-chain bridges, to launder funds by obfuscating transaction trails. Approximately $1.25 million still resides in a wallet address on Ethereum, held in a combination of DAI and ETH. Analysts speculate that these funds may either be parked for future laundering or be held intentionally dormant to mitigate detection risk.
The Lazarus Group has been active since 2017 and has earned a reputation as the most prolific state-linked cybercrime organization. Over the years, they have stolen billions in crypto. Their modus operandi often starts with phishing or malware-based infiltration of key personnel, exploiting smart contract flaws or wallet vulnerabilities. Once funds are obtained, they are rapidly converted into liquid assets, broken into multiple wallets, and laundered across chains using mixers like Tornado Cash and services providing instant swaps without Know Your Customer (KYC) requirements.
Tornado Cash remains central to Lazarus’s laundering strategy. Although U.S. sanctions were imposed in 2022, decentralized hosting and immutability have allowed the service to evade permanent shutdown. In January 2025, a U.S. appeals court reversed those sanctions, citing free speech considerations, despite mounting evidence linking Lazarus to continued mixer use. Regulators and exchanges may now take steps to mark the flagged addresses as suspicious. However, with the speed and complexity of Lazarus’s laundering pipeline, mixing services continue to prove sufficient in concealing the movement of their stolen funds.
The incident highlights the ongoing threat posed by state-sponsored hackers to the cryptocurrency industry. The Lazarus Group's ability to execute such sophisticated heists underscores the need for enhanced security measures within the blockchain ecosystem. Cryptocurrency exchanges and wallet providers must implement robust security protocols to protect against similar attacks in the future. The use of advanced encryption, multi-factor authentication, and regular security audits can help mitigate the risk of cyber theft.
The heist also raises concerns about the vulnerability of decentralized finance (DeFi) platforms. DeFi platforms, which allow users to lend, borrow, and trade cryptocurrencies without intermediaries, are increasingly becoming targets for hackers. The lack of centralized control and regulation in the DeFi space makes it easier for cybercriminals to exploit vulnerabilities and steal funds. As the DeFi ecosystem continues to grow, it is crucial for developers and users to prioritize security and adopt best practices to safeguard their assets.
The incident serves as a reminder of the importance of vigilance and proactive measures in the cryptocurrency industry. Blockchain analysts and security experts play a critical role in detecting and preventing cyberattacks. Their efforts in monitoring suspicious activities and raising alerts can help mitigate the impact of such heists. The cryptocurrency community must continue to collaborate and share information to stay ahead of evolving threats and protect the integrity of the blockchain ecosystem.
