North Korean Cybercriminals, Identified as Lazarus Group, Involved in Recent $3.2 Million Cryptocurrency Theft

The North Korea-associated Lazarus Group is intensifying its cryptocurrency attacks, as new investigations uncover a chain of events connected to its cyber activities.

North Korean hacking group Lazarus reportedly responsible for a fresh $3.2 million cryptocurrency theft.

In a recent cybercrime incident, the North Korea-linked Lazarus Group is alleged to have stolen $3.2 million worth of digital assets from Solana wallets on May 16, 2025. This operation saw the swift sale of the stolen tokens on-chain and their transfer to the Ethereum network for laundering purposes.

The stolen assets were then transferred from Solana to Ethereum through a cross-chain bridge. Approximately 400 ETH (around $1.6 million) were subsequently sent in two separate deposits on June 25 and June 27, 2025, into Tornado Cash, a decentralized cryptocurrency mixer service widely used for obscuring transaction trails.

This laundering method is consistent with Lazarus Group’s previously observed tactics, which involve Tornado Cash, decentralized exchanges, and blockchain bridges to obfuscate stolen funds. About $1.25 million in DAI and ETH remain in an Ethereum wallet, possibly held dormant to evade detection or prepared for further laundering.

Tornado Cash, despite U.S. sanctions imposed in 2022, has remained operational due to an appeals court ruling in early 2025 that reversed those sanctions on free speech grounds. This development has enabled Lazarus and similar groups to continue exploiting Tornado Cash for laundering.

The Lazarus Group’s use of Tornado Cash and cross-chain bridges like the Solana-Ethereum bridge highlights the challenges international law enforcement faces in tracking and recovering stolen crypto assets. Previous hacks allegedly linked to them include the $1.5 billion ETH hack on Bybit in February 2025 and the $100 million theft from Harmony’s Horizon bridge in 2022, both involving elaborate laundering schemes.

Industry experts call for stronger on-chain monitoring and international collaboration to counter the Lazarus Group's illicit activities. Blockchain researchers and analysts have been actively tracking these movements to identify laundering patterns. However, the effectiveness of this tracking is limited by the decentralized and privacy-focused nature of these technologies.

The sophistication of Lazarus’ operations underscores the need for cross-border cooperation between crypto analytics firms, law enforcement agencies, and regulatory bodies worldwide. Enhanced tracking tools against mixers like Tornado Cash are under development, but their effectiveness remains to be seen. Legal proceedings surrounding Tornado Cash’s founders and regulatory discourse are ongoing, which could influence future law enforcement capabilities to combat such laundering activities on Ethereum and related platforms.

In summary, the Lazarus Group’s alleged $3.2 million Solana hack and laundering through Tornado Cash and Ethereum bridges constitute a significant case demonstrating the persistent threat of state-linked cybercrime syndicates exploiting decentralized finance (DeFi) infrastructure. It also exemplifies the critical importance of international collaboration and technological advancements in blockchain forensics to counteract such sophisticated illicit operations.

  1. The stolen Solana tokens, worth $3.2 million, were transferred to the Ethereum network via a cross-chain bridge for laundering purposes, using Tornado Cash, a decentralized cryptocurrency mixer service.
  2. The Lazarus Group's illicit activities, such as the recent Solana hack, involve the use of Tornado Cash, decentralized exchanges, and blockchain bridges to obfuscate stolen funds, as demonstrated in previous hacks like the $1.5 billion ETH hack on Bybit and the $100 million theft from Harmony’s Horizon bridge.
  3. Industry experts advocate for stronger on-chain monitoring, international collaboration, and technological advancements in blockchain forensics to combat the Lazarus Group's sophisticated laundering activities on Ethereum and related platforms, as the challenges faced by international law enforcement in tracking and recovering stolen crypto assets are significant.
