Lazarus Group Launders 400 ETH Through Tornado Cash, Deploys Malware Targeting Developers
YEREVAN (CoinChapter.com) — North Korean-affiliated hacking collective Lazarus Group continues laundering stolen cryptocurrency while expanding its malware operations. On March 13, blockchain security firm CertiK identified a 400 ETH ($750,000) deposit into Tornado Cash, a crypto mixer known for obscuring transaction histories.

CertiK linked the funds to Lazarus Group’s activities on the Bitcoin network. The group has been behind multiple high-profile exchange hacks, including the $1.4 billion Bybit hack on Feb. 21 and the $29 million Phemex breach in January.
These latest transfers add to Lazarus’s history of laundering stolen assets. In 2022, the group orchestrated the $600 million Ronin network hack, one of the largest DeFi exploits ever recorded. According to Chainalysis, North Korean hackers stole $1.3 billion in 2024 across 47 incidents, more than double the amount stolen in 2023.
New Lazarus Malware Targets Crypto Developers
Cybersecurity researchers at Socket detected six new malicious packages deployed by Lazarus Group. These packages infiltrate developer environments, steal credentials, extract cryptocurrency data, and install backdoors.
The malware mainly targets the Node Package Manager (NPM) ecosystem, which hosts JavaScript libraries widely used by developers. Researchers found a strain called “BeaverTail” embedded in packages that closely mimic legitimate software libraries.
“Across these packages, Lazarus uses names that closely mimic legitimate and widely trusted libraries,” Socket researchers noted. The group uses typosquatting tactics to deceive developers into installing malware.
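As an added illustration of the typosquatting pattern described above (this is not code from the article or from Socket), the following Node.js script audits a package.json dependency list and flags names that sit within a small edit distance of well-known npm package names without being those packages. The trusted list, the sample manifest and the distance threshold are constructed assumptions for the example; a real audit would use an allow-list maintained by the team.

```javascript
// Added example, not from the article or from Socket: detect dependency
// names that look like well-known npm packages (typosquatting candidates).
// TRUSTED_PACKAGES and SAMPLE_PACKAGE_JSON are constructed for illustration.
const TRUSTED_PACKAGES = ["lodash", "express", "react", "axios", "web3", "ethers", "chalk"];

// Classic Levenshtein edit distance between two strings.
function levenshtein(a, b) {
  const rows = a.length + 1;
  const cols = b.length + 1;
  const d = Array.from({ length: rows }, (_, i) => {
    const row = new Array(cols).fill(0);
    row[0] = i;
    return row;
  });
  for (let j = 0; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[rows - 1][cols - 1];
}

// Return one finding per dependency whose unscoped name is not itself trusted
// but is within maxDistance edits of a trusted package name.
function findLookalikes(dependencies, trusted = TRUSTED_PACKAGES, maxDistance = 2) {
  const trustedSet = new Set(trusted);
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    // Strip an npm scope ("@scope/pkg" -> "pkg") so scoped clones are compared too.
    const bare = name.startsWith("@") ? (name.split("/")[1] || name) : name;
    if (trustedSet.has(bare)) continue;
    for (const t of trusted) {
      const distance = levenshtein(bare, t);
      if (distance > 0 && distance <= maxDistance) {
        findings.push({ name, lookalikeOf: t, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not a real project's package.json).
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "lodash": "^4.17.21",       // genuine, trusted
    "expres": "^1.0.0",         // one letter short of "express"
    "axois": "^0.1.2",          // transposed letters of "axios"
    "ethers": "^6.0.0",         // genuine, trusted
    "@scope/reactt": "^1.0.0",  // scoped name that mimics "react"
    "yargs": "^17.0.0"          // unrelated, should not be flagged
  }
};

function auditSample() {
  return findLookalikes(SAMPLE_PACKAGE_JSON.dependencies);
}

for (const f of auditSample()) {
  console.log(`suspicious: ${f.name} looks like ${f.lookalikeOf} (distance ${f.distance})`);
}
```

Run with `node audit.js` after pasting a project's `dependencies` object in place of the sample; a hit is a prompt to compare the package's publisher, download count and repository against the library it resembles before installing, not proof of malice on its own.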
Lazarus Group’s Malware Targets Crypto Wallets
The new malware specifically attacks cryptocurrency wallets, including Solana and Exodus wallets. It also scans for sensitive files stored in Google Chrome, Brave, and Firefox browsers, aiming to extract private keys and credentials.
On macOS, the malware targets keychain data, posing a significant threat to developers who unknowingly install these compromised packages. The malicious code grants attackers access to encrypted credentials, allowing them to steal funds directly.

While researchers have not definitively attributed the attack to Lazarus Group, they noted that the methods used in this NPM attack closely align with Lazarus’s known operations.
Lazarus Group’s History of Crypto Crimes
Lazarus Group remains a dominant player in crypto-related cybercrime. The collective has been involved in some of the biggest hacks in history, focusing on crypto exchanges, DeFi platforms, and developer environments.
The group’s latest activity highlights an ongoing effort to both launder stolen assets and expand malware campaigns. Above all, this puts developers and crypto users at continued risk.