North Korean hackers bridge $3.2 million of stolen funds

Crypto investigators are raising alarms after $3.2 million was drained from multiple Solana wallets on May 16, 2025, which they say bears the hallmarks of the North Korea-linked Lazarus Group. The stolen assets were swiftly sold on-chain and bridged over to Ethereum before some of it was laundered through Tornado Cash.

On May 16, the victim’s Solana addresses were emptied of tokens, and the assets were then converted to Ethereum via a bridge before part of it was deposited to Tornado Cash.

Blockchain researcher ZachXBT publicly flagged the exploit, drawing parallels with earlier Lazarus activity.

Hackers bridged the stolen funds

Blockchain sleuths first raised the alarm after observing large transfers from address “C4WY…e525” on Solana.

These transactions, linked to the notorious Lazarus Group, involved moving the stolen tokens through a bridge and converting them into Ethereum. ZachXBT flagged the attack by monitoring the bridge’s activity and tracing funds that ultimately ended up in a network of wallets on Ethereum.

On June 25 and again on June 27, 400 ETH was sent to Tornado Cash in two separate deposits. Those 800 ETH transactions, totaling roughly $1.6 million, align with Lazarus Group’s well-documented laundering tactics.

Following high-profile hacks like Bybit, where $1.5 billion was stolen in February 2025, and $100 million from Harmony’s Horizon bridge in 2022, among other notable hacks, Lazarus has repeatedly used Tornado Cash, along with decentralized exchanges and cross-chain bridges, to launder funds by obfuscating transaction trails.

Approximately $1.25 million still resides in a wallet address identified as “0xa5…d528” on Ethereum, held in a combination of DAI and ETH. Analysts speculate that these funds may either be parked for future laundering or be held intentionally dormant to mitigate detection risk.

Lazarus Group has been active since 2017

Lazarus Group has earned a reputation as the most prolific state-linked cybercrime organization, with North Korea sanctions designating them as an Advanced Persistent Threat tied to Pyongyang’s elite military intelligence units. Over the years, they have stolen billions in crypto since 2017.

Their modus operandi often starts with phishing or malware-based infiltration of key personnel, exploiting smart contract flaws or wallet vulnerabilities. Once funds are obtained, they are rapidly converted into liquid assets, broken into multiple wallets, and laundered across chains using mixers like Tornado Cash and services providing instant swaps without Know Your Customer (KYC) requirements.

Tornado Cash remains central to Lazarus’s laundering strategy. Although U.S. sanctions were imposed in 2022, decentralized hosting and immutability have allowed the service to evade permanent shutdown. In January 2025, a U.S. appeals court reversed those sanctions, citing free speech considerations, despite mounting evidence linking Lazarus to continued mixer use.

Regulators and exchanges may now take steps to mark the flagged addresses as suspicious. However, with the speed and complexity of Lazarus’s laundering pipeline, mixing services continue to prove sufficient in concealing the movement of their stolen funds.

Your crypto news deserves attention - KEY Difference Wire puts you on 250 top sites