In yet another bold move by cybercriminals, blockchain sleuth ZachXBT has tracked the infamous Lazarus Group, tied to North Korea, laundering nearly $2 million in stolen Ethereum through the Tornado Cash crypto mixer.
Hack Traced Back to May Solana Exploit
The laundering activity follows a May 16, 2025 hack where attackers drained around $3.2 million from multiple Solana wallets. After swiftly offloading the stolen assets on the market, the perpetrators bridged the funds to Ethereum—a common tactic used to blur the transaction trail across blockchains.
On June 25 and 27, the group deposited a total of 800 ETH, worth approximately $1.95 million, into Tornado Cash in two separate 400 ETH batches, as reported by ZachXBT on his Telegram channel.
$1.25M Still Sitting in Hacker Wallet
Despite the movement of ETH through the mixer, about $1.25 million in DAI and ETH remains untouched in the address tagged “0xa5f.” The Solana address involved in the theft has been identified as “C4WY1.” Blockchain analysts believe this remaining crypto stash could be moved next—or held for later laundering.
Lazarus Group’s Long Crypto Trail
The Lazarus Group is widely recognized as a state-sponsored cybercrime unit operated by North Korea, known for executing complex crypto-related heists to fund the country’s military and weapons programs. Since 2018, the group has stolen billions in digital assets via phishing, ransomware, and exchange breaches, drawing global scrutiny and U.S. Treasury sanctions.
Tornado Cash Remains a Key Tool for Crypto Laundering
Tornado Cash, a decentralized privacy tool on Ethereum, remains controversial. While some users praise its privacy features, bad actors continue to use it to mask illicit funds, complicating efforts by law enforcement and blockchain investigators to trace stolen assets.
With regulators and watchdogs keeping a close eye, the remaining funds and future laundering moves by Lazarus are expected to remain under active surveillance by analysts like ZachXBT.
Conclusion
As blockchain forensics improve, so do the tactics used by cybercriminals. The Lazarus Group’s use of cross-chain bridging and mixing services like Tornado Cash underscores the urgent need for advanced security protocols and international cooperation to combat crypto-financed cyber threats.