North Korea’s Lazarus Group Strikes Again With $3.2 Million Scam

North Korea-linked hackers are ramping up attacks on the cryptocurrency sector, with recent investigations pointing to the Lazarus Group’s evolving methods.

On-chain analyst ZachXBT has revealed a string of incidents tied to the regime’s cyber operations. These incidents include the use of fake developer profiles and complex laundering strategies.

Lazarus Hackers Steal Millions as North Korea Intensifies Crypto Attacks

On June 29, Zachxbt reported that the Lazarus Group scammed a user out of $3.2 million in digital assets on May 16.

The stolen funds were quickly converted from Solana to Ethereum. The hacker then deposited 800 ETH into Tornado Cash, a privacy protocol that obscures cryptocurrency transactions.

North Korea Attackers Transaction Map. Source: ZachXBT

At the time of reporting, an estimated $1.25 million remains in an Ethereum wallet holding DAI and ETH.

Meanwhile, this attack is just one in a series of activities by the Lazarus Group, which increasingly targets high-value crypto assets.

On June 27, ZachXBT linked the group to a significant exploit affecting multiple NFT projects associated with Matt Furie, the creator of Pepe. The attack also impacted projects like ChainSaw and Favrr.

1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolenMy analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers.

— ZachXBT (@zachxbt) June 27, 2025

This series of attacks, which began on June 18, allowed the hackers to take control of several NFT contracts. They then minted and dumped NFTs, stealing an estimated $1 million from these projects.

ZachXBT’s investigation revealed that the hackers moved the stolen funds across three wallets. Eventually, they converted some of the ETH into stablecoins and transferred them to MEXC, a centralized exchange.

Meanwhile, the pattern of stablecoin transfers, tied to a specific MEXC deposit address, suggests that the attackers engaged in multiple crypto projects.

Moreover, the analysis uncovered links to GitHub accounts with Korean language settings and time zones consistent with North Korean activity.

“Other indicators revealed from internal logs point out irregularities in a suspected DPRK IT workers resume. Why would a developer who claims to be living in the US have a Korean language setting, Astral VPN usage, and have an Asia/Russia time zone?,” ZachXBT wondered.

In Favrr’s case, investigators suspect the project’s chief technology officer, Alex Hong, of being a North Korean IT worker. ZachXBT also reported that Hong’s LinkedIn profile was recently deleted, and his work history could not be verified.

Indeed, these incidents highlight North Korea’s ongoing role in cryptocurrency theft. Blockchain analysis firm TRM Labs recently linked the country’s hackers to nearly $1.6 billion in stolen funds, accounting for about 70% of all stolen crypto assets this year.