Lazarus Group Hackers Transfer 400 ETH to Tornado Cash

Experts at CertiK have detected a transfer of 400 ETH (~$752,000) to the crypto mixer Tornado Cash. It is believed that the funds were moved by hackers from the Lazarus Group.

#CertiKInsight ?

We have detected deposit of 400 ETH in https://t.co/0lwPdz0OWi on Ethereum from:
0xdB31a812261d599A3fAe74Ac44b1A2d4e5d00901
0xB23D61CeE73b455536EF8F8f8A5BadDf8D5af848.

The fund traces to the Lazarus group’s activity on the Bitcoin network.

Stay Vigilant! pic.twitter.com/IHwFwt5uQs

— CertiK Alert (@CertiKAlert) March 13, 2025

The initial address received funds through the THORChain protocol, which the North Korean-linked group actively used in laundering schemes for funds stolen from Bybit.

CertiK noted that they are “monitoring Lazarus’s activity on the Bitcoin network.”

In early March, Bybit CEO Ben Zhou reported that 20% of the stolen assets, amounting to ~$1.46 million, had already “disappeared into the shadows.” Only 3% had been frozen at that time.

North Korean hackers are also linked to the January hack of the Phemex exchange, which resulted in losses exceeding $70 million.

In August 2022, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) added Tornado Cash to its sanctions list. According to the agency, criminals laundered over $7 billion in cryptocurrency through the service, with more than $455 million linked to Lazarus’s activities.

In January 2025, the U.S. Fifth Circuit Court of Appeals overturned the sanctions against Tornado Cash. Prior to this, the panel of judges ruled that OFAC had overstepped its authority.

In February, co-founder of the service Alexey Pertsev was released. Under electronic monitoring, the developer will continue to challenge the May 2024 conviction in the Netherlands—64 months in prison for laundering $1.2 billion.