The Lazarus Group, responsible for the $1.5 billion Bybit hack, now possesses 13,518 BTC valued at $1.13 billion, as per Arkham Intelligence. This positions North Korea as potentially the fifth-largest nation-state holder of this asset, trailing only the United States, China, the United Kingdom, and Ukraine, according to BitBO. The group’s holdings surpass those of Bhutan and El Salvador, which own 13,029 BTC and 6,089 BTC, respectively. Lazarus recently converted some of its stolen ETH into BTC, Arkham reports.
Arkham also indicates that wallets linked to Lazarus hold 13,702 ETH worth roughly $26 million, 5,022 BNB valued at $3 million, $2.2 million in DAI, and a variety of stablecoins and wrapped crypto assets. Crypto investor Kyle Chassé commented, “We grind and HODL just so that a hacker group can steal over $1B in crypto. It’s time for us to take the market back.”
Since 2017, North Korea-linked actors have stolen over $6 billion in crypto assets, with proceeds reportedly funding the country’s ballistic missile program, as Elliptic reported earlier this month. On March 13, 400 ETH, worth about $750,000 at the time, was deposited into the Tornado Cash mixing service, as detailed by blockchain security firm CertiK. The funds were traced back to the Lazarus group’s Bitcoin network activities.
Additionally, the Lazarus Group has deployed six new malware packages targeting developer environments to steal credentials and cryptocurrency data and install backdoors, according to recent research from cybersecurity firm Socket. The malware, dubbed “BeaverTail,” is embedded in packages mimicking legitimate JavaScript libraries and specifically targets cryptocurrency wallets like Solana and Exodus. Researchers noted the attack’s tactics align with known Lazarus operations.
In related developments, crypto exchange OKX suspended its Web3 decentralized exchange aggregator on March 17 due to a “coordinated effort by Lazarus group to misuse our DeFi services.” Following the Bybit hack, OKX introduced a hacker address detection system for its Web3 DEX aggregator, allowing real-time tracking and blocking of the attacker’s addresses. Last week, Bloomberg reported that the OKX DEX aggregator was used to launder $100 million in crypto linked to Lazarus and the hack.
BREAKING NEWS: North Korea’s Lazarus group has converted stolen ETH to BTC post-Bybit hack, now holding 13,562 BTC worth around $1.12B per data from @arkham.
