How DPRK Hackers Use Cross-Chain Crypto Laundering to Evade Restrictions


Imagine a thief who doesn’t just hide stolen cash in a safe but shuffles it through dozens of different banks, currencies, and countries in seconds. That is exactly what the Lazarus Group, the primary cyber warfare unit of the Democratic People's Republic of Korea (DPRK), has been doing with cryptocurrency. For years, sanctions have tried to choke off North Korea’s funding for its weapons programs. But instead of stopping, these state-sponsored hackers have evolved. They are now using complex cross-chain techniques to launder billions of dollars, turning the very transparency of blockchain into a fog of war that makes tracking nearly impossible.

This isn't just about lost money; it is a direct threat to global security. When you understand how these hackers move funds across different blockchains, you see why traditional restrictions are failing. The shift from simple mixing services to sophisticated cross-chain bridges represents a massive leap in financial obfuscation. If you are an investor, a compliance officer, or just someone concerned about the stability of the digital asset ecosystem, understanding this evolution is critical. Here is how DPRK hackers are bypassing restrictions and what it means for the future of crypto security.

The Shift from Mixers to Cross-Chains

To understand the current threat, we first need to look at what changed. In the past, North Korean hackers relied heavily on privacy coins and centralized mixing services like Tornado Cash or Wasabi Wallet. These tools worked by pooling funds together and sending them out in a scrambled order, breaking the link between the sender and the receiver. However, as regulatory pressure mounted and entities like Tornado Cash were sanctioned, this method became risky and slow.

Around 2022 and 2023, the strategy shifted dramatically. The Lazarus Group began exploiting cross-chain bridges, which are protocols that allow assets to move between different blockchain networks. Instead of hiding money in one place, they started hopping between chains. Data from Elliptic shows that the Lazarus Group drove a 111% surge in funds processed through these conversion services. By moving stolen Ethereum to Bitcoin, or Tron tokens to Binance Smart Chain, they create a trail that is fragmented across multiple ledgers. This fragmentation forces investigators to piece together puzzles from several different databases, buying the hackers valuable time.

Anatomy of a Modern Heist: The Bybit Case Study

The scale of this operation became undeniable with the Bybit heist in February 2025. Attributed to TraderTraitor, a subunit of the DPRK’s Reconnaissance General Bureau (RGB), this single attack stole over $1.5 billion, making it the largest crypto theft in history. What made this incident particularly revealing was not just the amount, but the method used to launder the proceeds.

Following the breach, investigators traced a chaotic web of transactions. The stolen Ethereum was not simply moved to a cold wallet. Instead, it underwent multiple rounds of swapping. Portions were routed through Binance Smart Chain and Solana, while the majority was converted directly into Bitcoin. TRM Labs identified specific bridges like the Avalanche Bridge and Ren Bridge being used extensively. In one instance, more than 9,500 BTC were deposited through the Avalanche Bridge alone. This rapid movement across Bitcoin, Ethereum, BitTorrent Chain (BTTC), and Tron networks demonstrates a high degree of automation and pre-planning.
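The fragmentation described in the two passages above (a trail split across Ethereum, Tron and Bitcoin, stitched together only through bridge deposits and releases) is what an investigator has to reassemble. The following Python example is added here and is not code from the article or from any analytics vendor it names. It assumes a simplified data model: per-chain transfer records plus a list of bridge events that pair a deposit transaction on the source chain with the corresponding release transaction on the destination chain. All addresses, transaction ids and amounts are constructed for illustration, and the taint model is binary (an address is tainted or not) rather than proportional.

```python
from collections import defaultdict, deque

# Constructed sample ledgers (not real on-chain records).
# Each transfer: (chain, txid, sender, recipient, asset, amount)
TRANSFERS = [
    ("ethereum", "e1", "exchange_hot", "thief_eth_1", "ETH", 1000.0),
    ("ethereum", "e2", "thief_eth_1", "thief_eth_2", "ETH", 600.0),
    ("ethereum", "e3", "thief_eth_1", "bridgeA_deposit", "ETH", 400.0),   # deposit into bridge A
    ("ethereum", "e4", "thief_eth_2", "bridgeB_deposit", "ETH", 600.0),   # deposit into bridge B
    ("tron", "t1", "bridgeA_vault", "thief_trx_1", "USDT", 400000.0),    # release from bridge A
    ("tron", "t2", "thief_trx_1", "otc_desk_trx", "USDT", 400000.0),
    ("bitcoin", "b1", "bridgeB_vault", "thief_btc_1", "BTC", 9.5),        # release from bridge B
    ("ethereum", "e9", "unrelated_user", "dex_router", "ETH", 2.0),      # legitimate noise
]

# Bridge events pair a source-chain deposit tx with the destination-chain release tx.
# In practice these come from the bridge's own event logs; here they are constructed.
BRIDGE_EVENTS = [
    (("ethereum", "e3"), ("tron", "t1")),
    (("ethereum", "e4"), ("bitcoin", "b1")),
]


def build_indexes(transfers, bridge_events):
    """Index transfers by sender and by (chain, txid); index bridge deposits."""
    outgoing = defaultdict(list)  # (chain, address) -> transfers sent from it
    by_tx = {}                    # (chain, txid) -> transfer tuple
    for tr in transfers:
        chain, txid, sender, _, _, _ = tr
        outgoing[(chain, sender)].append(tr)
        by_tx[(chain, txid)] = tr
    bridge_out = dict(bridge_events)  # (src_chain, src_txid) -> (dst_chain, dst_txid)
    return outgoing, by_tx, bridge_out


def trace_taint(origin, transfers=TRANSFERS, bridge_events=BRIDGE_EVENTS):
    """Breadth-first taint propagation from a theft address across chains.

    A transfer into a bridge deposit address is followed through the bridge
    event to the recipient of the release tx on the destination chain, so the
    resulting hop list reads as one continuous path instead of three ledgers.
    """
    outgoing, by_tx, bridge_out = build_indexes(transfers, bridge_events)
    tainted = {origin}
    hops = []  # (from_node, to_node, label)
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for chain, txid, _sender, recipient, _asset, _amount in outgoing[node]:
            if (chain, txid) in bridge_out:
                dst_chain, dst_txid = bridge_out[(chain, txid)]
                _, _, _, dst_recipient, _, _ = by_tx[(dst_chain, dst_txid)]
                nxt = (dst_chain, dst_recipient)
                hops.append((node, nxt, f"{chain}:{txid} -> {dst_chain}:{dst_txid}"))
            else:
                nxt = (chain, recipient)
                hops.append((node, nxt, f"{chain}:{txid}"))
            if nxt not in tainted:
                tainted.add(nxt)
                queue.append(nxt)
    # Endpoints are tainted addresses with no further outgoing transfers:
    # the places where funds currently sit (e.g. parked BTC or an OTC desk).
    endpoints = sorted(n for n in tainted if not outgoing[n])
    return {
        "tainted": tainted,
        "hops": hops,
        "endpoints": endpoints,
        "chains": sorted({chain for chain, _ in tainted}),
    }


if __name__ == "__main__":
    result = trace_taint(("ethereum", "thief_eth_1"))
    for src, dst, label in result["hops"]:
        print(f"{src} -> {dst}   via {label}")
    print("endpoints:", result["endpoints"])
```

Without the bridge event index, the walk would stop at `bridgeA_deposit` and `bridgeB_deposit` and an analyst would have to start over on Tron and Bitcoin by hand; the index is the piece that most bridge-aware tracing tools supply. A production tracer would also carry amounts and timestamps so that partial flows and time-based matching of deposits to releases can be handled.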

Key Metrics of Recent DPRK Crypto Operations

| Year | Total Stolen (USD) | Number of Incidents | Primary Target Type                       |
|------|--------------------|---------------------|-------------------------------------------|
| 2023 | $660.5 Million     | 20                  | Centralized Exchanges                     |
| 2024 | $1.34 Billion      | 47                  | Exchanges & DeFi Protocols                |
| 2025 | Over $2 Billion    | N/A (Escalating)    | Exchanges & High-Net-Worth Individuals    |

The "Flood the Zone" Technique

One of the most effective tactics employed by these hackers is known as "flooding the zone." Nick Carlsen, a North Korea expert at TRM Labs, describes this as overwhelming compliance teams and law enforcement with sheer volume. Instead of making a few large, suspicious transfers, the hackers execute thousands of small, rapid transactions across multiple platforms simultaneously.

This technique exploits the limitations of human review processes. Automated systems might flag some transactions, but the speed and complexity of cross-chain swaps mean that by the time an alert is raised, the funds have already moved three or four times. The goal is not just anonymity but confusion. By creating noise, they make it statistically difficult to distinguish illicit flows from legitimate market activity. This approach requires significant computational power and automated software, highlighting the industrial nature of these operations.
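The paragraphs above explain that flooding works by staying below the per-transaction size that triggers review while moving funds faster than human analysts can react. A velocity rule that looks at the cluster of source addresses rather than at individual transfers is the usual first defensive answer. The Python below is an added illustration of such a rule, not code from the article or from TRM Labs; the event stream, cluster labels and thresholds are all constructed, and the assumption is that transfers from related addresses have already been grouped into a `cluster` label by upstream heuristics.

```python
from collections import defaultdict, deque


def make_burst(cluster, start_ts, count, platforms, amount_usd):
    """Constructed helper: one transfer every two seconds, rotating across platforms."""
    return [
        {"ts": start_ts + 2 * i, "cluster": cluster,
         "platform": platforms[i % len(platforms)], "amount_usd": amount_usd}
        for i in range(count)
    ]


# Constructed event stream (not real transactions).
EVENTS = sorted(
    # cluster_A: 40 small transfers in 80 s across three venues -> the flooding pattern
    make_burst("cluster_A", 1000, 40, ["dex_1", "bridge_x", "dex_2"], 950.0)
    # cluster_B: one large transfer; size-based rules catch this, velocity rules should not
    + [{"ts": 1010, "cluster": "cluster_B", "platform": "cex_1", "amount_usd": 250000.0}]
    # cluster_C: slow drip of small transfers on one venue, every 30 s -> below the rate
    + [{"ts": 1000 + 30 * i, "cluster": "cluster_C", "platform": "dex_1", "amount_usd": 500.0}
       for i in range(10)],
    key=lambda e: e["ts"],
)


def detect_flood(events, window_s=60, min_count=20, min_platforms=2, max_amount_usd=5000.0):
    """Flag a cluster when, within a sliding window, it emits many small transfers
    spread over several platforms. Returns one alert per cluster (first trigger)."""
    windows = defaultdict(deque)  # cluster -> recent events within window_s
    alerts, alerted = [], set()
    for ev in events:
        w = windows[ev["cluster"]]
        w.append(ev)
        while w and ev["ts"] - w[0]["ts"] > window_s:
            w.popleft()  # drop events older than the window
        small = [e for e in w if e["amount_usd"] <= max_amount_usd]
        platforms = {e["platform"] for e in small}
        if (len(small) >= min_count and len(platforms) >= min_platforms
                and ev["cluster"] not in alerted):
            alerted.add(ev["cluster"])
            alerts.append({
                "cluster": ev["cluster"],
                "first_ts": small[0]["ts"],
                "alert_ts": ev["ts"],
                "latency_s": ev["ts"] - small[0]["ts"],
                "count": len(small),
                "platforms": sorted(platforms),
                "total_usd": sum(e["amount_usd"] for e in small),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_flood(EVENTS):
        print(a)
```

The `latency_s` field makes the article's point measurable: even with a fully automated rule, the first alert fires tens of seconds after the burst began, by which time several hops have already happened. The rule is deliberately simple; a real deployment has to baseline each cluster, since market makers and arbitrage bots legitimately produce the same high-rate, multi-venue shape, and it has to correlate the alert with the cross-chain trace rather than treat it as an endpoint.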

[Illustration: Analysts overwhelmed by a flood of chaotic digital transaction waves]

Why Restrictions Are Failing

You might wonder why existing sanctions haven’t stopped this bleeding. The answer lies in the decentralized nature of the tools being used. Traditional banking restrictions rely on cutting off access to the SWIFT network or freezing accounts at regulated institutions. In the crypto world, especially when using decentralized exchanges (DEXs) and non-custodial bridges, there is no central authority to enforce these blocks.

Furthermore, the use of "obscure blockchains" complicates matters. Many smaller or newer chains lack the robust analytics coverage provided by firms like Chainalysis or TRM Labs. Hackers exploit these blind spots, moving funds to chains where tracking capabilities are diminished before bringing them back to major networks. Additionally, the creation of custom tokens issued directly by laundering networks allows them to trade among themselves without ever touching a public ledger in a recognizable way. This adaptability means that every time regulators close one door, the Lazarus Group finds a window.

The Human Element: A New Attack Vector

While the technical side of cross-chain laundering is impressive, the entry point for many recent attacks has become surprisingly low-tech. Elliptic notes that the weak point in cryptocurrency security is now human, not technological. In 2025, there was a marked pivot toward targeting individuals, particularly high-net-worth holders and company executives.

Instead of trying to hack a secure exchange server, hackers use phishing, fake job offers, and compromised social media accounts to steal private keys. Once they have access to a wallet, the cross-chain machinery kicks in. This shift broadens the attack surface significantly. It means that even if you never interact with a vulnerable exchange, you could still be part of the laundering chain if your credentials are compromised. The sophistication of the laundering process is now matched by the sophistication of the social engineering used to initiate the theft.

[Illustration: Stolen crypto transforming into missiles, threatening global security]

The Arms Race: Tracking vs. Hiding

In response to these evolving threats, the blockchain intelligence community has upgraded its tools. TRM Labs introduced cross-chain analytics in 2019 and later launched TRM Phoenix, a solution designed to automatically trace fund flows across bridges. These tools attempt to visualize the entire journey of an asset, regardless of how many chains it hops across.

However, this is an ongoing arms race. As trackers get better, hackers get smarter. The recent use of "refund addresses" to redirect assets to fresh wallets breaks the chain of custody in ways that challenge even advanced algorithms. Moreover, much of the stolen Bitcoin remains stationary after conversion, suggesting that hackers are preparing for large-scale liquidation through over-the-counter (OTC) networks rather than immediate on-chain trading. This patience indicates a long-term strategy focused on eventual fiat conversion outside the visible blockchain layer.

Global Security Implications

The stakes here extend far beyond the crypto industry. A UN report highlighted that the DPRK’s weapons program is largely funded by these cyber operations. With approximately 50% of the regime’s foreign-currency earnings coming from cybercrime, every dollar laundered contributes to nuclear proliferation and missile development. The Wilson Center emphasizes that this is a matter of global security. The progressive escalation from $660 million in 2023 to over $2 billion in 2025 shows that this revenue stream is not just stable; it is growing exponentially.

If left unchecked, this trend normalizes the use of digital assets for state-sponsored terrorism and destabilization. It undermines the integrity of the global financial system and challenges the effectiveness of international sanctions. The ability of a rogue state to extract billions from the global economy without facing physical consequences sets a dangerous precedent for other actors.

What is cross-chain crypto laundering?

Cross-chain crypto laundering is a technique where stolen cryptocurrency is moved across multiple different blockchain networks (like Ethereum, Bitcoin, and Tron) using bridge protocols. This fragmentation makes it difficult for investigators to trace the origin and destination of the funds, as they must analyze data from several separate ledgers.

Who are the Lazarus Group hackers?

The Lazarus Group is a collective name for various cyber warfare units operated by the Democratic People's Republic of Korea (DPRK). Specifically, they are linked to the 3rd Bureau of the Reconnaissance General Bureau (RGB). They are responsible for some of the largest cryptocurrency heists in history, including the Bybit attack in 2025.

Why did North Korean hackers stop using mixers like Tornado Cash?

Mixers faced increased regulatory scrutiny and sanctions, making them riskier and slower to use. Consequently, DPRK hackers shifted to cross-chain bridges, which offer faster transaction speeds and greater complexity, allowing them to evade detection more effectively in the current regulatory environment.

What is the "flood the zone" technique?

This is a tactic where hackers overwhelm compliance teams and blockchain analysts with a high volume of rapid, small transactions across multiple platforms. The goal is to create enough noise and confusion to delay detection and interdiction efforts while the funds are moved further down the laundering chain.

How does DPRK crypto theft impact global security?

Cybercrime provides a significant portion of the DPRK's foreign currency earnings, which are directly used to fund its nuclear weapons and missile programs. Therefore, successful crypto laundering by these hackers directly contributes to global instability and the proliferation of weapons of mass destruction.

Can blockchain analytics firms track cross-chain movements?

Yes, firms like TRM Labs and Chainalysis have developed specialized tools such as TRM Phoenix to trace funds across different blockchains. However, this is an ongoing arms race, as hackers continuously evolve their methods to exploit gaps in analytics coverage, particularly on obscure or lesser-known chains.
