Cybersecurity threats against the cryptocurrency industry have intensified recently, with reports of sophisticated attacks linked to North Korean state-sponsored hackers. Blockchain security firms and industry researchers have identified new tactics from the notorious Lazarus Group, including laundering stolen assets through crypto mixers and seeding malicious packages in the npm registry. At the same time, multiple crypto founders have reported phishing attempts built around fake Zoom calls, designed to get them to install malware disguised as an audio fix.
North Korean Lazarus Group Moves Stolen Crypto Using Mixers Amid Fresh Malware Threats
The notorious North Korean-affiliated hacking collective, the Lazarus Group, has once again made headlines for its illicit activities in the cryptocurrency space. The group, known for orchestrating high-profile cyber heists, has recently been observed laundering stolen digital assets through crypto mixers, further complicating efforts by authorities and blockchain analysts to track and recover funds.
On March 13, blockchain security firm CertiK reported a suspicious deposit of 400 ETH (roughly $750,000) into Tornado Cash, the best-known Ethereum mixing service. CertiK traced the funds to the Lazarus Group's activity on the Bitcoin network, reinforcing concerns that the group continues to rely on obfuscation services to cover its tracks.
Tornado Cash has been a focal point of controversy in the crypto industry because of the anonymity it provides. Users deposit fixed-denomination amounts into a shared pool and later withdraw them to a fresh address by presenting a zero-knowledge proof of the deposit. That breaks the on-chain link between the depositing and withdrawing addresses, which is what makes illicit funds difficult for authorities and blockchain forensic firms to trace.
The Lazarus Group has been behind some of the most devastating cyberattacks in the crypto sector. In February 2025, the group drained an estimated $1.4 billion in assets from the Bybit exchange, the largest crypto theft on record. That heist came a month after an attack on the Phemex exchange in January that netted about $29 million.
Beyond exchange hacks, Lazarus has a history of targeting blockchain bridges and DeFi platforms. One of the group's most infamous exploits was the roughly $620 million theft from the Ronin bridge in March 2022, which remains one of the largest cryptocurrency thefts in history.
According to blockchain analytics firm Chainalysis, North Korean hackers stole roughly $1.34 billion worth of cryptocurrency across 47 separate incidents in 2024 alone, more than double the total stolen in 2023. The figures show both the growing scale of the operation and its increasing sophistication.
Beyond the thefts themselves, the Lazarus Group has been deploying new malware to infiltrate developer environments and steal sensitive data. Researchers at Socket recently uncovered six malicious npm packages designed to compromise developer machines and gain access to crypto wallets.
The packages target npm, the package registry that JavaScript developers use to pull third-party libraries into their applications. They carry BeaverTail, an infostealer previously attributed to Lazarus, and rely on typosquatting: the packages are published under names that closely resemble trusted libraries, so a developer who mistypes a dependency, or copies a name without checking it, installs the malicious version instead.
Once installed, these malicious packages execute a range of functions, including:
Extracting cryptocurrency wallet credentials
Installing backdoors for remote access
Harvesting sensitive browser data from Google Chrome, Brave, and Firefox
Targeting keychain data on macOS systems
The stealer specifically looks for Solana wallet keys and Exodus wallet data, and the backdoor gives the operators persistent remote access to the machine. A compromised developer workstation exposes every project, token and credential stored on it, which lets the attackers pivot from one infected machine to the applications and infrastructure that developer can reach.
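The two traits described above, lookalike names and code that runs at install time, are exactly what a dependency audit should look for. The following is an added example, not code from the article or from Socket's report: it scans a set of package.json manifests (the kind found under node_modules/<name>/package.json) for names within one typo of a dependency you trust and for lifecycle install scripts, which are where a loader embedded in a package executes the moment npm install finishes. The TRUSTED_PACKAGES list and every name in SAMPLE_MANIFESTS are constructed for illustration; none is a known malicious package.

```javascript
// Added example (not from the article or Socket). Audits package manifests for
// typosquat candidates and install-time lifecycle hooks.

// Assumption: the dependencies your project deliberately relies on.
const TRUSTED_PACKAGES = ["lodash", "express", "bs58", "@solana/web3.js", "axios"];

// npm runs these scripts automatically during installation.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Optimal string alignment distance: Levenshtein plus an adjacent transposition
// counted as a single edit, since "bs85" for "bs58" is the typo squatters bet on.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => {
    const row = new Array(b.length + 1).fill(0);
    row[0] = i;
    return row;
  });
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Packages whose name is within maxDist edits of a trusted name without being
// that name. Distance 0 is the trusted package itself and is never reported.
function typosquatCandidates(manifests, trusted = TRUSTED_PACKAGES, maxDist = 1) {
  const findings = [];
  for (const { name } of manifests) {
    let best = null;
    for (const t of trusted) {
      const distance = editDistance(name.toLowerCase(), t.toLowerCase());
      if (distance > 0 && distance <= maxDist && (best === null || distance < best.distance)) {
        best = { name, lookalikeOf: t, distance };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Packages that register any install-time lifecycle script. A hook is a review
// trigger, not a verdict: native add-ons legitimately run node-gyp here.
function packagesWithInstallHooks(manifests) {
  return manifests
    .map(m => {
      const hooks = {};
      for (const h of INSTALL_HOOKS) {
        if (m.scripts && typeof m.scripts[h] === "string") hooks[h] = m.scripts[h];
      }
      return { name: m.name, hooks };
    })
    .filter(entry => Object.keys(entry.hooks).length > 0);
}

function auditManifests(manifests, trusted = TRUSTED_PACKAGES) {
  return {
    typosquats: typosquatCandidates(manifests, trusted),
    installHooks: packagesWithInstallHooks(manifests),
  };
}

// Constructed sample input standing in for the contents of node_modules.
const SAMPLE_MANIFESTS = [
  { name: "express", version: "4.19.2", scripts: { test: "mocha" } },
  { name: "expres", version: "1.0.3", scripts: { postinstall: "node ./setup.js" } },
  { name: "bs85", version: "0.0.1" },
  { name: "@solana/web3js", version: "1.2.0", scripts: { preinstall: "node -e \"require('./s.js')\"" } },
  { name: "native-addon-demo", version: "2.0.0", scripts: { install: "node-gyp rebuild" } },
];

console.log(JSON.stringify(auditManifests(SAMPLE_MANIFESTS), null, 2));
```

Against the sample, the audit flags expres, bs85 and @solana/web3js as lookalikes of trusted names, and lists the three packages that register install hooks; native-addon-demo shows why a hook alone is not a conviction. To run it on a real project, read each node_modules/*/package.json (and node_modules/@scope/*/package.json) with fs and pass the parsed objects in. A complementary control is npm's real ignore-scripts setting (npm config set ignore-scripts true, or npm install --ignore-scripts), which stops lifecycle hooks from running at all so that install-time loaders never execute; re-enable it only for packages whose scripts you have read.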
Lazarus Group's Evolving Tactics
Lazarus continues to refine its methods to evade detection. Its continued reliance on mixers such as Tornado Cash, which it also used to launder the Ronin proceeds in 2022, shows persistence, while the expansion of its malware campaigns into the package registries developers trust marks an alarming evolution in strategy.
Authorities worldwide are intensifying efforts to counter Lazarus and other state-sponsored hacking groups, but the decentralized and pseudonymous nature of blockchain technology presents significant challenges. The US Treasury Department sanctioned Tornado Cash in August 2022 for its role in laundering, including Lazarus proceeds, yet hackers continue to use it and similar services.
As cryptocurrency adoption grows, so does the threat posed by groups like Lazarus. The latest developments underline the urgent need for robust security practices among exchanges, developers, and individual users. Organizations involved in crypto trading and blockchain development must prioritize measures such as phishing-resistant multi-factor authentication, vetting of third-party dependencies (including what their install scripts run), and real-time transaction monitoring to detect and block unauthorized access.
While blockchain analysis firms like CertiK and Chainalysis continue to track illicit fund movements, the battle against cybercrime remains a game of cat and mouse. Governments and industry leaders must work together to develop more effective countermeasures, ensuring that digital assets remain secure from malicious actors.
North Korean Hackers Target Crypto Founders with Fake Zoom Calls in New Social Engineering Scam
In related news, North Korean hackers have reportedly been trying to infiltrate the devices of prominent crypto founders using deceptive Zoom calls. Over the past few days, at least three crypto executives have reported encounters with the scheme, in which the attackers pose as venture capitalists or potential business partners to trick their targets into installing malware.
Nick Bax, a security researcher with the white hat group Security Alliance (SEAL), detailed the scam in a March 11 post on X. According to Bax, the attackers reach out with offers of a high-profile meeting or partnership. Once the call begins, they claim to have audio problems while playing a pre-recorded stock video of a venture capitalist looking disinterested, and shortly afterwards send a new link, ostensibly to resolve the technical issue.
However, this alternative link is a trap. "It’s a fake link and instructs the target to install a patch to fix their audio/video," Bax explained. The hackers exploit human psychology, leveraging the urgency and excitement surrounding business meetings with prominent investors. By making victims believe they are in a critical negotiation, they increase the likelihood of bypassing their usual cybersecurity precautions. "Once you install the patch, you’re rekt," Bax warned, indicating that the malware effectively compromises the victim’s system upon installation.
Following Bax’s post, multiple crypto founders came forward to share their own experiences with the scam.
Giulio Xiloyannis, co-founder of blockchain gaming company Mon Protocol, revealed that both he and his head of marketing were targeted with a similar phishing attempt. He described how the scammers orchestrated a supposed business meeting centered around a partnership opportunity. However, at the last moment, they insisted he switch to a different Zoom link, citing audio issues.
Xiloyannis became suspicious when he noticed names from unrelated companies appearing on the call. "The moment I saw a Gumicryptos partner speaking and a Superstate one, I realized something was off," he noted, ultimately avoiding the malware trap.
David Zhang, co-founder of the US venture-backed stablecoin company Stably, also reported being targeted by the scam. However, unlike other cases, the hackers initially used Zhang’s own Google Meet link before abruptly claiming they needed to switch to an internal meeting.
Zhang, who joined the call from a tablet, suspects the malicious site fingerprints the target's operating system before deciding which payload to serve. "The site acted like a normal Zoom call. I took the call on my tablet, though, so I'm not sure what the behavior would've been on desktop," he said. Had he joined from a Windows PC or a Mac, he would likely have been prompted to install malware disguised as an update or audio fix.
Melbin Thomas, founder of Devdock AI, a decentralized AI platform for Web3 projects, recounted his own harrowing experience with the scam. Thomas admitted to nearly falling for the trap, having gone as far as initiating the installation process before realizing something was amiss.
The Lazarus Group Connection
The rise in phishing attempts targeting crypto founders coincides with heightened activity from North Korea's most notorious state-sponsored hacking group, the Lazarus Group. The US, Japan, and South Korea issued a joint cybersecurity warning on Jan. 14 flagging the growing threat that North Korean-affiliated hackers pose to the crypto industry.
With the increasing prevalence of cyber threats targeting crypto executives, it is crucial to implement best practices for cybersecurity. Here are a few key measures to avoid falling victim to similar scams:
Verify Video Call Invitations: Check the sender's identity and the meeting link's domain before joining, and treat any last-minute request to switch to a different link as a red flag rather than a technical hiccup.
Avoid Downloading Unknown Software: Never install updates, patches, or fixes from links shared during a video call. Conferencing clients update themselves from the vendor's own servers, and a working call never requires an extra "audio patch".
Use a Separate Device for Sensitive Meetings: Take unsolicited meetings on a secondary device that holds no wallet keys or signing credentials. A tablet limits what an installer can do, but as Zhang's experience shows, the attackers may simply serve nothing until they see a desktop.
Enable Multi-Factor Authentication (MFA): MFA limits the damage from stolen passwords, but it does not protect keys stored on an infected machine; keep wallet keys on hardware wallets where possible.
Consult a Security Expert if Suspicious: If you suspect you have been targeted or compromised, consult a cybersecurity professional before reconnecting any potentially infected devices.
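The "new link" that arrives mid-call is the pivot point of this scam, so it is worth checking mechanically rather than by eye. The following is an added example, not code from the article or from Security Alliance: it classifies a meeting link by scheme, embedded credentials, internationalized host labels, whether the host really belongs to a meeting provider (a subdomain check, not a substring match), and whether the link is actually a file download. ALLOWED_MEETING_HOSTS is an assumption to be replaced with the vendors your team uses, and every link in SAMPLE_LINKS is constructed.

```javascript
// Added example (not from the article or Security Alliance). Triage of meeting
// links before clicking them, using the WHATWG URL class built into Node.

// Assumption: the providers your team actually uses; add your own vendors.
const ALLOWED_MEETING_HOSTS = ["zoom.us", "meet.google.com"];

// A meeting invite is never an installer.
const INSTALLER_EXTENSIONS = /\.(dmg|pkg|exe|msi|zip|app)$/i;

// True only for the domain itself or one of its subdomains. A bare endsWith()
// would accept "evil-zoom.us"; a substring check would accept "zoom.us.example.net".
function hostBelongsTo(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

function suspicious(reason, host) {
  return { verdict: "suspicious", reason, host };
}

function classifyMeetingLink(link, allowedHosts = ALLOWED_MEETING_HOSTS) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return suspicious("not a parseable URL", null);
  }
  const host = url.hostname.toLowerCase();
  if (url.protocol !== "https:") {
    return suspicious(`scheme is ${url.protocol} rather than https:`, host);
  }
  // "https://us02web.zoom.us@evil.example/" puts the familiar name in the
  // userinfo field; the browser connects to whatever follows the "@".
  if (url.username || url.password) {
    return suspicious(`credentials embedded before the host; the real host is ${host}`, host);
  }
  // The URL parser converts Unicode hosts to punycode, so a homoglyph such as a
  // Cyrillic letter inside "zoom.us" surfaces as an "xn--" label.
  if (host.split(".").some(label => label.startsWith("xn--"))) {
    return suspicious("internationalized host label, possible homoglyph lookalike", host);
  }
  if (!allowedHosts.some(domain => hostBelongsTo(host, domain))) {
    return suspicious(`host ${host} is not a known meeting provider`, host);
  }
  if (INSTALLER_EXTENSIONS.test(url.pathname)) {
    return suspicious("link points at an installer; joining a call never requires a patch download", host);
  }
  return { verdict: "ok", reason: "host is a known meeting provider", host };
}

function triageLinks(links, allowedHosts = ALLOWED_MEETING_HOSTS) {
  return links.map(link => ({ link, ...classifyMeetingLink(link, allowedHosts) }));
}

// Constructed sample input: two ordinary invites followed by the kinds of
// "fixed" links a target might be sent mid-call. The seventh uses a Cyrillic
// letter (U+0455) in place of the Latin "s".
const SAMPLE_LINKS = [
  "https://us02web.zoom.us/j/1234567890?pwd=abcdef",
  "https://meet.google.com/abc-defg-hij",
  "https://zoom.us.meeting-audio-fix.example/j/1234567890",
  "https://us02web.zoom.us@meeting-audio-fix.example/j/1234567890",
  "http://zoom.us/j/1234567890",
  "https://zoom.us/j/ZoomAudioFix.pkg",
  "https://zoom.u\u0455/j/1234567890",
  "join the call here",
];

for (const result of triageLinks(SAMPLE_LINKS)) {
  console.log(`${result.verdict.padEnd(10)} ${result.link}  (${result.reason})`);
}
```

Only the first two sample links pass; the rest are rejected for a stated reason, with the userinfo case reporting the host the browser would actually contact. The check covers the link only: as Zhang's account shows, the page behind a link can serve a harmless meeting screen to a tablet and an installer to a desktop, so a link that looks fine from a secondary device has not been cleared for the laptop that holds your keys.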