Chainalysis: Law Enforcement Plays Whack-A-Mole With Lazarus

A Chainalysis report highlights the cat-and-mouse game between Lazarus Group and law enforcement in laundering illicit funds.

A red robot with North Korean decal and Kim Jong Un style hair being cough red handed in a digital space.
Created by Gabor Kovacs from DailyCoin
  • Lazarus Group‘s money laundering strategies continue to evolve.
  • Authorities are caught in a cat-and-mouse game with cybercriminals.
  • Lazarus Group’s hacking techniques have also evolved.

The notorious cybercriminal group Lazarus has orchestrated several brazen digital heists, including the 2014 attack on Sony and the 2022 Ronin Bridge hack. Key to Lazarus’s criminal operations is the ability to launder stolen funds while also evading the reach of law enforcement.  

However, with growing scrutiny around known money laundering processes, Chainalysis reported that the Lazarus Group has switched up its strategies to anonymize funds in 2023.   

Chainalysis Reports Evolving Money Laundering Strategies 

Lazarus Group used the Tornado Cash mixer to anonymize funds before the US Treasury sanctioned the service in August 2022. However, Chainalysis reported that the North Korean-affiliated hacker group switched to an alternative mixer service called Sinbad after Tornado Cash was no longer available.


Following the US Treasury sanctioning of Sinbad in November 2023, Lazarus Group has embraced the recently launched YoMix service as their mixer platform of choice. Chainalysis stated that around a third of YoMix’s inflows have come from wallets associated with the Lazarus Group.  

Mixers, also known as coin tumblers, collect inflows from users, merge the transactions, and re-distribute the funds to hinder the ability to trace the flow of funds across the chain.

In addition to using mixer services, cybercriminals such as the Lazarus Group also employ cross-chain bridges, also known as chain hopping, to obfuscate the flow of illicit funds. Chainalysis noted that the volume of illicit funds moving cross-chain had jumped to $744 million in 2023, representing a 128% increase from 2022’s $312 million value.


Documenting the flow of illicit funds from the June 2022 Harmony Horizon Bridge hack, Chainalysis revealed that stolen Bitcoin was moved to the Avalanche blockchain, swapped into a stablecoin, and bridged again onto TRON

The intricacy of bouncing the stolen Harmony funds across multiple blockchains mirrors the increasing sophistication Lazarus Group has developed over time.

Lazarus Group Grows Increasingly Sophisticated

The first recorded Lazarus Group cyber incident was a spate of relatively simple denial of service (DDoS) attacks against US and South Korean government websites in 2009, but the 2014 “Scorched Earth” hack of Sony demonstrated growing technical sophistication.

In subsequent years, strikes expanded to target banks, such as Vietnam’s Tien Phong Bank and the Bangladesh Central Bank. It was only a matter of time before the Lazarus Group would go after crypto firms. 

Forensic experts have tied Lazarus to some of the highest-profile crypto hacks in history, including the Atomic Wallet hack in June 2023, and the Ronin Bridge hack in March 2022, which involved socially engineering a Sky Mavis engineer through an elaborate fake interview into installing malware that compromised the network

On the Flipside

  • Chainalysis reported that laundered crypto funds fell to $22.2 billion in 2023 from $31.5 billion in 2022.
  • Lazarus Group is estimated to have stolen $3 billion from crypto firms over the past three years.

Why This Matters

Law enforcement will forever be playing a cat-and-mouse game with cybercriminals such as Lazarus. Effective solutions will require continued tracking of new tactics, cross-chain analysis, and global KYC standards, much to the annoyance of law-abiding crypto users caught in the crossfire.

Read more on newly identified Lazarus Group malware here:
New Lazarus Group Malware Threat Places Crypto On High Alert

Find out about MicroStrategy’s pivot to Bitcoin development here:
Saylor Clarifies MicroStrategy’s New Strategy- Becoming more BTC-Friendly

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Trading forex, cryptocurrencies, and CFDs pose a considerable risk of loss.

Samuel Wan

Samuel Wan is a finance professional turned crypto journalist, known for his insightful reporting on market trends, regulatory changes, and technological developments within the digital asset industry. His ability to simplify complex concepts and report the facts has made him a trusted source in the crypto community. Beyond his writing, Samuel is an active mountain biker and gamer.