
Lazarus Group Deposits 400 ETH to Tornado Cash, Targets Crypto Vets on Zoom
On March 13, 2025, two security incidents tied to the Lazarus Group drew attention across the cryptocurrency industry. In the first, the Lazarus Group, a North Korean state-sponsored hacking collective, deposited 400 ETH (approximately $750,000) into Tornado Cash, a decentralized privacy tool, as reported by blockchain security firm CertiK (CoinTelegraph). The second is a continuing campaign in which hackers, possibly including the Lazarus Group, target crypto veterans with fake Zoom meeting links; losses have been reported since November 2024 (Bitcoinist).
The Lazarus Group (its financially motivated arm is tracked by some vendors as APT38) has been active since at least 2009 and has a long history of high-profile intrusions, including the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist (Trend Micro). Its focus has increasingly shifted to cryptocurrency, with recent exploits including the $1.4 billion Bybit exchange hack on February 21, 2025, and the $29 million Phemex exchange hack in January 2025 (CryptoNews). These attacks are believed to fund North Korea's nuclear program, and the group launders stolen funds through a range of methods, including mixers such as Tornado Cash.
Tornado Cash, launched in 2019, is a non-custodial privacy protocol on the Ethereum blockchain. Users deposit fixed denominations into a shared pool and later withdraw to a fresh address, presenting a zero-knowledge proof that they own one of the deposits without revealing which, which breaks the on-chain link between sender and recipient (CoinGecko). The US Treasury sanctioned it in August 2022 for allegedly laundering over $7 billion, including $455 million stolen by the Lazarus Group in 2022 (Merkle Science). Because the protocol runs as immutable smart contracts that no operator can switch off, sanctions constrain who may legally interact with it but do not stop it from functioning, and it remains a tool for hackers to obscure transaction trails.
Details of the Deposit to Tornado Cash
On March 13, 2025, CertiK alerted its X followers to a deposit of 400 ETH into Tornado Cash, tracing the funds back to the Lazarus Group's activity on the Bitcoin network (CoinTelegraph). The deposit, worth around $750,000 at the time, fits the group's standard approach to laundering proceeds from recent hacks. According to Chainalysis data, the Lazarus Group was linked to over $1.3 billion in crypto thefts across 47 incidents in 2024, more than double the previous year's figure (TradingView). Routing funds through a mixer is consistent with the group's history and makes tracing and recovery considerably harder.
Zoom Scams Targeting Crypto Veterans
Concurrently, a phishing campaign targeting cryptocurrency users has been uncovered that uses fake Zoom meeting links to deliver malware and steal assets (CryptoNews). Blockchain security firm SlowMist reported on December 27, 2024, that the attackers used a phishing domain mimicking Zoom's interface, "app[.]us4zoom[.]us", to trick victims into downloading malicious software (Invezz). The campaign, active since November 2024, has caused over $1 million in losses, with victims losing wallet credentials and other sensitive data. Reports attribute the attacks to North Korean hackers, potentially including the Lazarus Group, given the group's history of social engineering (CryptoPotato).
While it has not been definitively proven that the Lazarus Group is directly responsible for the Zoom scams, its involvement in similar activity, such as targeting crypto firms with the macOS malware Hidden Risk, suggests a possible connection (The Hacker News). Crypto veterans, who are high-value targets because of their expertise and assets, are natural candidates for such lures, and the campaign illustrates how the group's tactics keep evolving.
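The lure in the campaign above works because "app.us4zoom.us" looks like a Zoom hostname while its registrable domain is not Zoom's. The following is an added example, not code from the original article or from any of the firms it cites, showing the check a practitioner would run over meeting links pulled from mail or chat logs: refang defanged indicators, extract the hostname, and compare the registrable domain against an allowlist. The allowlist (`zoom.us`, `zoom.com`) and the sample links are assumptions constructed for the example; the registrable-domain logic is deliberately simplified and does not handle multi-label public suffixes.

```python
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains Zoom uses for meeting links.
# Constructed for this example; confirm against your own vendor records.
ZOOM_DOMAINS = frozenset({"zoom.us", "zoom.com"})


def refang(text: str) -> str:
    """Undo the defanging used in threat reports (hxxp://, [.], (.))."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'app.us4zoom.us' -> 'us4zoom.us'.

    Simplified on purpose: a real deployment should use the Public Suffix
    List so that hosts under suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_meeting_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for a meeting link.

    'legit'     registrable domain is on the Zoom allowlist
    'lookalike' not on the allowlist but the host tries to look like Zoom
                (contains 'zoom' or uses non-ASCII labels that may be homoglyphs)
    'other'     anything else, including userinfo tricks like https://zoom.us@evil/
    """
    parts = urlsplit(refang(url.strip()))
    host = parts.hostname or ""          # hostname drops userinfo and port
    if not host:
        return "other"
    if registrable_domain(host) in ZOOM_DOMAINS:
        return "legit"
    if "zoom" in host or not host.isascii():
        return "lookalike"
    return "other"


def triage(links):
    """Classify a batch of links and return (url, verdict) pairs."""
    return [(link, classify_meeting_link(link)) for link in links]


# Constructed sample links: one real-looking Zoom URL, the phishing domain
# named in the SlowMist report, a subdomain trick, a userinfo trick and a
# Cyrillic homoglyph host.
SAMPLE_LINKS = [
    "https://us04web.zoom.us/j/12345678901",
    "hxxps://app[.]us4zoom[.]us/meeting/join",
    "https://zoom.us.meetings.example/j/1",
    "https://zoom.us@evil.example/j/1",
    "https://z\u043e\u043em.us/j/1",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS):
        print(f"{verdict:10} {link}")
```

Only the first link is classified as legitimate; the other four are the shapes a fake-Zoom lure typically takes. The check is cheap enough to run on every meeting invitation an analyst or a mail gateway sees, and the `lookalike` verdict is the one worth alerting on.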
Implications and Industry Impact
For the crypto industry, these incidents underscore the need for stronger defenses on two fronts: robust anti-money laundering (AML) and know-your-customer (KYC) controls at exchanges, and greater awareness of social engineering among users. The Lazarus Group's use of Tornado Cash highlights the difficulty of regulating decentralized privacy tools, while the Zoom scams show why user education remains essential against phishing.
Comparison with Global Trends
Globally, the crypto space faces increasing scrutiny, with countries such as the US cracking down on illicit activity, as seen in the sanctions on Tornado Cash (US Treasury). North Korean hackers, including the Lazarus Group, have been responsible for over $3 billion in crypto thefts since 2017 according to Chainalysis, making them one of the most significant threats to the industry (Chainalysis). The Zoom scams fit a broader pattern of social engineering attacks seen in other sectors, but their focus on crypto veterans is particularly concerning.
Table: Key Details of Lazarus Group's Activities and Zoom Scams

| Aspect | Details |
|---|---|
| Group Involved | Lazarus Group (North Korean hackers) |
| ETH Deposit | 400 ETH to Tornado Cash, ~$750,000, March 13, 2025 |
| Recent Hacks | Bybit ($1.4B, Feb 2025), Phemex ($29M, Jan 2025) |
| Zoom Scams | Fake links since Nov 2024, over $1M stolen |
| Tactics | Laundering via mixers, social engineering via Zoom |
| Industry Impact | Increased need for AML, KYC, user education |
| Global Context | Part of $3B+ in North Korean crypto thefts since 2017 |
Key Citations
- Lazarus Group deposits 400 ETH into Tornado Cash, new malware
- Lazarus Group moves 400 ETH to Tornado Cash, expands malware campaign
- Zoom Scams Target Crypto Users: What You Need to Know
- Investors Beware: Hackers Target Crypto Users With New Zoom Meeting Scam
- Hackers use fake Zoom links to target crypto users, steal $1M: report
- Zoom Meeting Scam: Crypto Users Fall Prey to Potential Russian-linked Hackers
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS
- A Look into the Lazarus Group’s Operations
- Tornado Cash Price: TORN Live Price Chart, Market Cap & News Today
- U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash
- Understanding Tornado Cash, Its Sanctions Implications, and Key Compliance Questions
- Tornado Cash Sanctions
- Lazarus Group sends 400 ETH to Tornado Cash, deploys new malware