Lazarus Group Laundering Playbook: 8 Years, $6.7B, and the Patterns Every Investigator Should Know
How North Korea's state-sponsored hackers move stolen crypto — and what their transactions look like on-chain

$6.7 billion. That's what Lazarus Group has extracted from the global cryptocurrency ecosystem since 2016. Not across thousands of victims — across a handful of high-value operations, each executed with military precision, each following a recognizable pattern.
The Bybit hack in February 2025 was the largest single crypto theft in history. Within 72 hours, blockchain investigators had already attributed it to Lazarus with high confidence — before the FBI formally confirmed it on February 26. That attribution happened through on-chain pattern recognition, not intelligence sources. The blockchain recorded everything.
Understanding how Lazarus launders crypto is not an academic exercise. It's the foundation of effective investigation. Every phase of their operation leaves traces. Knowing what to look for is the difference between a cold trail and a frozen wallet.
Who Is Lazarus Group
Lazarus Group is not a criminal organization in the traditional sense. It is attributed to the Reconnaissance General Bureau (RGB), North Korea's primary foreign intelligence service, and the US Treasury and UN sanctions monitors assess that its proceeds help fund the regime's weapons programs.
The cyber operations unit, often referred to as Bureau 121 (Office 39, by contrast, is the Workers' Party office that raises hard currency through other illicit trade), has a specific mandate: generate hard currency for the regime. Economic sanctions have cut North Korea off from most legitimate revenue sources. Cryptocurrency theft fills the gap.
The FBI refers to the cryptocurrency-theft cluster as TraderTraitor; Mandiant tracks the financially motivated subgroup as APT38; MITRE ATT&CK catalogs the group's techniques under G0032. They are classified as a nation-state advanced persistent threat: state intelligence operators with state resources and long time horizons, even when the immediate objective is money.
This distinction matters operationally. Lazarus is willing to hold stolen funds for years before laundering. They accept friction losses that would make a criminal organization walk away. They have no profit motive in the conventional sense — only extraction quotas. That changes how you model their behavior.
The Four Phases of a Lazarus Laundering Operation
Every major Lazarus operation has followed broadly the same four-phase structure. Bybit, Ronin Bridge, Harmony's Horizon Bridge, Atomic Wallet: the playbook is consistent enough that investigators recognized the Bybit fund flow within hours of the theft.
Phase 1: Fragmentation
Immediately after extraction, Lazarus never moves funds onward as a single block: one large transfer is trivial to follow and trips every automated threshold alert.
Instead, the stolen assets are split into roughly equal tranches and distributed across dozens of freshly created wallets. In the Bybit case, roughly 401,000 ETH was fanned out in tranches of about 10,000 ETH to some 40 to 50 new addresses.
What this looks like on-chain: a single root address fanning out to 30–60 child addresses within 1–6 hours of the theft, with transfers of suspiciously even amounts. No legitimate business sends near-identical 10,000 ETH tranches to dozens of brand-new addresses in 90 minutes.
Why it matters for tracers: Fragmentation is designed to overwhelm manual analysis. A human analyst clicking through Etherscan can follow one thread, maybe two. Dozens of simultaneous threads are impractical to follow by hand. This is why automated BFS traversal, the kind that powers ChainHint's fund flow graph, is essential. The machine follows every thread simultaneously and flags where they converge.
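A worked example of the fan-out heuristic described above, added here as an illustration and not taken from the article or from ChainHint's code: it takes a flat list of transfers, finds senders that push near-identical tranches to many never-before-seen addresses within a few hours, and rejects two look-alikes (an exchange hot wallet paying out withdrawals of varying size, and an equal-sized batch payout to addresses that already have history). Every address, hash, amount and timestamp below is constructed; the thresholds (30 children, 6-hour window, 5% coefficient of variation) are assumptions to tune against real data.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    sender: str
    recipient: str
    value_eth: float
    timestamp: int  # unix seconds


def detect_fanout(transfers, min_children=30, window_s=6 * 3600, max_cv=0.05):
    """Return {root: summary} for senders that fan out to many fresh wallets in near-equal tranches.

    Heuristic, not proof of theft: within window_s of a sender's first outgoing transfer, count
    distinct recipients that had never received funds before (fresh wallets) and require the
    tranche sizes to be nearly identical (coefficient of variation <= max_cv).
    """
    ordered = sorted(transfers, key=lambda t: t.timestamp)
    first_receipt = {}  # recipient -> timestamp of its first incoming transfer in the dataset
    for t in ordered:
        first_receipt.setdefault(t.recipient, t.timestamp)

    by_sender = defaultdict(list)  # sender -> outgoing transfers, time-ordered
    for t in ordered:
        by_sender[t.sender].append(t)

    flagged = {}
    for root, outs in by_sender.items():
        start = outs[0].timestamp
        burst = [t for t in outs if t.timestamp - start <= window_s]
        fresh = [t for t in burst if first_receipt[t.recipient] == t.timestamp]
        children = {t.recipient for t in fresh}
        if len(children) < min_children:
            continue
        values = [t.value_eth for t in fresh]
        cv = pstdev(values) / mean(values)
        if cv > max_cv:
            continue
        flagged[root] = {
            "children": len(children),
            "total_eth": round(sum(values), 3),
            "median_tranche_eth": sorted(values)[len(values) // 2],
            "span_minutes": (burst[-1].timestamp - start) // 60,
            "amount_cv": round(cv, 4),
        }
    return flagged


T0 = 1_740_150_000  # constructed reference instant (unix seconds)


def constructed_transfers():
    """Constructed dataset: one theft-style fan-out and two benign look-alikes."""
    txs = []
    # Case 1: one root pushes ~10,000 ETH to 40 never-seen addresses over ~88 minutes.
    root = "0xroot-exploiter-demo"
    for i in range(40):
        txs.append(Transfer(f"0xfan{i:02d}", root, f"0xfresh{i:02d}",
                            10_000 + (i % 5) * 0.01, T0 + i * 135))
    # Case 2: exchange hot wallet pays 60 withdrawals of widely varying size to fresh addresses.
    hot = "0xexchange-hot-wallet-demo"
    for i in range(60):
        txs.append(Transfer(f"0xwd{i:02d}", hot, f"0xcust{i:02d}",
                            0.5 + 3.7 * i, T0 + i * 60))
    # Case 3: equal-sized batch payout, but every recipient was funded a week earlier by
    # unrelated senders, so none of them counts as a fresh wallet.
    payer = "0xpayroll-demo"
    for i in range(40):
        txs.append(Transfer(f"0xseed{i:02d}", f"0xfunder{i:02d}", f"0xstaff{i:02d}",
                            0.1, T0 - 7 * 86_400))
        txs.append(Transfer(f"0xpay{i:02d}", payer, f"0xstaff{i:02d}", 1.5, T0 + i * 30))
    return txs


def run_demo():
    return detect_fanout(constructed_transfers())


if __name__ == "__main__":
    for root, summary in run_demo().items():
        print(root, summary)
```

Only the constructed exploiter root is flagged: the hot wallet fails the even-amount test and the payroll fails the fresh-wallet test. In practice the "fresh" check needs the recipient's full history, not just the window under review, otherwise an exchange sweep to newly generated deposit addresses can look the same.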
Phase 2: Liquidity Conversion
The stolen assets are not always the most liquid ones. In the Bybit case, stETH (Lido staked ETH) and mETH (Mantle staked ETH) were included in the theft. These are harder to move at scale than plain ETH: thinner liquidity, and unstaking introduces delays.
Before moving funds further, Lazarus converts everything to the most liquid available asset: ETH on Ethereum, BTC after cross-chain bridging. This conversion happens through DEXs — Uniswap, DODO, Curve — where transactions are permissionless and cannot be frozen.
What this looks like on-chain: Swaps on major DEX contracts appearing at hop 2–3 from the root address, converting staked/wrapped assets to ETH. The entity resolution layer of a forensics platform flags these as DEX interactions rather than wallet-to-wallet transfers.
Why it matters for tracers: This is a detection window. DEX interactions are visible and labeled. When ChainHint's entity resolver identifies a node as "DODO (DEX)" or "Uniswap V3," it signals liquidity consolidation, the moment when stolen assets are being prepared for cross-chain movement. The swaps themselves cannot be stopped, but investigators who catch this phase gain lead time to notify the exchanges and bridge operators that the consolidated ETH is likely to reach next.
Phase 3: Chain Bridging and Trail Splitting
The point where most investigations lose the trail: moving funds from Ethereum to Bitcoin.
This cross-chain jump breaks the continuous on-chain trail. An investigator tracking ETH addresses now needs to switch mental models, data sources, and address formats simultaneously. Most manual investigations lose continuity here.
Lazarus uses a combination of techniques for cross-chain transfers:
THORChain: A decentralized cross-chain liquidity protocol with no KYC, no freeze capability
Chainflip: Similar model, decentralized native cross-chain swaps
No-KYC bridges: Smaller, less monitored bridging infrastructure
By March 20, 2025, 27 days after the Bybit hack, Bybit CEO Ben Zhou reported that 86.29% of the stolen ETH had been converted to BTC. The trail had moved chains.
What this looks like on-chain: Bridge contract interactions appearing at hop 3–5, with ETH going in and corresponding BTC addresses receiving funds on the Bitcoin chain. This requires a fund tracing platform that maintains context across both EVM and Bitcoin simultaneously — the core capability gap between a block explorer and a forensics tool.
Why it matters for tracers: Cross-chain transitions are trackable. The inbound deposit records the destination; on THORChain, for example, the swap memo names the destination Bitcoin address, and the outbound Bitcoin transaction carries an OP_RETURN memo of the form OUT:<inbound transaction id>. A platform that tracks both chains can follow the trail across the bridge. What cannot be followed deterministically is what goes through mixers on the other side, which brings us to Phase 4.
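To make the cross-chain link concrete, here is an added example (not the article's code and not any vendor's) that parses THORChain-style swap memos of the form SWAP:ASSET:DESTADDR:LIM:AFFILIATE:FEE, including the = and s shorthands and the LIM/INTERVAL/QUANTITY streaming form, and joins each EVM-side deposit with the Bitcoin outbound whose OP_RETURN memo reads OUT:<inbound txid>. RouterDeposit and BtcOutbound are constructed stand-ins for the router's Deposit(to, asset, amount, memo) event and for a decoded Bitcoin transaction; the asset short-code table is a partial assumption; every hash and address is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Keywords accepted for a swap memo, plus a partial asset short-code table
# (assumption: only these codes appear in the sample; the protocol accepts more spellings).
SWAP_KEYWORDS = {"swap", "=", "s"}
ASSET_SHORTCODES = {"b": "BTC.BTC", "e": "ETH.ETH", "r": "THOR.RUNE"}


@dataclass(frozen=True)
class SwapIntent:
    dest_chain: str
    dest_asset: str
    dest_address: str
    limit: Optional[int]      # minimum output in base units, None if unset
    streaming: bool           # LIM/INTERVAL/QUANTITY form marks a streaming swap
    affiliate: Optional[str]


def normalize_asset(token):
    """Expand short codes and upper-case CHAIN.TICKER[-ADDRESS]; None if unrecognisable."""
    token = token.strip()
    if token.lower() in ASSET_SHORTCODES:
        return ASSET_SHORTCODES[token.lower()]
    return token.upper() if "." in token else None


def parse_swap_memo(memo):
    """Parse SWAP:ASSET:DESTADDR:LIM:AFFILIATE:FEE (or =:/s: shorthand); None for other memos."""
    parts = memo.strip().split(":")
    if len(parts) < 3 or parts[0].lower() not in SWAP_KEYWORDS:
        return None                      # ADD:, OUT:, REFUND: and friends are not swaps
    asset, dest = normalize_asset(parts[1]), parts[2].strip()
    if asset is None or not dest:
        return None
    limit, streaming = None, False
    if len(parts) > 3 and parts[3]:
        lim_fields = parts[3].split("/")
        streaming = len(lim_fields) > 1
        if lim_fields[0]:
            if not lim_fields[0].isdigit():
                return None
            limit = int(lim_fields[0])
    affiliate = parts[4] if len(parts) > 4 and parts[4] else None
    return SwapIntent(asset.split(".", 1)[0], asset, dest, limit, streaming, affiliate)


@dataclass(frozen=True)
class RouterDeposit:
    """Constructed stand-in for the router's Deposit(to, asset, amount, memo) event."""
    eth_tx_hash: str
    from_address: str
    amount_wei: int
    memo: str


@dataclass(frozen=True)
class BtcOutbound:
    """Constructed stand-in for a decoded Bitcoin tx whose OP_RETURN reads OUT:<inbound txid>."""
    btc_txid: str
    op_return: str
    recipient: str
    sats: int


def link_cross_chain(deposits, btc_outbounds):
    """Join BTC-bound deposits with the outbound that cites them; flag recipient mismatches."""
    out_by_inbound = {}
    for o in btc_outbounds:
        m = re.fullmatch(r"OUT:([0-9A-Fa-f]{64})", o.op_return.strip())
        if m:
            out_by_inbound[m.group(1).lower()] = o
    hops = []
    for d in deposits:
        intent = parse_swap_memo(d.memo)
        if intent is None or intent.dest_chain != "BTC":
            continue                     # liquidity adds and swaps to other chains are not BTC hops
        observed = out_by_inbound.get(d.eth_tx_hash.lower().removeprefix("0x"))
        hops.append({
            "eth_tx": d.eth_tx_hash,
            "eth_sender": d.from_address,
            "declared_btc_address": intent.dest_address,
            "streaming": intent.streaming,
            "btc_txid": observed.btc_txid if observed else None,
            "observed_btc_address": observed.recipient if observed else None,
            "recipient_match": observed is not None and observed.recipient == intent.dest_address,
        })
    return hops


def run_demo():
    deposits = [  # constructed events: two BTC swaps, one liquidity add, one swap to an ETH token
        RouterDeposit("0x" + "ab" * 32, "0xhop3-demo", 10_000 * 10**18,
                      "SWAP:BTC.BTC:bc1qdemodestinationone:88500000"),
        RouterDeposit("0x" + "11" * 32, "0xlp-demo", 5 * 10**18, "ADD:ETH.ETH"),
        RouterDeposit("0x" + "22" * 32, "0xother-demo", 10**18,
                      "=:ETH.USDC-0XDEMOTOKEN:0xother-demo:0"),
        RouterDeposit("0x" + "cd" * 32, "0xhop3-demo", 10_000 * 10**18,
                      "=:b:bc1qdemodestinationtwo:0/1/10"),
    ]
    outbounds = [  # constructed: the streaming swap has no outbound yet, so it stays pending
        BtcOutbound("demo-btc-txid-1", "OUT:" + "AB" * 32, "bc1qdemodestinationone", 95_000_000),
    ]
    return link_cross_chain(deposits, outbounds)


if __name__ == "__main__":
    for hop in run_demo():
        print(hop)
```

The declared address comes from the sender's own memo, so it is the address to put on a Bitcoin-side watchlist before the outbound even confirms; a streaming swap arrives as many outbounds over time, which is why the pending case is reported rather than dropped.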
Phase 4: Mixing and Cash-Out
After cross-chain conversion, Lazarus deploys their full obfuscation toolkit:
Bitcoin mixers (CoinJoin implementations such as Wasabi, plus custom services): Break the one-to-one mapping between inputs and outputs on the Bitcoin chain. Inputs from multiple sources combine; outputs go to multiple destinations. Without mixer-specific analytics, the trail goes cold here.
ETH mixers (Tornado Cash): The smart contracts are immutable. They kept operating through OFAC's 2022 designation (lifted in March 2025) and the prosecution of the project's developers, and they are still used for ETH obfuscation. ChainHint's entity resolver flags any interaction with Tornado Cash contract addresses as high-risk.
P2P vendor networks: Convert crypto to fiat through peer-to-peer platforms with no KYC. These are offline conversion points where the on-chain trail ends and the off-chain trail begins — the boundary where blockchain forensics hands off to traditional financial intelligence.
Money laundering-as-a-service: Lazarus has documented connections to organized crime networks in Southeast Asia and Russia that provide laundering infrastructure for a cut. This is an operational efficiency — DPRK doesn't have to build cash-out networks from scratch.
What this looks like on-chain: High-risk entity flags on mixer contracts. Known Tornado Cash addresses. Unusual transaction patterns on Bitcoin (round-number inputs, timing correlation with mixer cycles). Wallet clusters that go dormant for months before reactivating — Lazarus's long-game strategy.
The Fingerprints Lazarus Leaves Behind
What made the Bybit attribution so rapid is that Lazarus Group has consistent behavioral signatures. Twelve investigations over eight years create a reference dataset. New operations get compared against historical patterns.
Wallet clustering behavior: Lazarus consistently uses freshly created wallets for each operation, but the creation patterns, funding sources, and interaction timing are consistent across campaigns. ZachXBT's attribution of the Bybit hack to Lazarus was partially based on identifying overlap addresses with the Phemex hack — funds commingled at 0x33d057af74779925c4b2e720a820387cb89f8f65 connected both operations on-chain.
Timing correlation: Lazarus operates in coordinated windows. Fragmentation happens within hours of theft. Liquidity conversion follows within 24–48 hours. Cross-chain bridging starts within days and, in the Bybit case, was largely complete within four weeks. Investigators who know this timeline can anticipate the next move.
DEX preference: Lazarus consistently routes through specific DEXs — DODO has appeared in multiple attribution chains. The preference is for high-liquidity, low-slippage, permissionless venues. This creates a predictable interaction pattern.
Dormancy periods: Unlike financially motivated criminals who launder as fast as possible, Lazarus holds funds. They have held assets for 12–18 months before beginning to move them. This extended timeline is possible only for a state actor with no cash flow pressure. It also means investigators must maintain long-term monitoring, not just immediate response.
What Fund Tracing Tools Actually Detect
The gap between what a block explorer shows and what a forensics platform reveals is the gap between "I can see transactions" and "I understand what's happening."
Block explorer view of Lazarus operations: a series of wallet addresses and transaction hashes. The addresses are unlabeled. The amounts are visible. The relationships are invisible without manual work.
Forensics platform view of the same data:
Entity resolution converts 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e → "Bybit Exploiter (Lazarus Group)" with sanctions status, associated incident tags, and historical activity context. The 44 million+ labeled addresses in ChainHint's database mean most of the major Lazarus-associated wallets are already flagged before an investigator even begins tracing.
BFS traversal automatically follows all branches from the root address simultaneously. The 48-address fragmentation that defeats manual analysis takes seconds to map. The investigator sees a complete graph, not a linear chain.
Cross-chain context maintains continuity when funds bridge to Bitcoin. The investigation thread doesn't break at the chain boundary.
Risk propagation flags any wallet that has transacted with a sanctioned address as carrying elevated OFAC exposure. Exchanges that receive funds from these wallets face legal liability — which is the pressure point for voluntary freezes.
MITRE ATT&CK classification in the AI investigation report maps observed behaviors to the framework. For Bybit: T1078 (Valid Accounts, the compromised developer access used to modify the wallet front end), T1565.001 (Stored Data Manipulation, the malicious JavaScript written into the hosted interface), T1036 (Masquerading, the transaction presented to signers as a routine transfer). This framing translates on-chain observations into the language of cybersecurity investigations that law enforcement understands.
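The BFS traversal, risk propagation and "trace until you reach a labeled entity" behaviour described in the list above, as an added example that is not ChainHint's code: everything leaving the root is treated as tainted, each hop forwards its incoming tainted amount in proportion to the edge's share of the sender's total outflow, traversal stops at labeled entities (the actionable endpoints), and any address reached from more than one branch is reported as a convergence point. The label set, addresses and amounts are constructed; the proportional-share rule is one common taint model, not the only one.

```python
from collections import defaultdict, deque

# Constructed label set standing in for an entity-resolution database (assumption: four labels).
LABELS = {
    "0xexchange-a-deposit-demo": ("Exchange A deposit address", "cex"),
    "0xexchange-b-deposit-demo": ("Exchange B deposit address", "cex"),
    "0xrouter-demo": ("Cross-chain router", "bridge"),
    "0xmixer-demo": ("Mixer contract", "mixer"),
}


def trace_exposure(edges, root, labels, max_hops=8, min_share=1e-6):
    """Breadth-first, value-proportional taint propagation from `root`.

    edges: (sender, recipient, value) tuples. Everything leaving root is treated as tainted.
    Each hop forwards its incoming tainted amount in proportion to the edge's share of the
    sender's total outflow. Traversal stops at labeled entities and after max_hops.
    Returns tainted amounts, exposure ratios (tainted / total received), endpoints and
    convergence points (addresses fed by more than one traversed branch).
    """
    total_out, total_in, outgoing = defaultdict(float), defaultdict(float), defaultdict(list)
    for sender, recipient, value in edges:
        total_out[sender] += value
        total_in[recipient] += value
        outgoing[sender].append((recipient, value))

    tainted, endpoints = defaultdict(float), defaultdict(float)
    predecessors = defaultdict(set)
    seed = total_out[root]
    tainted[root] = seed
    queue = deque([(root, seed, 0)])
    while queue:
        node, delta, hop = queue.popleft()
        if node != root and node in labels:
            endpoints[node] += delta          # actionable: an entity that can freeze or be served
            continue
        if hop >= max_hops or total_out[node] == 0:
            continue                          # parked funds: keep the address under monitoring
        for recipient, value in outgoing[node]:
            share = delta * value / total_out[node]
            if share < min_share:
                continue
            tainted[recipient] += share
            predecessors[recipient].add(node)
            queue.append((recipient, share, hop + 1))

    exposure = {a: tainted[a] / total_in[a] for a in tainted if total_in[a] > 0}
    convergence = sorted(a for a, preds in predecessors.items() if len(preds) > 1)
    return {
        "endpoints": dict(endpoints),
        "tainted": dict(tainted),
        "exposure_ratio": exposure,
        "convergence": convergence,
    }


def constructed_edges():
    """Constructed fund flow: root fans out to three fresh wallets; two branches re-merge."""
    return [
        ("0xroot-exploiter-demo", "0xa-demo", 10_000.0),
        ("0xroot-exploiter-demo", "0xb-demo", 10_000.0),
        ("0xroot-exploiter-demo", "0xc-demo", 10_000.0),
        ("0xa-demo", "0xa1-demo", 10_000.0),
        ("0xa1-demo", "0xexchange-a-deposit-demo", 6_000.0),   # endpoint: notify Exchange A
        ("0xa1-demo", "0xd-demo", 4_000.0),
        ("0xb-demo", "0xrouter-demo", 10_000.0),                 # endpoint: cross-chain hop
        ("0xc-demo", "0xd-demo", 10_000.0),                      # d is fed by two branches
        ("0xd-demo", "0xmixer-demo", 13_000.0),                  # endpoint: trail turns probabilistic
        ("0xd-demo", "0xmerchant-demo", 1_000.0),
        ("0xunrelated-demo", "0xmerchant-demo", 99_000.0),       # clean inflow dilutes exposure
        ("0xmerchant-demo", "0xexchange-b-deposit-demo", 100_000.0),
    ]


def run_demo():
    return trace_exposure(constructed_edges(), "0xroot-exploiter-demo", LABELS)


if __name__ == "__main__":
    report = run_demo()
    for address, amount in report["endpoints"].items():
        print(f"{LABELS[address][0]:28s} {amount:10.2f} tainted  exposure={report['exposure_ratio'][address]:.2%}")
    print("convergence:", report["convergence"])
```

The 30,000 units leaving the root are fully accounted for at the four endpoints, which is the conservation check worth running on any taint model. The merchant address shows why the ratio matters as well as the amount: it forwards 100,000 units to Exchange B, but only 1% of that is traceable to the theft, and a freeze request should say so.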
The 48-Hour Window — In Practice
Here is what the freezable window looks like in a real operation:
Hours 0–6: Fragmentation. Funds are moving. Automated monitoring systems (Elliptic, TRM, ChainHint alerting) flag the root address. First attribution signals emerge.
Hours 6–24: Liquidity conversion on DEXs. This is the first freeze opportunity: notify DEXs and CEXs that share liquidity pools with the conversion venues. Most don't respond quickly enough.
Hours 24–72: Cross-chain bridging. Second freeze opportunity: bridge operators. THORChain and Chainflip are decentralized and cannot freeze. Centralized bridges sometimes can, with legal pressure.
Days 3–27 (Bybit case): BTC conversion. Third freeze opportunity: notify major BTC exchanges before Lazarus-controlled addresses deposit.
Once funds sit on Bitcoin, mixing begins. The trail becomes probabilistic rather than deterministic, and the forensics window largely closes.
The Bybit case saw only about 3% of the stolen funds frozen: roughly $42 million of $1.5 billion. Nearly all of it was frozen in the first days through coordinated action, before the bulk of the funds crossed to Bitcoin. The remaining 97% moved past the freeze window before a coordinated response was possible.
The implication for any organization holding significant crypto assets: incident response pre-planning is not optional. The question is not whether you have the right tools when something goes wrong. The question is whether they are already running before something goes wrong.
Operational Lessons for Investigators
1. Don't wait for attribution. When 400,000 ETH moves from a cold wallet in a single transaction, you know. You do not need FBI confirmation to begin tracing. Every hour of waiting is an hour the window is closing.
2. Focus on endpoints, not paths. The intermediate wallets don't matter — what matters is where funds reach identifiable entities. Exchange deposit addresses, bridge contracts, DEX interactions. These are the actionable nodes. Tracing only needs to run until it reaches a labeled entity.
3. Document everything immediately. Law enforcement cannot act on a screenshot. Every hop in the fund flow needs to be captured with transaction hashes, timestamps, amounts, and entity labels, formatted for chain-of-custody standards. A PDF investigation report generated at hour two is far more actionable than a manual writeup generated at day five.
4. Monitor, don't just trace. Lazarus holds funds. An investigation that runs once and closes will miss the reactivation months later when funds start moving again. Address monitoring — automated alerts when specific wallets transact — is how investigators catch the delayed laundering phase.
5. Know the signatures. The Phemex-Bybit connection was found because investigators knew to look for Lazarus-pattern wallet interactions. Build a reference set of known Lazarus wallet clusters, DEX preferences, and timing patterns. The next operation will rhyme with the last one.
Why This Matters Beyond Lazarus
Lazarus Group is the most documented case study in crypto fund tracing — but the methodology they use is not unique to nation-state actors.
Drainer operations fragment and bridge. Rug pulls convert to ETH and bridge to BTC. Ransomware payment laundering follows the same four-phase structure. The techniques differ in sophistication, but the pattern is consistent enough that the same investigative approach applies.
The reason to understand Lazarus specifically is the reference dataset. Eight years, twelve major operations, billions in traced funds. Every detailed case study adds pattern recognition. When the next operation starts, investigators who know the Lazarus playbook will recognize it faster than those who don't.
The blockchain doesn't forget. Every transaction is permanent, public, and traceable — not just today, but retroactively as the entity database grows. An address that was anonymous in 2023 may be labeled in 2026 when additional intelligence becomes available.
Lazarus Group has stolen $6.7 billion. The blockchain recorded all of it. The investigation is still running.
ChainHint is a blockchain forensics platform for incident response and crypto investigation. 44M+ labeled addresses. 350K entities. 12 chains including Bitcoin, 9 EVM networks, Solana, and TON. Fund flow tracing, MITRE ATT&CK reports, address monitoring. From $0/month — chainhint.com