Lazarus’ $1.12B Bitcoin Hoard: Bybit Hack to Crypto Empire

• Lazarus converted stolen $ETH to 13,562 $BTC ($1.12B) after the Bybit hack, as tracked by Arkham.
• The group deployed “BeaverTail” malware via NPM, targeting developers to steal crypto credentials.
• Lazarus launched fake Solana meme coins on Pump.fun, using the platform to launder stolen funds.

Lazarus, the infamous hacker group, has continued to astound investigators after the daring $1.4 billion Bybit hack and memecoin scams. On-chain sleuths has recently traced the trail of the stolen funds, representing sophisticated financial maneuvering despite international sanctions.

Arkham, a blockchain analytics platform, found that Lazarus converted the stolen ETH into Bitcoin, after the Bybit hack. Currently, it hold a total of 13,562 BTC worth roughly $1.12 billion. Hackers often employ this common tactic to condeal the paths of the stolen assets as BTC is relatively more liquid and is widely accepted.

Source: Arkham

This makes North Korea the third-largest state Bitcoin holder, trailing only the US and UK. The rogue nation has leveraged cybercrime to become a major sovereign bitcoin holder—surpassing legitimate state actors like El Salvador and Bhutan.

What’s more concerning is that its state backed hacker group have moved beyond basic illegal access. They have now been found to unleash six harmful packages to infect developer systems, steal their credentials, access crypto data, and install hidden access points. 

As reported by TronWeekly, the hackers’ main target was the Node Package Manager (NPM) ecosystem, which housed many important JavaScript libraries. They embedded a Malware named “BeaverTail” in packages to mimic their real counterparts using typosquatting techniques to fool developers. 

“Lazarus hits npm again. Six new malicious packages target developers, stealing credentials and deploying backdoors.”

Lazarus Group’s Evolving Cyber Tactics

After the attack, the group even tried to hide the stolen assets through different methods, including using THORChain, a decentralized exchange that does not need any identity verification.

Broadening their attack, Lazarus also launched fake meme coins through Solana-based Pump.fun. Cyber experts have observed how cybercriminals utilized the platform to cover up the source of their stolen money. The exchanged funds were then moved to different exchanges, which makes tracking and detection increasingly challenging.

Noted crypto investigator ZachXBT retained undisclosed to prevent interference, however, ZachXBT validated the release of wallets from analytics tools.