ZachXBT, the popular crypto sleuth, reported that a victim was hacked on Tron, leading to a loss of about $3.19M in USDT. The stolen USDT was transferred to Ethereum before the ETH was split among 10 addresses and deposited into Tornado Cash. ZachXBT attributes this hack to the notorious North Korean Lazarus Group. Onchain Lens disclosed that ZachXBT had uncovered another malicious attack by a hacker, leading to the unknown victim’s loss of about 3.19M USDT. According to TronScan, the USDT was transferred to the Ethereum blockchain, where it was swapped for ETH and then split among 10 addresses before being deposited into Tornado Cash (96 X 10 ETH, 4 X 100 ETH, 78 X 1 ETH, 5 X 0.1 ETH). ZachXBT pointed out that the hacker reused a theft address from the Michael Kong (Fantom/Sonic CEO) hack in October 2023, which had been previously attributed to the Lazarus Group as part of a ‘spearphishing campaign’ in a March 2024 report published by the UN. On February 22, ZachXBT also revealed that the Lazarus Group had connected the Bybit hack to the Phemex hack directly on-chain by ‘commingling’ funds from the initial theft address for both incidents. Lazarus Group adds unknown victim to the long list of crypto theft Zach ( @zachxbt ) reported that a user was scammed by the Lazarus Group on Tron for approximately $3.2M $USDT The stolen funds were transferred from #Tron to #Ethereum . The $ETH was then split among 10 addresses and deposited into Tornado Cash as follows: 96 x 10 ETH, 4 x 100 ETH,… pic.twitter.com/JRQ03rtflA — Onchain Lens (@OnchainLens) March 1, 2025 According to ZachXBT, the Lazarus Group is suspected to have struck once again, this time targeting an unknown victim on Tron and stealing over 3.19M USDT. The loot was then quickly transferred to the Ethereum chain, swapped for ETH, and split among ten addresses before being deposited into Tornado Cash. TronScan data showed that the hacker(s) used two addresses, TYQ3455gFNeqyw and 0xcced1276382f4d, to siphon 3,199,779 USDT from a victim with the address TDNaLds1A1g6vYRU. The malicious attack attributed to the North Korean hacking group suspected state links comes after a recent heist where the group reportedly stole over $1 billion from the Bybit exchange. Bybit was the victim of a record-breaking ~$1.5 billion Ethereum hack. North Korea’s Lazarus Group was the prime suspect in a sophisticated attack where the hackers infiltrated Bybit’s cold wallet and stole over 400K ETH. Elliptic’s research claims the Bybit heist is arguably the largest crypto theft in history. The Lazarus Group is suspected of stealing over $6 billion worth of crypto assets since 2017. The proceeds were reportedly spent on North Korea’s ballistic missile program. Elliptic follows the Lazarus Group’s patterns According to Elliptic’s research, the Lazarus Group followed a characteristic pattern to launder stolen crypto tokens. The first step was to exchange any stolen tokens for a “native” blockchain asset such as Ether. The group reportedly opted for this method because tokens have issuers who, in some cases, can ‘freeze’ wallets containing stolen assets, but no central party can freeze Ether or Bitcoin. That was exactly what happened in the minutes following the Bybit theft and the latest Tron hack involving an unknown victim. Hundreds of millions of dollars in stolen tokens were exchanged for ETH. They used decentralized exchanges (DEXs) to avoid any asset freezes that may happen if they use centralized exchanges (CEXs) to launder stolen funds. As per Elliptic’s report, the second step of the laundering process was to conceal the transaction trail by ‘layering’ the stolen funds. These layering tactics can complicate the tracing process, buying the launderers valuable time to cash out the assets. The layering process includes sending funds through large numbers of cryptocurrency wallets and moving funds to other blockchains using cross-chain bridges or exchanges. It also includes other tactics like switching between different crypto-assets using DEXs, coin swap services, or exchanges and using ‘mixers’ such as Tornado Cash or Cryptomixer. eXch has also emerged as a major and willing facilitator of this laundering. Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now
