How a state-sponsored hacking unit became crypto's biggest threat — and how ClearChain tracks them.
Lazarus Group is a North Korean state-sponsored hacking unit operating under the Reconnaissance General Bureau. Since 2017 they've stolen over $3 billion in cryptocurrency — funding the regime's weapons program. They're the most prolific crypto threat actor ever documented.
| Incident | Year | Amount | Method |
|---|---|---|---|
| Ronin / Axie Infinity | 2022 | $625M | Compromised validator keys |
| Harmony Bridge | 2022 | $100M | Multisig key compromise |
| WazirX Exchange | 2024 | $235M | Smart contract exploit |
| Bybit Exchange | 2025 | $1.5B | UI injection / social engineering |
| Various DeFi protocols | 2020–24 | $500M+ | Smart contract vulnerabilities |
After a hack, Lazarus doesn't cash out immediately — they layer. Their playbook is sophisticated and consistent, which is actually what makes them trackable:
1. Split: stolen funds are split across dozens of wallets within minutes of the hack. This makes freezing harder, since exchanges can only block addresses they already know about.
2. Mix: the fragments are funneled through Tornado Cash or other mixers to break on-chain links. OFAC specifically flagged Lazarus-linked Tornado Cash addresses.
3. Bridge: after mixing, funds hop chains via bridges, for example ETH to BSC to Avalanche. Each hop further obscures the trail and adds complexity for investigators.
4. Cash out: final conversion to fiat happens through OTC desks in jurisdictions without robust AML enforcement, particularly in East Asia.
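The first three steps of that playbook leave signals an analyst can detect. The script below is an added example, not ClearChain's code: it flags the rapid fan-out from a drained wallet and then follows the funds forward through a constructed transfer sample until they reach a labelled mixer or bridge. All addresses, amounts and labels are placeholders; a real deployment would read transfers from a node or indexer and labels from OFAC and FBI sources.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample transfers (timestamp, sender, recipient, amount); the
# addresses and amounts are placeholders, not real on-chain data.
TRANSFERS = [
    ("2025-03-01T12:00:05", "hot_wallet", "w1", 120.0),
    ("2025-03-01T12:00:40", "hot_wallet", "w2", 120.0),
    ("2025-03-01T12:01:10", "hot_wallet", "w3", 120.0),
    ("2025-03-01T12:01:55", "hot_wallet", "w4", 120.0),
    ("2025-03-01T12:02:30", "hot_wallet", "w5", 120.0),
    ("2025-03-01T14:10:00", "w3", "mixer_x", 119.9),
    ("2025-03-01T15:00:00", "w5", "bridge_y", 119.8),
    ("2025-03-02T09:00:00", "payroll", "emp1", 1.0),
]
# Constructed label table standing in for OFAC/FBI-sourced labels (placeholders).
LABELS = {"mixer_x": "sanctioned mixer", "bridge_y": "cross-chain bridge"}


def fan_out_alerts(transfers, window_min=10, min_recipients=5):
    """Senders that pay >= min_recipients distinct addresses inside window_min minutes."""
    by_sender = defaultdict(list)
    for ts, src, dst, _ in transfers:
        by_sender[src].append((datetime.fromisoformat(ts), dst))
    window, alerts = timedelta(minutes=window_min), {}
    for src, events in by_sender.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over each start
            recips = {d for t, d in events[i:] if t - t0 <= window}
            if len(recips) >= min_recipients:
                alerts[src] = len(recips)
                break
    return alerts


def trace_forward(transfers, start, max_hops=3):
    """BFS downstream from start: {address: hop distance} plus labelled addresses hit."""
    out = defaultdict(list)
    for _, src, dst, _ in transfers:
        out[src].append(dst)
    reached, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        if reached[cur] >= max_hops:  # stop expanding once the hop budget is spent
            continue
        for nxt in out[cur]:
            if nxt not in reached:
                reached[nxt] = reached[cur] + 1
                queue.append(nxt)
    hits = {a: LABELS[a] for a in reached if a in LABELS}
    return reached, hits
```

Running `fan_out_alerts(TRANSFERS)` flags only `hot_wallet`, and `trace_forward(TRANSFERS, "hot_wallet")` reports the mixer and bridge two hops out; tuning the window and threshold is what separates a real drain from ordinary batch payouts like the payroll row.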
ClearChain's label database includes known Lazarus Group wallet addresses sourced from OFAC designations, FBI advisories, and blockchain intelligence firms. This means: