TL;DR
- Blockchain investigator ZachXBT revealed that North Korea’s Lazarus Group continues to launder billions in stolen crypto through small OTC brokers and obscure networks, with Tron-based laundering alone estimated at $5–$10 billion.
- The U.S. Department of Justice has filed a civil complaint to seize $7.7 million tied to North Korean IT workers operating under false identities.
- Analysts warn that some exchanges allow these transactions while profiting from commissions.
The Lazarus Group, widely considered a state-sponsored cybercrime outfit operating under North Korea’s intelligence apparatus, has intensified its use of lesser-known methods to clean stolen cryptocurrency. According to respected blockchain sleuth ZachXBT, laundering activity on the Tron network alone may total as much as $10 billion, a staggering amount that remains largely untraced. Small over-the-counter (OTC) brokers, often outside the reach of strict anti-money laundering enforcement, have become key facilitators of these operations.
The group’s methods vary: from classic P2P transactions and privacy wallets to more complex laundering strategies such as chain hopping and using loosely regulated virtual asset service providers (VASPs). In some cases, crypto exchanges collect transaction fees on this activity despite clear red flags, profiting from illicit flows while claiming plausible deniability. This passive stance has raised concerns about accountability and systemic risks.
Meanwhile, the abuse of decentralized platforms has also enabled rogue actors to circumvent detection. ZachXBT has criticized some projects for prioritizing growth over compliance, especially when illicit volume drives protocol activity. The lack of coordinated enforcement leaves room for laundering networks to innovate faster than law enforcement can respond.
Digital Heists Fuel State-Backed Laundering Networks
The Department of Justice recently escalated its efforts by filing a civil forfeiture complaint targeting $7.7 million in digital assets tied to a North Korean-run laundering operation. These assets stemmed from fraudulent IT jobs obtained by North Korean operatives using fake identities, who then funneled earnings in USDT and USDC through laundering channels back to wallets controlled by DPRK entities.
This is far from isolated. A February incident involved a ByBit supplier breach, with the Lazarus Group redirecting 401,000 ETH and laundering $160 million within just two days. TRM Labs’ Ari Redbord called the speed “unprecedented,” raising concerns that North Korea may have significantly upgraded its laundering infrastructure.
Experts like Tom Robinson from Elliptic and Dorit Dor from Check Point emphasize that North Korea’s closed economy and state-level cyber capabilities allow it to industrialize crypto crime. Unless exchanges and service providers commit to active monitoring and collaboration with regulators, they risk becoming complicit in a system that enables global threats to flourish.
