May 16, 2025 – Blockchain investigators are sounding the alarm after $3.2 million was drained from multiple Solana wallets in an exploit that bears striking similarities to previous attacks carried out by the North Korea-linked Lazarus Group.

According to blockchain analyst ZachXBT, the attackers swiftly moved the stolen funds via cross-chain bridges, converting them into Ethereum. Notably, 800 ETH—valued at approximately $1.6 million—was funneled into Tornado Cash, a crypto mixer previously sanctioned by the U.S. for its role in money laundering.

Bridge to Ethereum, Then to Tornado Cash

The breach began with unauthorized transactions from Solana address “C4WY…e525”, which investigators linked to Lazarus operations. After bridging the assets to Ethereum, the attackers deposited the funds into Tornado Cash in two 400 ETH batches on June 25 and June 27, respectively.

Despite enforcement actions, including U.S. sanctions on Tornado Cash in 2022, the service remains active due to its decentralized nature and immutability. A U.S. appeals court controversially reversed the sanctions in January 2025, citing free speech protections.

Remaining Funds and Potential Next Moves

Roughly $1.25 million in DAI and ETH remains untouched in an Ethereum wallet (0xa5…d528). Analysts believe the funds may be intentionally parked to avoid detection, a common tactic in Lazarus’s playbook.

Lazarus Group: A Persistent Threat Since 2017

Designated as a state-sponsored Advanced Persistent Threat (APT), the Lazarus Group has stolen billions in crypto assets since 2017. Their attacks often involve phishing, malware, and smart contract exploits, followed by the rapid laundering of funds through non-KYC exchanges, decentralized bridges, and mixers like Tornado Cash.

This latest hack follows major incidents, including the $1.5 billion Bybit breach in February 2025 and the $100 million Horizon Bridge exploit in 2022, reinforcing concerns over the group’s growing sophistication and persistent threat to the crypto ecosystem.

With blockchain tracing tools and investigators like ZachXBT continuing to uncover these laundering patterns, regulators and exchanges are under pressure to flag suspicious addresses. However, given the speed and decentralization of these tactics, enforcement remains a challenging cat-and-mouse game.
