Lazarus Group

The cryptocurrency exchange eXch announced it will cease operations on May 1 due to money laundering allegations

ChainCatcher news, according to Cointelegraph: the cryptocurrency exchange eXch has announced that it will cease operations on May 1. Earlier reports indicated that the exchange had been used for money laundering, including some of the funds stolen in the $1.4 billion hack of Bybit.

In an announcement on April 17, eXch stated that the majority of its management team had voted to adopt a "stop and retreat" strategy in response to allegations that the North Korean hacking group Lazarus Group laundered approximately $35 million through the platform, funds that originated from the $1.4 billion hack suffered by Bybit.

The exchange claimed it had become the target of a "transatlantic joint law enforcement operation" aimed at shutting down its business and potentially bringing criminal charges. eXch stated in its announcement: "Although we have withstood multiple attempts to shut down our infrastructure and maintained operations, we believe it is pointless to continue operating in an environment where we have become a target of signals intelligence surveillance, solely due to the hostile environment created by the misinterpretation of our mission by certain individuals." The exchange had initially denied claims by blockchain investigators that it assisted the Lazarus Group in laundering money, but acknowledged handling a "very small portion of funds" from the February hack.

The North Korean hacker group Lazarus has planted cryptocurrency-stealing malware in a new batch of JavaScript packages

ChainCatcher news, according to Decrypt: the Socket research team has discovered a new attack in which the North Korean hacker group Lazarus is linked to six new malicious npm packages that attempt to deploy backdoors and steal user credentials. The malware also extracts cryptocurrency data and steals sensitive information from the Solana and Exodus wallets. It primarily targets files belonging to the Google Chrome, Brave and Firefox browsers, as well as macOS keychain data, and relies on tricking developers into inadvertently installing the malicious packages.

The six malicious packages discovered are: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. They lure developers into installing them through "typosquatting" (names that imitate or misspell legitimate packages). The APT group created and maintained GitHub repositories for five of these packages, disguising them as legitimate open-source projects and increasing the chance that developers would pull in the malicious code. The packages have been downloaded more than 330 times. The Socket team has requested the removal of the packages and reported the related GitHub repositories and user accounts.

Lazarus is a notorious North Korean hacker group linked to the recent $1.4 billion Bybit hack, the $41 million Stake hack, the $27 million CoinEx hack, and countless other attacks on the crypto industry.
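A defender-side check for the campaign described above, added here as an example and not code from the ChainCatcher report or from Socket: it audits a project's package.json against the six package names named in the report and flags lookalike names that wrap a well-known package name. The `POPULAR` list and the suffix/prefix heuristic are assumptions for illustration, and the sample package.json is constructed.

```javascript
// Added example (not from the ChainCatcher article or Socket's own tooling).
// Audits package.json dependencies against the six malicious npm package
// names Socket attributed to Lazarus, and flags lookalikes that wrap a
// well-known package name (the typosquatting pattern the report describes).

// The six npm package names listed in the report.
const KNOWN_MALICIOUS = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);

// Assumption: a short, illustrative list of popular package names that
// lookalikes imitate; a real deployment would load an organisation list.
const POPULAR = ["is-buffer", "validator", "array-empty", "event-handler"];

// Heuristic (assumption): a popular name with an extra hyphenated segment
// appended or prepended is treated as a lookalike. Returns the imitated
// package name, or null when the name is not suspicious.
function looksLikeTyposquat(name) {
  for (const p of POPULAR) {
    if (name === p) return null;            // the genuine package itself
    if (name.startsWith(p + "-") || name.endsWith("-" + p)) return p;
  }
  return null;
}

// Returns one finding per suspicious dependency across all dependency sections.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, version] of Object.entries(pkg[section] || {})) {
      if (KNOWN_MALICIOUS.has(name)) {
        findings.push({ name, version, section, reason: "known-malicious" });
        continue;
      }
      const imitated = looksLikeTyposquat(name);
      if (imitated) findings.push({ name, version, section, reason: `lookalike-of:${imitated}` });
    }
  }
  return findings;
}

// Constructed sample package.json for the demonstration.
const SAMPLE = JSON.stringify({
  name: "demo-app",
  dependencies: { express: "^4.19.0", "is-buffer-validator": "1.0.2", lodash: "^4.17.21", "is-buffer-utils": "0.0.3" },
  devDependencies: { "array-empty-validator": "0.1.0", "react-scripts": "5.0.1" },
});

console.log(auditPackageJson(SAMPLE));
```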

Bybit proposes that the ParaSwap DAO return the fees it earned from the hacker's trades

ChainCatcher news, according to Cointelegraph: the cryptocurrency exchange Bybit has confirmed that it initiated a proposal requesting that the decentralized finance (DeFi) protocol ParaSwap return the transaction fees generated from trades of digital assets stolen from the exchange by the Lazarus hacker group.

On March 4, a proposal was published on the ParaSwap decentralized autonomous organization (DAO) forum requesting the freezing and return of 44.67 wETH, worth nearly $100,000. The proposal initially met with skepticism, with several DAO members demanding verification of its origin. Bybit posted a verification message on its official X account on March 5, confirming that it had initiated the proposal.

The refund proposal sparked intense discussion among DAO members. DeFi researcher and ParaSwap DAO delegate Ignas pointed out that profiting from a hacker attack gives the DAO a "bad image", and that returning the funds would demonstrate support for industry peers. He added that retaining the funds could attract regulatory scrutiny and legal trouble. However, he also warned that a refund would set a dangerous precedent for DeFi: "Code is law. The DAO legally earned the fees through smart contracts. If we return the funds now, what happens in similar situations in the future? This would set a dangerous precedent."

Opinions among ParaSwap DAO members are divided: some support a conditional refund of the fees, while others voted against any refund. DAO member SEED Gov proposed three possible courses of action: a full refund, rejection of the request, or negotiating a structured refund that retains 10% as a bounty, consistent with Bybit's existing bug bounty program.

Safe: A developer's machine was compromised, leading to the Bybit theft; no vulnerabilities were found in the contract or frontend code

ChainCatcher news: Safe responded on X to Bybit's hacking forensic report, stating that the forensic review of the Lazarus Group's targeted attack on Bybit concluded that the attack on Bybit's Safe was carried out through compromised Safe{Wallet} developer machines, resulting in a disguised malicious transaction.

Lazarus is a state-backed North Korean hacking organization known for sophisticated social engineering attacks against developer credentials, sometimes combined with zero-day vulnerabilities. The forensic review by external security researchers did not identify any vulnerabilities in the Safe smart contracts or in the source code of the front end and services.

Following the incident, the Safe{Wallet} team conducted a thorough investigation and has now completed a phased restoration of Safe{Wallet} on the Ethereum mainnet. The team has fully rebuilt and reconfigured all infrastructure and rotated all credentials to ensure the attack vector is completely eliminated.

Once the final results of the investigation are released, the Safe{Wallet} team will publish a complete post-mortem analysis. The Safe{Wallet} front end remains operational and has implemented additional security measures. However, users still need to be especially careful and vigilant when signing transactions.

SlowMist's Cosine: The attacker in the CEX theft incident is confirmed to be the North Korean hacker group Lazarus Group, and its attack methods have been disclosed

ChainCatcher news: SlowMist founder Yu Xian posted on social media, "Through forensic analysis and correlation tracking, we confirm that the attackers of the CEX theft incident are the North Korean hacker group Lazarus Group. This is a nation-state APT attack targeting cryptocurrency trading platforms. We have decided to share the relevant IOCs (Indicators of Compromise), which include some IPs of cloud service providers, proxies, etc. It is important to note that this disclosure does not specify which platform or platforms were involved, nor does it mention Bybit; if there are similarities, it is indeed not impossible."

The attackers used pyyaml for RCE (Remote Code Execution), enabling them to deliver malicious code and take control of target computers and servers. This method bypassed most antivirus software. After sharing intelligence with partners, multiple similar malicious samples were obtained. The attackers' main goal is to gain control of wallets by infiltrating the infrastructure of cryptocurrency trading platforms, and then to illegally transfer large amounts of cryptocurrency assets out of those wallets.

SlowMist published a summary article disclosing the Lazarus Group's attack methods and analyzing its use of social engineering, vulnerability exploitation, privilege escalation, internal network penetration, and fund transfer tactics. Drawing on real cases, the article also summarizes defensive recommendations against APT attacks, aiming to provide a reference for the industry and to help more institutions strengthen their security capabilities and reduce the impact of potential threats.