Date: 2025-03-17

The Lazarus Group, which was responsible for the recent $1.5 billion Bybit hack, now holds 13,518 BTC worth $1.13 billion, according to Arkham Intelligence.

This could make North Korea the fifth-largest nation-state to hold the asset behind the United States, China, the United Kingdom, and Ukraine, according to BitBO.

It would also make the cybercrime group’s holdings larger than those of Bhutan and El Salvador, which hold 13,029 BTC and 6,089 BTC, respectively.

Lazarus recently converted some of its stolen ETH into BTC, according to Arkham.

BREAKING NEWS: North Korea’s Lazarus group has converted the stolen $ETH to $BTC after the Bybit hack, now holding 13,562 $BTC worth around $1.12B per data from @arkham. — Jason Ai. Williams (@GoingParabolic) March 17, 2025

Lazarus The Bitcoin Whale

Arkham also reports that Lazarus-linked wallets hold 13,702 ETH worth around $26 million, 5,022 BNB worth $3 million, $2.2 million in DAI, and several stablecoins and wrapped crypto assets.

“We grind and HODL just so that a hacker group can steal over $1B in crypto. It’s time for us to take the market back,” commented crypto investor Kyle Chassé.

North Korea-linked actors have stolen over $6 billion in crypto assets since 2017, with the proceeds reportedly spent on the country’s ballistic missile program, reported Elliptic earlier this month.

On March 13, the group deposited 400 ETH, worth around $750,000 at the time, into the Tornado Cash mixing service, according to blockchain security firm CertiK, which stated, “The funds trace to the Lazarus group’s activity on the Bitcoin network.”

Lazarus Group has also deployed six new malware packages to infiltrate developer environments, steal credentials, extract cryptocurrency data and install backdoors, according to research from cybersecurity firm Socket released last week.

The malware, dubbed “BeaverTail,” is embedded in packages that mimic legitimate JavaScript libraries and targets cryptocurrency wallets, specifically Solana and Exodus.

The researchers said that “the tactics, techniques, and procedures observed in this npm attack closely align with Lazarus’s known operations.”

OKX Suspends DEX

In related news, crypto exchange OKX suspended its Web3 decentralized exchange aggregator on March 17 following the detection of “a coordinated effort by Lazarus group to misuse our DeFi services.”

Following the Bybit hack, OKX rolled out a hacker address detection system for its Web3 DEX aggregator and a system to track the attacker’s latest addresses and block them in the CEX system in real time.

Last week, Bloomberg reported that the OKX DEX aggregator was used to launder $100 million in crypto linked to Lazarus and the hack.