ZachXBT Flags $5-10B Black Market on Tron Linked to Lazarus Group Hacks

According to on-chain investigator ZachXBT, funds stolen in several recent crypto exchange hacks allegedly linked to North Korea’s Lazarus Group have been successfully laundered through illicit networks and small over-the-counter (OTC) brokers.

In a recent post on X, ZachXBT spoke about the growing scale of crypto-related crime and estimated that the so-called “Black U” market operating on the Tron blockchain may be worth between $5 billion and $10 billion.

However, much of it remains untraceable.

Is Crypto “Ripe For Abuse”?

He pointed to attacks on platforms such as Bybit, DMM Bitcoin, and WazirX, where stolen assets were laundered “with ease,” and added that laundering groups have “seemingly won the battle” over enforcement.

The investigator further criticized protocol teams that continue to earn fees while turning a blind eye to illicit activity, and noted that over 50% of some protocols’ usage may stem from stolen funds.

ZachXBT’s comments also reflect broader frustration over what he terms a “crime supercycle” – an era marked by minimal accountability. He cited a surge in abuse following the launch of meme coins by politicians and the dismissal of key court cases, which has allowed malicious actors to operate with little fear of repercussions.

With influencers scamming followers and courts siding with smart contract exploiters, he warns that without meaningful enforcement or public pressure, the long-term consequences for the crypto ecosystem could be severe.

“Can we fix the system if the vast majority of people still do not care unless they lose money? It’s concerning about what the long term ramifications may be even if these decisions benefit us in the short term. If you ever wanted the opportunity to extract from the industry there’s not been much of a better time. Take a chance what’s the worst thing that could happen if everyone’s already doing it?”

Lazarus Group’s Latest Trap

Lazarus Group was recently reported to have been shifting its social engineering tactics, now targeting centralized finance (CeFi) job seekers with a new malware campaign dubbed “ClickFix,” according to a recent report by cybersecurity firm Sekoia.

Unlike previous attacks on developers, this method zeroes in on non-technical professionals by impersonating major crypto firms like Coinbase and Tether. Victims are tricked into running PowerShell commands to “fix” fake webcam issues during interviews, unknowingly installing malware.

With 184 fake invitations referencing 14 companies, this strategy marks a disturbing evolution in Lazarus’s targeting and psychological manipulation techniques within the crypto sector.