North Korea’s Lazarus Group Behind $3.2M Crypto Scam as NFT Exploits Mount

North Korea’s notorious Lazarus Group is once again under the spotlight after a new wave of cyberattacks targeting the crypto industry. The hacking group, known for its sophisticated tactics and links to the Pyongyang regime, has been tied to a $3.2 million digital asset theft and a string of NFT exploits, according to on-chain investigator ZachXBT.
1/ Multiple projects tied to Pepe creator Matt Furie & ChainSaw as well as another project Favrr were exploited in the past week which resulted in ~$1M stolen
My analysis links both attacks to the same cluster of DPRK IT workers who were likely accidentally hired as developers.
— ZachXBT (@zachxbt) June 27, 2025
The latest confirmed incident occurred on May 16, when a user was scammed out of $3.2 million. The attackers swiftly moved the stolen assets from Solana to Ethereum and funneled 800 ETH through Tornado Cash, a blockchain mixing service often used to obscure the origins of funds. At last check, roughly $1.25 million remained in a wallet holding Ethereum and DAI, still under the hackers' control.
But this attack is just one of many. Days earlier, on June 27, ZachXBT linked Lazarus to a broader exploit campaign involving NFT projects tied to Pepe the Frog creator Matt Furie. Hackers took control of multiple NFT smart contracts—including ChainSaw and Favrr—minted fraudulent NFTs, and dumped them for quick profits. These targeted exploits, which began around June 18, netted roughly $1 million in stolen assets.
The trail of stolen crypto led to centralized exchange MEXC, where funds were reportedly converted into stablecoins across three different wallets. Investigators noted repeated transfers to a single deposit address, hinting at a broader pattern of abuse spanning several projects.
Further clues emerged from GitHub accounts connected to the operation. The profiles featured Korean-language settings and time zones consistent with activity in North Korea or adjacent regions. In one case, a developer believed to be involved in the Favrr exploit—identified as Alex Hong—had a LinkedIn profile that was recently deleted. Logs suggest Hong’s claimed U.S. location didn’t match his VPN usage or time zone data, fueling suspicion that he may be a North Korean IT worker operating under false pretenses.
“These inconsistencies raise serious red flags,” ZachXBT noted. “Why would a U.S.-based developer use Astral VPN, have Korean settings, and operate on Asia/Russia time?”
The bigger picture is alarming. According to blockchain intelligence firm TRM Labs, North Korea-linked hackers—primarily the Lazarus Group—are responsible for an estimated $1.6 billion in crypto theft this year alone. That accounts for nearly 70% of all reported stolen digital assets in 2025.