Blockchain analytics firm Arkham Intelligence published a report on May 12, 2026, examining the on-chain footprint, laundering infrastructure, and operational tactics

Arkham Report Examines Lazarus Group’s Crypto Laundering Network and Evolving Attack Methods

2026/05/13 05:40

Blockchain analytics firm Arkham Intelligence published a report on May 12, 2026, examining the on-chain footprint, laundering infrastructure, and operational tactics tied to Lazarus Group, the North Korean state-linked hacking syndicate behind some of the largest crypto exploits in the industry.

The research tracked Lazarus-linked activity from 2017 through 2026, including exchange breaches, ransomware campaigns, bridge exploits, and decentralized finance attacks that Arkham said totaled more than $6 billion in stolen cryptocurrency.

Lazarus Group is widely believed to operate under North Korea’s Reconnaissance General Bureau and has been repeatedly tied by U.S. authorities and blockchain investigators to major cyberattacks targeting the crypto industry.

Arkham described Lazarus as “the single most financially successful cybercriminal organization in crypto history” and said North Korean-linked actors accounted for more than 70% of crypto exploit losses recorded so far in 2026.

The report also detailed how Lazarus operations evolved from malware and phishing campaigns into long-term infiltration efforts involving social engineering, fake partnerships, and cross-chain laundering infrastructure.

Arkham Traces Lazarus Laundering Flows Across Crypto Infrastructure

The report outlined how Lazarus moves stolen assets through a network of decentralized protocols, centralized exchanges, and over-the-counter brokers to obscure transaction trails before cashing out funds.

According to the research, Lazarus usually moves funds off the originally exploited chain shortly after an attack, frequently using THORChain and other cross-chain bridges to convert assets into bitcoin.

Bitcoin’s role in the laundering process is due to its UTXO model, which makes transaction tracing more difficult than on account-based EVM blockchains. It’s similar to the process of breaking large bills into thousands of smaller bills, dispersing them across countless wallets, and later recombining them during cash-out operations.
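The fan-out and recombination pattern described above, seen from the tracer's side, as an added example that is not taken from the Arkham report: a simplified forward taint trace over a constructed UTXO graph that then flags the transaction where split outputs are merged again. All transaction IDs, addresses and amounts are made up for illustration.

```python
from collections import deque

# Constructed sample data, not real chain activity. Each input is the
# (txid, output index) it spends; each output is (address, amount in BTC).
TXS = {
    "t0": {"ins": [], "outs": [("theft", 10.0)]},
    "t1": {"ins": [("t0", 0)],  # fan-out: one large output split four ways
           "outs": [("a1", 2.5), ("a2", 2.5), ("a3", 2.5), ("a4", 2.5)]},
    "t2": {"ins": [("t1", 0)], "outs": [("b1", 2.5)]},
    "t3": {"ins": [("t1", 1)], "outs": [("b2", 2.5)]},
    "t4": {"ins": [("t1", 2)], "outs": [("b3", 2.5)]},
    "u0": {"ins": [], "outs": [("bystander", 1.0)]},  # unrelated funds
    "u1": {"ins": [("u0", 0)], "outs": [("c1", 1.0)]},
    "t5": {"ins": [("t2", 0), ("t3", 0), ("t4", 0)],  # recombination
           "outs": [("deposit", 7.5)]},
}

def trace_forward(txs, source):
    """Return every outpoint reachable from `source` (poison-style taint:
    if a transaction spends a tainted input, all of its outputs are tainted)."""
    spent_by = {op: txid for txid, tx in txs.items() for op in tx["ins"]}
    tainted, queue = {source}, deque([source])
    while queue:
        txid = spent_by.get(queue.popleft())
        if txid is None:
            continue  # output is still unspent, nothing further to follow
        for idx in range(len(txs[txid]["outs"])):
            if (txid, idx) not in tainted:
                tainted.add((txid, idx))
                queue.append((txid, idx))
    return tainted

def recombinations(txs, tainted, min_inputs=2):
    """Transactions that merge several tainted outputs: consolidation candidates."""
    hits = {}
    for txid, tx in txs.items():
        n = sum(1 for op in tx["ins"] if op in tainted)
        if n >= min_inputs:
            hits[txid] = {"tainted_inputs": n, "to": [a for a, _ in tx["outs"]]}
    return hits

def dormant(txs, tainted):
    """Addresses holding tainted outputs that have not been spent yet."""
    spent = {op for tx in txs.values() for op in tx["ins"]}
    return sorted(txs[t]["outs"][i][0] for t, i in tainted - spent)

if __name__ == "__main__":
    tainted = trace_forward(TXS, ("t0", 0))
    print(recombinations(TXS, tainted), dormant(TXS, tainted))
```

Poison-style taint over-approximates: once traced funds are co-spent with unrelated inputs, everything downstream is marked, which is why real investigations pair it with clustering and amount heuristics.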

Lazarus-linked actors have also used mixers, including Sinbad.io and YoMix, to further obscure transaction trails before funds reach exchanges, brokers, or over-the-counter networks.

The report additionally mentions that Russian exchanges and Chinese OTC brokers are used as destinations in Lazarus cash-out activity.

Lazarus continues relying on cross-chain infrastructure, mixers, and fragmented wallet activity to complicate blockchain tracing efforts during the laundering process.

Drift Protocol Attack Involved Months-Long Social Engineering Operation

One section of the report focused on the April 1, 2026 exploit against Drift Protocol, which Arkham described as one of the first publicly documented Lazarus operations involving in-person interactions as an attack vector.

According to the report, North Korean proxies interacted with Drift employees throughout March 2026, including meeting employees at conferences and depositing more than $1 million to appear as legitimate counterparties and protocol partners.

After gaining the trust of the protocol team, Lazarus convinced Drift Security Council members to pre-authorize Solana transactions.

The attackers later used those pre-authorized transactions after Drift migrated its Security Council to a new 2/5 configuration without a timelock, allowing Lazarus-linked actors to drain approximately $285 million from the protocol.

The report described the operation as a significant escalation in social engineering tactics targeting crypto organizations.

KelpDAO Exploit Used Compromised RPC Nodes and Forged Messages

The research also examined the KelpDAO exploit, which Arkham linked to Lazarus.

According to the report, the attackers compromised two LayerZero RPC nodes and combined false data feeds with a distributed denial-of-service attack to forge a malicious cross-chain message.

The forged message allowed Lazarus-linked actors to withdraw 116,500 rsETH valued at approximately $292 million.

Arkham said portions of the stolen funds were later moved through Umbra Cash, THORChain, and decentralized finance lending protocols as part of the laundering process.

The report added that the attack demonstrated Lazarus’ growing focus on cross-chain infrastructure and validator-related attack surfaces.
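A defensive reading of the RPC compromise described above, as an added example that is not code from LayerZero, KelpDAO or the Arkham report: it contrasts accepting the majority answer among endpoints that replied with requiring a fixed quorum of all configured endpoints and failing closed otherwise. It assumes a verifier that polls five RPC endpoints, two of them attacker-controlled, with the honest ones timing out under load; the endpoint names and values are constructed.

```python
from collections import Counter

# Constructed responses (endpoint -> reported message hash, None = timeout).
# Assumption for illustration: rpc-d and rpc-e are attacker-controlled.
NORMAL = {"rpc-a": "0xreal", "rpc-b": "0xreal", "rpc-c": "0xreal",
          "rpc-d": "0xforged", "rpc-e": "0xforged"}
# Same endpoints while the honest ones are unreachable (e.g. under a DDoS).
UNDER_DDOS = {"rpc-a": None, "rpc-b": None, "rpc-c": None,
              "rpc-d": "0xforged", "rpc-e": "0xforged"}

def naive_read(responses):
    """Unsafe: trust the most common answer among endpoints that replied.
    Knocking honest endpoints offline turns a minority into a 'majority'."""
    live = [v for v in responses.values() if v is not None]
    return Counter(live).most_common(1)[0][0] if live else None

def quorum_read(responses, quorum):
    """Accept a value only if `quorum` of ALL configured endpoints agree.
    `quorum` must exceed the number of endpoints an attacker could control."""
    if quorum <= len(responses) // 2:
        raise ValueError("quorum must be a strict majority of configured endpoints")
    live = [v for v in responses.values() if v is not None]
    if not live:
        raise RuntimeError("no endpoint reachable: refusing to proceed")
    value, votes = Counter(live).most_common(1)[0]
    if votes < quorum:
        # Fail closed: too few independent sources agree, so do not sign or relay.
        raise RuntimeError(f"only {votes}/{len(responses)} agree on {value}")
    return value

def fails_closed(responses, quorum):
    """True when quorum_read refuses the given responses."""
    try:
        quorum_read(responses, quorum)
    except RuntimeError:
        return True
    return False

if __name__ == "__main__":
    print("naive under DDoS:", naive_read(UNDER_DDOS))
    print("quorum normal:", quorum_read(NORMAL, 3))
    print("quorum under DDoS refuses:", fails_closed(UNDER_DDOS, 3))
```

A refusal from `quorum_read` is also a detection signal: several endpoints timing out while the rest agree on a value worth alerting on before any message is accepted.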

Lazarus Remains at the Center of Crypto Security Concerns

Lazarus Group is one of the most closely monitored organizations in due to the scale of its attacks and its links to the North Korean state.

Law enforcement agencies, cybersecurity researchers, and blockchain analytics firms have repeatedly connected the group to attacks involving exchanges, bridges, wallet providers, and DeFi protocols.

Arkham concluded that Lazarus continues adapting its operational methods as blockchain tracing capabilities and compliance monitoring systems become more advanced, with social engineering and cross-chain infrastructure becoming increasingly important parts of the group’s strategy.
