Lazarus Moves $175M in ETH After Arbitrum Freezes $71M

North Korea-linked Lazarus Group moved about $175 million in ETH to new addresses after Arbitrum froze roughly $71 million tied to the April 18 KelpDAO rsETH exploit.

On April 18 attackers exploited KelpDAO’s bridge and withdrew approximately 116,500 rsETH, equal to about 18% of the protocol’s circulating rsETH. Investigators say the operation used compromised verification infrastructure to forge a cross-chain withdrawal message.

According to technical reports, attackers gained control of two RPC nodes and installed malware that fed false transaction data to LayerZero’s Decentralized Verifier Network while leaving data for other observers unchanged. A distributed denial-of-service attack then targeted remaining clean nodes, forcing the bridge to fail over to the compromised feeds and allowing the withdrawal to be authorized.

On April 20 the Arbitrum Security Council froze roughly 30,766 ETH, about $71 million, linked to the exploiter’s addresses. After that freeze, the attackers moved an estimated $175 million in ETH to new Ethereum addresses where blockchain trackers continued to follow the funds.

Security analysts tracing the proceeds reported laundering activity across cross-chain services and privacy tools, including swaps through Thorchain and transfers through Umbra Cash. The pattern included chain-hopping, decentralized exchange swaps, splitting funds across many wallets and routing assets through intermediary services before converting them to other currencies.

The KelpDAO incident is the second major attack attributed to the same group within three weeks. On April 1 an operation linked to the same actors drained about $285 million from Drift Protocol. Combined, the two incidents account for nearly $600 million in losses.

U.S. authorities and other agencies have linked Lazarus to multiple large-scale crypto thefts in recent years, including an early-2025 theft of about $1.5 billion from an exchange and the 2022 Ronin bridge exploit of roughly $620 million. The U.S. Department of Justice has brought charges in past cases and the Treasury’s Office of Foreign Assets Control has sanctioned addresses tied to North Korea-linked cyber activity. The FBI has issued advisories with on-chain identifiers for exchanges and validators to block.

Researchers say the group typically spends months preparing attacks, using techniques such as spear-phishing, malicious code in public repositories, fake recruitment messages and compromises of developer or validator environments to harvest keys. In response to repeated bridge exploits, analysts recommend measures including multi-signature controls, independent auditing of RPC nodes and real-time monitoring of verification feeds, so that a verifier never depends on a single data source that an attacker could poison.
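The failure mode described above (poisoned RPC feeds plus a DDoS that forces failover onto them) and the feed-monitoring recommendation can be illustrated with a verifier-side consistency check. This is an added example, not code from KelpDAO, LayerZero or any investigator; the node names, message hashes and quorum threshold are constructed, and the check models one verification decision, not a full bridge.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Verdict:
    approved: bool
    reason: str
    agreed_hash: Optional[str] = None


def check_feeds(observations: Dict[str, Optional[str]], min_agreeing: int) -> Verdict:
    """Decide whether a cross-chain message may be authorized.

    observations maps an RPC endpoint name to the hash of the message it reports
    for the source-chain event, or None if the endpoint did not answer (the DDoS case).
    min_agreeing is the number of independent endpoints that must report the same hash.
    """
    reachable = {node: h for node, h in observations.items() if h is not None}
    # Fail closed: losing quorum must not degrade into "trust whatever still answers".
    # This is exactly the failover that let a poisoned feed authorize the withdrawal.
    if len(reachable) < min_agreeing:
        return Verdict(False, f"quorum lost: {len(reachable)} reachable, need {min_agreeing}")
    counts = Counter(reachable.values())
    top_hash, top_count = counts.most_common(1)[0]
    if len(counts) > 1:
        # Any disagreement is an alert, not a majority vote: a divergent feed means
        # at least one node is lying or lagging, and operators must investigate first.
        dissenters = sorted(n for n, h in reachable.items() if h != top_hash)
        return Verdict(False, f"feed divergence: {dissenters} disagree with {top_count} node(s)")
    # Note: if an attacker controls the majority of nodes, every reachable feed agrees
    # on the forged hash and this check alone cannot tell; the nodes must be
    # independently operated and audited, as the analysts above recommend.
    return Verdict(True, "consistent", top_hash)


# Constructed scenarios: five endpoints, quorum of three. 'clean' and 'forged' stand in
# for the real message hashes; rpc-a and rpc-b play the two compromised nodes.
ALL_CLEAN = {f"rpc-{x}": "clean" for x in "abcde"}
TWO_POISONED = {"rpc-a": "forged", "rpc-b": "forged",
                "rpc-c": "clean", "rpc-d": "clean", "rpc-e": "clean"}
DDOS_FAILOVER = {"rpc-a": "forged", "rpc-b": "forged",
                 "rpc-c": None, "rpc-d": None, "rpc-e": None}

if __name__ == "__main__":
    for name, obs in [("all clean", ALL_CLEAN), ("two poisoned", TWO_POISONED),
                      ("ddos failover", DDOS_FAILOVER)]:
        print(name, check_feeds(obs, min_agreeing=3))
```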

Some analyses estimate that proceeds from DPRK-linked cryptocurrency thefts amount to a significant share of North Korea's economy, with certain studies citing a figure near 13% of GDP.
