North Korean Cybercriminals May Be Inflating Cross-Chain Metrics

• In February, North Korean hacker group Lazarus stole crypto worth around $1.5 billion from the Bybit exchange.
• An analysis of post-hack transactions suggests Lazarus deployed a technique known as chain-hopping to launder the stolen funds.
• In 2023, Elliptic estimated that as much as $7 billion had been laundered in this manner.

More than three months on from the largest crypto heist in history, the ongoing laundering of Bybit funds by North Korean hacker group Lazarus continues to shape global cryptocurrency flows.

By one estimate, hackers’ efforts to cover their trail by moving funds back and forth between blockchains could account for as much as a quarter of transaction volume on some bridges.

How Hackers Use Cross-Chain Bridges

To obfuscate the origin of illicit cryptocurrency, cybercriminals use a variety of cross-chain services, typically moving funds in rapid succession and swapping between different coins and tokens.

In 2023, Elliptic estimated that as much as $7 billion had been laundered in this manner, concluding that so-called “chain-hopping” had become the “preferred money laundering method” for cyber criminals.

Although the technique is popular among various illicit criminal groups, state-sponsored North Korean hackers have become especially adept at chain-hopping.

Even before this year’s Bybit attack, Elliptic’s research found that North Korea’s Lazarus Group was responsible for 1/7th of all cross-chain money laundering. Now, with crypto worth around $1.5 billion to cash out, Lazarus has significantly stepped up its operations.

Cross-Chain Volumes Rise

Data from DeFiLlama shows that cross-chain transaction volumes have climbed significantly in 2025 and now regularly exceed $1 billion per day.

In the week following the Bybit hack, THORChain, which has previously been implicated in Lazarus-linked money laundering, processed $4.66 billion in swaps, its highest volume of record.

A post-hack analysis by Nansen uncovered THORChain as the entity that received the most significant inflows from hacker addresses, generating over $2 billion in transaction volume from illicit transfers.

Cross-Chain DeX Aggregators Favored by Lazarus

Compared to first-generation bridges, cross-chain decentralized exchange (DeX) aggregators like THORChain that enable token swaps across different blockchain networks make it even harder to trace the flow of stolen crypto.

Other DeX aggregators implicated in Lazarus’ money laundering operation include Paraswap, DODO and Li.Fi, Nansen found.

After Li.Fi Head of Research Arjun Chand boasted that the bridge and DeX aggregator processed $3 billion worth of transactions in May, blockchain sleuth ZachXBT estimated that 15-25% of Li.Fi activity could be attributed to chain-hopping by North Korean hackers.

Responding to the charge, Chand said Li.Fi is looking into the alleged abuse of its platform, but acknowledged that “it’s incredibly challenging to eliminate [illicit usage] entirely.”