Cross-chain crypto laundering by DPRK hackers is an advanced money‑shrouding technique where North Korean cyber actors move stolen digital cash through multiple blockchain networks to hide its origin. The method leans on interoperable bridge services, rapid swaps, and automated scripts that flood analysts with thousands of transactions per minute. Understanding how the regime pulls this off helps exchanges, investigators, and everyday users spot warning signs before the cash disappears into the dark.
Who’s behind the operation?
The mastermind group is known as the Lazarus Group, a subdivision of the DPRK’s Reconnaissance General Bureau. Different teams - often called TraderTraitor or the 3rd Bureau - launch the hacks, steal the crypto, and then hand the loot over to a laundering unit that specializes in cross‑chain hopping. In February 2025 the group stole over $1.5 billion from the crypto exchange Bybit, setting a new record for a single crypto heist.
Why cross‑chain bridges matter
The cross-chain crypto laundering trend began when analysts noticed a sharp rise in traffic through bridge services such as Ren Bridge and Avalanche Bridge. Unlike traditional mixers that keep the same asset on a single chain, bridges let hackers swap Bitcoin for Ether, then flash‑swap to Tron, BTTC, or even obscure chains that receive little scrutiny from analytics firms. By marching the loot across three or more blockchains in seconds, the thieves break the chain of custody and force investigators to chase a moving target.
Step‑by‑step: the typical laundering flow
- Initial breach - a phishing lure or exploit drains wallets on Ethereum, Bitcoin, or other high‑value chains.
- Rapid aggregation - stolen tokens are pooled into freshly generated addresses controlled by the attackers.
- Bridge hopping - the pool is sent through a bridge (e.g., Ren Bridge) to another chain, often converting ERC‑20 tokens to native Ether.
- Decentralized exchange (DEX) swaps - on the new chain the assets are swapped for a more liquid token (usually Bitcoin or USDT) using platforms like Uniswap, PancakeSwap, or Raydium.
- Obscure‑chain bounce - a portion lands on low‑visibility networks (e.g., BTTC, Solana) where on‑chain analysis coverage is thin.
- Refund address reset - the funds are redirected to a brand‑new address, breaking the transaction graph.
- OTC or exchange off‑ramp - the final BTC or stablecoin batch is sold over the counter or deposited on a centralized exchange under false identities.
This chain‑hopping loop can repeat dozens of times, creating a “flood the zone” effect that overwhelms compliance tools. According to TRM Labs, the Bybit breach alone generated over 9,500 BTC moves via Avalanche Bridge within a 48‑hour window.

From mixers to bridges: a shifting landscape
Before 2022 the Lazarus Group relied heavily on mixers like Sinbad, YoMix, Wasabi Wallet, and CryptoMixer. After global crackdowns on mixers (notably Tornado Cash), the group pivoted to cross‑chain routes. Elliptic reported a 111% surge in funds processed through bridge services after the shift. The move reflects two key advantages:
- Speed - Bridges settle in seconds, outpacing manual mixing cycles that can take days.
- Volume - High‑frequency swaps flood analytics dashboards, making it harder to spot a single illicit flow.
Traditional mixers still appear in the workflow, but only as a final “clean‑up” step after the bulk of the laundering has already taken place on multiple chains.
How investigators fight back
Blockchain forensics firms have responded with cross‑chain tracing tools. TRM Labs launched TRM Phoenix in 2022, automatically linking transactions across bridges. Chainalysis now incorporates bridge‑specific heuristics in its 2025 Crypto Crime Report. These platforms pull together on‑chain data, open‑source intelligence, and proprietary threat feeds to generate visual graphs that show the full laundering pipeline.
Law‑enforcement agencies also play a role. The FBI issued advisories in August 2023 urging exchanges to freeze wallets linked to known Lazarus addresses. The UN has called the activity a direct financing source for the DPRK’s weapons programs, prompting member states to strengthen sanctions on crypto‑related entities.
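The core step that cross‑chain tracing tools automate is re-joining a deposit into a bridge on one chain with the matching payout on another. The sketch below is an added example, not code from this article or from any vendor's product: the names `BridgeEvent`, `link_bridge_hops` and `trace`, the 30-minute delay, the 100 basis-point fee tolerance and all sample events are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BridgeEvent:
    chain: str
    tx: str
    address: str  # sender for a deposit, recipient for a withdrawal
    asset: str    # canonical symbol, wrapped and native forms normalized
    amount: int   # smallest unit of the asset, always positive
    ts: int       # unix seconds

def link_bridge_hops(deposits, withdrawals, max_delay=1800, max_fee_bps=100):
    """Pair each deposit with at most one withdrawal on another chain.
    A candidate has the same asset, arrives 0..max_delay seconds later and is
    smaller by 0..max_fee_bps basis points; lowest fee wins, then delay."""
    used, links = set(), []
    for d in sorted(deposits, key=lambda e: e.ts):
        best = None
        for i, w in enumerate(withdrawals):
            if i in used or w.chain == d.chain or w.asset != d.asset:
                continue
            delay = w.ts - d.ts
            fee_bps = (d.amount - w.amount) * 10_000 // d.amount
            if 0 <= delay <= max_delay and 0 <= fee_bps <= max_fee_bps:
                if best is None or (fee_bps, delay) < best[0]:
                    best = ((fee_bps, delay), i)
        if best is not None:
            used.add(best[1])
            links.append((d, withdrawals[best[1]]))
    return links

def trace(chain, address, links):
    """Follow linked hops from (chain, address) to the last known location."""
    path = [(chain, address)]
    while True:
        nxt = next((w for d, w in links if (d.chain, d.address) == path[-1]
                    and (w.chain, w.address) not in path), None)
        if nxt is None:
            return path
        path.append((nxt.chain, nxt.address))

# Constructed sample events, not real transactions or addresses.
DEPOSITS = [BridgeEvent("ethereum", "d1", "0xA1", "BTC", 1_000_000, 1000),
            BridgeEvent("avalanche", "d2", "avaxB2", "BTC", 997_000, 1400),
            BridgeEvent("ethereum", "d3", "0xZZ", "BTC", 5_000_000, 1010)]
WITHDRAWALS = [BridgeEvent("avalanche", "w1", "avaxB2", "BTC", 997_000, 1120),
               BridgeEvent("tron", "w2", "TC3", "BTC", 994_500, 1500),
               BridgeEvent("avalanche", "w3", "avaxQ9", "BTC", 4_990_000, 1200)]
```

Amount-and-time matching is only a heuristic: where a bridge records the destination address in its own event data, that field gives an exact link and should be preferred, and the path stitching here assumes the receiving address is the one that makes the next deposit.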
Comparison: Traditional Mixers vs Cross‑Chain Bridge Laundering
Method | Typical Platform | Key Advantage | Main Weakness |
---|---|---|---|
Mixing (coin‑tumbling) | Wasabi, Tornado Cash, CryptoMixer | Obfuscates origin on a single chain | Slow, increasing regulatory pressure, address tagging |
Cross‑chain bridge hopping | Ren Bridge, Avalanche Bridge, Wormhole | Fast, high‑volume, spans multiple ecosystems | Complex detection requires cross‑chain analytics, bridge contracts can be seized |

Economic & geopolitical impact
The scale is staggering: $660.5 million stolen in 2023, $1.34 billion in 2024, and over $2 billion in 2025 according to multiple analytics firms. A senior Biden administration official warned that roughly half of North Korea’s foreign‑currency earnings now come from cyber‑crime, with crypto theft being the fastest‑growing slice. The United Nations has linked these revenues directly to the regime’s missile and nuclear programs, turning crypto laundering into a matter of global security rather than a niche crime.
Future outlook: what to expect
Analysts see three trends shaping the next wave of DPRK laundering:
- More human‑targeted attacks - Phishing, fake job offers, and deep‑fake social engineering will replace many technical exploits, expanding the pool of vulnerable high‑net‑worth individuals.
- Obscure‑chain diversification - Hackers will experiment with emerging Layer‑2 solutions and niche networks where analytics coverage is still thin.
- Automated “flood‑the‑zone” bots - AI‑driven scripts will generate thousands of micro‑transactions per second, making real‑time detection almost impossible without dedicated cross‑chain monitoring.
Staying ahead means that exchanges, custodians, and regulators must invest in cross‑chain forensic tools, share address intelligence quickly, and enforce strict KYC/AML checks on bridge‑related activity.
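As an added example of what monitoring bridge‑related activity can look like on the compliance side (not code from this article or from any analytics vendor), the detector below flags an address cluster that touches three or more chains in a short burst. The function name, the `(ts, cluster_id, chain)` event shape, the thresholds and the sample events are all assumptions; cluster IDs are taken to come from an existing address-clustering step.

```python
from collections import defaultdict, deque

def flag_chain_hopping(events, window=600, min_chains=3, min_events=5):
    """Return {cluster_id: (alert_ts, chains_seen)} for the first alert only.

    events: (ts, cluster_id, chain) tuples for bridge-related transfers.
    A cluster alerts when it has >= min_events transfers touching
    >= min_chains distinct chains within `window` seconds (assumed limits).
    """
    recent = defaultdict(deque)  # cluster -> (ts, chain) still inside window
    alerts = {}
    for ts, cluster, chain in sorted(events):
        q = recent[cluster]
        q.append((ts, chain))
        # Drop transfers that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        chains = {c for _, c in q}
        if (cluster not in alerts and len(q) >= min_events
                and len(chains) >= min_chains):
            alerts[cluster] = (ts, sorted(chains))
    return alerts

# Constructed sample events, not real activity.
EVENTS = (
    # C1: five transfers across three chains in two minutes.
    [(0, "C1", "ethereum"), (30, "C1", "ethereum"), (60, "C1", "avalanche"),
     (90, "C1", "avalanche"), (120, "C1", "tron")]
    # C2: the same three chains, but spread over hours.
    + [(0, "C2", "ethereum"), (4000, "C2", "avalanche"), (9000, "C2", "tron"),
       (9100, "C2", "tron"), (9200, "C2", "tron")]
    # C3: a busy cluster that stays on one chain.
    + [(t, "C3", "ethereum") for t in range(10, 70, 10)]
)
```

Only C1 alerts with the default window; C2 and C3 show why the rule needs both the chain count and the time bound, since either condition alone would flag ordinary multi-chain users or high-volume single-chain traders.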
Frequently Asked Questions
What exactly is a cross‑chain bridge?
A cross‑chain bridge is a smart‑contract‑based system that lets users move tokens from one blockchain to another. The bridge locks the original asset on the source chain and mints an equivalent token on the destination chain, enabling seamless swaps across ecosystems.
Why are traditional mixers less effective against North Korean hackers now?
Since 2022 regulators have seized or sanctioned many mixers, and global AML frameworks now require exchanges to screen mixer‑related addresses. The Lazarus Group therefore shifted to bridges, which are harder to block because they are integral parts of many DeFi protocols.
Can ordinary crypto users protect themselves from these attacks?
Yes. Use hardware wallets, enable multi‑factor authentication, verify URLs carefully, and never share private keys. Treat unsolicited job offers or investment pitches with extreme suspicion, as they’re common phishing vectors for the Lazarus Group.
How do law‑enforcement agencies trace funds across multiple blockchains?
Investigators rely on cross‑chain analytics platforms (e.g., TRM Phoenix, Chainalysis Reactor) that map bridge contracts, monitor address clustering, and combine on‑chain data with open‑source intelligence. This creates a unified graph that shows where the money started and where it’s headed.
What sanctions are in place against DPRK crypto activities?
The UN Security Council imposes comprehensive sanctions on North Korean financial activities, including crypto. The U.S. Treasury’s OFAC adds specific wallet addresses linked to the Lazarus Group to its Specially Designated Nationals (SDN) list, making any transaction with those addresses illegal for U.S. persons.
Hari Chamlagai
October 13, 2025 AT 09:34
The pattern described isn’t new; North Korean actors have been perfecting cross‑chain hopping for years. Their playbook shows a ruthless efficiency that outpaces most private‑sector threat actors. By leveraging bridges, they bypass the bottlenecks of traditional mixers and force analysts to chase phantom trails. The speed of these hops also strains the capacity of many compliance engines, which were designed for single‑chain transactions. In short, the regime treats blockchain as a high‑speed freight corridor for illicit cash.