
Lazarus Group Linked to $305 Million DMM Bitcoin Hack as $35 Million Laundered Through Huione Guarantee

On-chain investigator ZachXBT published findings on July 14, 2024, linking North Korea’s Lazarus Group to the devastating $305 million hack of Japanese crypto exchange DMM Bitcoin, which occurred in May 2024. The revelation came as the blockchain sleuth traced approximately $35 million in stolen funds being laundered through the Cambodia-based online marketplace Huione Guarantee, exposing a sophisticated multi-chain laundering operation that highlights the persistent threat posed by state-sponsored cybercriminal groups.

The Exploit Mechanics

The original hack targeted DMM Bitcoin on May 31, 2024, resulting in the theft of 4,502.9 BTC, valued at approximately 48 billion yen, or roughly $305 million at the time of the breach. The exchange confirmed the incident shortly after, suspending withdrawals and launching an internal investigation. DMM Bitcoin subsequently raised approximately $320 million to fully compensate affected users, underscoring the severity of the attack and the exchange’s commitment to making its customers whole.

According to ZachXBT’s analysis, the laundering process employed by the attackers follows a highly structured pattern consistent with Lazarus Group operations. The stolen Bitcoin is first deposited into a cryptocurrency mixer to obscure its origin. Once mixed, the funds are bridged from the Bitcoin network to Ethereum or Avalanche using cross-chain protocols including THORChain, Threshold, and the Avalanche Bridge. On these smart contract platforms, the Bitcoin is swapped for USDT, then bridged once more to the Tron network via SWFT, before finally being transferred to Huione Guarantee wallets.
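The stage order described above can be checked mechanically against a traced fund path, which lets a monitoring team alert on partial progress before funds reach the cash-out stage. The following Python is an added example, not code from ZachXBT or this article; the Hop record, the generic labels ("mixer", "dex", "wrapped-BTC") and the trace are constructed assumptions standing in for an attribution data feed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    chain: str    # chain the funds sit on after this hop
    asset: str    # asset held after this hop
    service: str  # attributed service label, "" if unlabelled (assumed feed)

BTC_BRIDGES = {"THORChain", "Threshold", "Avalanche Bridge"}  # named in the article

# Ordered stages: (name, predicate(previous_hop, current_hop)).
STAGES = [
    ("mixer", lambda p, h: h.service == "mixer" and h.asset == "BTC"),
    ("bridge_out", lambda p, h: h.service in BTC_BRIDGES
        and h.chain in {"ethereum", "avalanche"}),
    ("swap_to_usdt", lambda p, h: p is not None and h.asset == "USDT"
        and p.asset != "USDT" and h.chain == p.chain),
    ("bridge_tron", lambda p, h: h.service == "SWFT"
        and h.chain == "tron" and h.asset == "USDT"),
    ("cash_out", lambda p, h: h.service == "Huione Guarantee"
        and h.chain == "tron"),
]

def match_stages(hops):
    """Return the typology stages matched, in order. Unlabelled hops between
    stages (fresh wallets, peel chains) are skipped, and a later stage never
    matches before the earlier ones have been seen."""
    matched, prev = [], None
    for hop in hops:
        stage = len(matched)
        if stage < len(STAGES) and STAGES[stage][1](prev, hop):
            matched.append(STAGES[stage][0])
        prev = hop
    return matched

# Constructed trace: one path following every stage, with unlabelled hops mixed in.
FULL_TRACE = [
    Hop("bitcoin", "BTC", ""),
    Hop("bitcoin", "BTC", "mixer"),
    Hop("bitcoin", "BTC", ""),
    Hop("ethereum", "wrapped-BTC", "Threshold"),
    Hop("ethereum", "USDT", "dex"),
    Hop("tron", "USDT", "SWFT"),
    Hop("tron", "USDT", ""),
    Hop("tron", "USDT", "Huione Guarantee"),
]

if __name__ == "__main__":
    print(match_stages(FULL_TRACE))      # full path: all five stages
    print(match_stages(FULL_TRACE[:4]))  # in-progress path: first two stages
```

A path that has matched the first two or three stages is the point at which a bridge operator or stablecoin issuer can still act, so the partial result is the one worth alerting on.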

Affected Systems

The investigation revealed that the laundering operation exploited multiple decentralized infrastructure components. Cross-chain bridges, particularly THORChain and Threshold, were used to move funds between blockchains without centralized intermediaries. The Tron network served as the final transit layer due to its low transaction fees and popularity for USDT transfers. Huione Guarantee, described by blockchain analytics firm Elliptic as having received over $11 billion in crypto since 2021 across wallets linked to its operations, functioned as the cash-out destination.

Stablecoin issuer Tether responded swiftly to the unfolding situation, blacklisting $29.6 million in USDT held in a Tron-based wallet connected to Huione Guarantee. Bitrace, a Web3 investigative tool provider, confirmed that the address was frozen because it assisted malicious actors in laundering funds from criminal activities, including fraud and crypto theft. The wallet had reportedly received approximately $14 million from the DMM Bitcoin hack within just three days.

The Mitigation Strategy

The DMM Bitcoin hack and its aftermath illustrate several important defensive strategies for cryptocurrency exchanges. First, the rapid response by Tether in freezing illicit USDT demonstrates the effectiveness of real-time on-chain monitoring and collaboration between blockchain analytics firms and stablecoin issuers. Second, the investigation by ZachXBT, an independent researcher, highlights the growing role of community-driven security efforts in the crypto ecosystem.

For exchanges specifically, the incident reinforces the critical importance of cold storage solutions for the majority of customer funds, multi-signature authorization requirements for large transfers, and real-time transaction monitoring systems capable of detecting unusual withdrawal patterns. DMM Bitcoin’s ability to compensate users through a $320 million fundraising effort also speaks to the value of maintaining adequate reserves and insurance mechanisms.

Lessons Learned

North Korean hacking groups, particularly Lazarus, have been responsible for over $1.3 billion in cryptocurrency theft throughout 2024 alone. Their methods continue to evolve, leveraging increasingly sophisticated cross-chain laundering techniques that take advantage of the decentralized finance ecosystem’s infrastructure. The use of Huione Guarantee, linked to Cambodia’s ruling Hun family through the Huione Group conglomerate, reveals how certain jurisdictions have become safe havens for processing stolen digital assets.

The crypto industry must strengthen cross-chain monitoring capabilities, develop better relationships with bridge operators to flag suspicious large-value transfers, and work more closely with regulators to identify and shut down laundering pipelines before stolen funds can be converted to fiat currency.

User Action Required

Individual cryptocurrency users should take this incident as a reminder to diversify their holdings across multiple platforms rather than keeping all funds on a single exchange. Hardware wallets remain the most secure option for long-term storage of significant cryptocurrency holdings. Users should also enable all available security features on their exchange accounts, including two-factor authentication, withdrawal whitelist restrictions, and anti-phishing codes. Staying informed about exchange security incidents and promptly moving funds when concerns arise can prevent losses from future exchange breaches.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.


7 thoughts on “Lazarus Group Linked to $305 Million DMM Bitcoin Hack as $35 Million Laundered Through Huione Guarantee”

  1. chain_forensics

    zachxbt is doing more on-chain investigative work than most three letter agencies at this point. the huione guarantee tracing was meticulous

  2. 4502.9 BTC stolen and DMM raised $320M to compensate users. That's commitment most exchanges wouldn't match.

  3. $35M through huione is just the tip. lazarus typically launders through 5-6 layers before it reaches anything traceable

    1. 5-6 layers is conservative. some of the wright chain analysis showed them going through 12+ hops before hitting huione

    2. the chain-hopping pattern zach described is textbook lazarus. mixers, bridges, stablecoin swaps, repeat. same playbook since 2019

      1. same playbook since 2019 and huione is still operating freely. at what point does the cambodian government face actual pressure to shut it down

  4. DMM raising $320M to make users whole is commendable but it's also proof that exchange insurance funds are woefully inadequate for nation state attacks
