money-laundering

Lazarus Group is a North Korean state-sponsored advanced persistent threat (APT) actor, also tracked as APT38, TraderTraitor, BlueNorOff, Hidden Cobra, and ZINC, operating under the Reconnaissance General Bureau (RGB) of the Korean People's Army. Active since approximately 2009, the group has stolen an estimated $6.75 billion in cryptocurrency through targeted attacks on exchanges, bridges, and blockchain companies, using stolen funds to finance North Korea's weapons programs and circumvent international sanctions. The U.S. Department of Justice has indicted three named members, and OFAC placed the group on the Specially Designated Nationals (SDN) list in April 2022.

Tornado Cash is a decentralized, non-custodial cryptocurrency mixing protocol deployed on Ethereum in December 2019, co-founded by Roman Storm, Roman Semenov, and Alexey Pertsev. It was sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) in August 2022 for allegedly laundering over $7 billion in virtual currency, including hundreds of millions stolen by North Korea's Lazarus Group; the sanctions were later lifted in March 2025 following a Fifth Circuit ruling that immutable smart contracts do not constitute sanctionable 'property' under IEEPA. All three co-founders face or have faced criminal proceedings: Pertsev was convicted in the Netherlands in May 2024 and sentenced to 64 months in prison, Storm was convicted on one of three counts in the U.S. in August 2025, and Semenov remains at large.

Pink Drainer was a Drainer-as-a-Service (DaaS) phishing toolkit that operated from approximately July 2023 to May 2024, facilitating the theft of over $85.3 million in cryptocurrency from more than 21,000 victims across Ethereum and other networks. The operators ran the service by licensing a sophisticated wallet-draining script to affiliate phishers for a 20-30% cut of stolen proceeds, then announced a voluntary shutdown on May 17, 2024, citing their goal as 'accomplished.'

Fake Ledger Live apps are malicious wallet impersonation applications distributed through official app stores — including the Microsoft Store and Apple App Store — that harvest cryptocurrency seed phrases to drain victims' wallets. Two major documented incidents have resulted in confirmed losses of at least $10.3 million: approximately $768,000 via the Microsoft Store in November 2023, and approximately $9.5 million via the Apple App Store in April 2026. Parallel macOS malware campaigns distributing trojanized DMG installers have been active since at least August 2024, with four concurrent active campaigns identified by security researchers.

eXch (exch.cx) was a no-KYC instant cryptocurrency swap service operating from 2014 until its forced shutdown in May 2025. Registered in Belize under the name Private Project Facilitators LTD, the platform processed an estimated $1.9 billion in total volume, deliberately advertising its absence of anti-money laundering controls on criminal underground forums. German federal law enforcement seized approximately $38 million in cryptocurrency assets and 8 terabytes of data from the platform in April 2025, following evidence linking eXch to laundering roughly $200 million of funds stolen in the $1.46 billion Bybit hack carried out by North Korea's Lazarus Group.

TradeOgre was an unregistered, no-KYC cryptocurrency exchange founded around 2018 and known for listing privacy coins including Monero (XMR) and Pirate Chain. On September 18, 2025, the RCMP executed Canada's largest-ever cryptocurrency seizure, dismantling the platform and seizing over CAD $56 million (approximately USD $40 million) in digital assets. Investigators determined that the majority of funds transacted on the platform came from criminal sources, including ransomware proceeds, darknet market activity, hacking exploits, and fraud schemes.

Sportsbet.io is a cryptocurrency gambling and sports betting platform operated by mBet Solutions N.V. under the Yolo Group umbrella, licensed in Curaçao. On June 22, 2024, blockchain investigator ZachXBT publicly identified that the platform's hot wallets were drained of approximately $3.5 million in USDT and TRX, attributing the attack to the same threat actor who hours later stole an estimated $55 million from Turkish exchange BtcTurk, with stolen funds allegedly commingled between both hacks. The platform has drawn ongoing scrutiny for operating in regulatory grey markets, serving users in jurisdictions where it holds no local license, and for systemic user complaints involving account closures and fund seizures following wins. Yolo Group founder Tim Heath confirmed in 2025 that the brand is being wound down in favor of fully regulated markets.

Garden Finance is a cross-chain Bitcoin bridge protocol launched in 2023 by former Ren Protocol developers, using Hash Time Locked Contracts (HTLCs) and an intents-based solver network to enable atomic swaps across Ethereum, Solana, Arbitrum, Base, and other chains. On October 30–31, 2025, one of its largest solver operators was compromised via a leaked private key, resulting in approximately $11.4 million in stolen assets that were subsequently laundered through Tornado Cash. Prior to the exploit, blockchain investigator ZachXBT alleged that over 80% of the protocol's recent fee revenue was derived from laundering funds stolen in the February 2025 Bybit hack, which the Lazarus Group (DPRK) perpetrated for approximately $1.4 billion.