What to know:
- Lazarus Group rapidly moves stolen funds using advanced cross-chain laundering strategies
- THORChain dominates flows as crypto bridge laundering accelerates after major exploit
- DeFi security concerns grow as laundering exposes systemic cross-chain vulnerabilities
Lazarus Group launched crypto bridge laundering after stealing $290 million in rsETH on April 22, 2026. Within hours, funds began moving rapidly across multiple blockchain networks.
Early on-chain data shows the operation relied heavily on LayerZero and cross-chain bridges. Investigators linked the activity to previous Lazarus Group hack patterns involving fund commingling.
Patterns Indicate A Coordinated Money Laundering Operation
Specter, an on-chain analyst, reported that there were over 1,600 transactions (from approximately 370 unique wallets) completed in less than 12 hours. That equates to roughly one transaction per 25 seconds at peak crypto bridge laundering levels.
At this point, according to Specter’s research, approximately $116 million worth of cryptocurrency has been transferred into Bitcoin through these various routes. An additional $61 million remains in wallets waiting to be laundered.
Due to the rapid nature of crypto bridge laundering, the operation scales after a hacker gains access to an enormous amount of cryptocurrency. Cross-chain routing is extremely difficult for monitoring tools and enforcement frameworks globally.
Also Read | Aave Sees $15.1 Billion Withdrawals After rsETH Event Triggers DeFi Shift Liquidity
THORChain Activity Dominates Fund Flows
Specter reports that he believes that approximately 99% of all the stolen funds flowed through THORChain laundering channels. During this time period, THORChain also reportedly paid out over $100,000 in affiliate fees for services rendered.
THORChain maintains that its system is permissionless and censorship-resistant. However, recent activity raises questions about the system’s accountability.
Analysts and critics believe the THORChain system enables large cryptocurrency transfers. They argue it allows hackers to move funds without being stopped by authorities.
Different Reactions To The Recent Illicit Flow
Umbra, a privacy-focused platform, confirmed that $800,000 worth of Ethereum (ETH) had passed through its system. It restricted user access via its front-end interface.
However, the firm emphasized that since it uses immutable smart contracts, it could do nothing as the illicit funds continued to flow. The ongoing ability of hackers to exploit vulnerabilities in DeFi systems highlights existing problems with governance and enforcement within this ecosystem.
Continued Exploit Incidents Increase Focus On DeFi Security Issues
The recent exploitation of the rsETH protocol contributed to a loss of more than $500 million in the DeFi space so far this month. Numerous other phishing attacks are still targeting individuals throughout many blockchain-based ecosystems.
Within just 11 hours, four separate victims each lost nearly $150,000 when a single malicious “drain” contract was utilized. Improvements have been made to monitoring and recovery processes, security-related events continue to occur.
Also Read | LayerZero (ZRO) Holds $1.82 as Breakout Nears $3 Zone
Be the first to comment