Cyber Security News

Crypto Exchange OKX Suspends Tool Used by North Korean Hackers to Steal Funds

Cryptocurrency exchange OKX has temporarily suspended its decentralized exchange (DEX) aggregator service following allegations that North Korea’s state-sponsored Lazarus Group exploited it to launder funds stolen from the recent Bybit hack. 

The suspension, announced on March 17, 2025, coincides with heightened regulatory scrutiny and efforts to enhance platform security.

The Lazarus Group, notorious for state-backed cyberattacks, stole $1.4 billion in Ethereum from Bybit in February 2025. 

The hackers later converted a substantial portion of the stolen assets into Bitcoin, with blockchain analysis revealing that $100 million was laundered through OKX’s Web3 DEX aggregator.

Bybit Hack and Lazarus Group’s Involvement

The DEX aggregator, designed to route trades across multiple DEXs for optimal pricing, was mistakenly labeled by blockchain explorers as the platform executing the transactions, rather than the underlying DEXs that actually filled them.

Bybit CEO Ben Zhou confirmed the laundering route, stating that OKX’s aggregator played a critical role in moving funds through decentralized protocols like THORChain and eXch.

European regulators, including the European Securities and Markets Authority (ESMA), have launched investigations into whether OKX’s DEX aggregator violates the Markets in Crypto-Assets (MiCA) regulatory framework. 

The exchange faces potential penalties for allegedly failing to prevent misuse of its platform. OKX has denied direct custodial responsibility, emphasizing that its aggregator merely aggregates liquidity without holding user assets. 

However, critics argue that the lack of clear labeling on blockchain explorers hid the true DEXs involved in the transactions, enabling Lazarus to obscure the fund trail.

Security Upgrades

In response to the allegations, OKX has implemented real-time hacker address detection systems to block malicious actors on its centralized exchange (CEX) and DEX aggregator.

The platform also introduced IP blocking for prohibited markets and collaborated with blockchain explorers to correct transaction labeling inaccuracies. 
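As an added illustration of the kind of pre-trade address screening described above (example code written for this article, not OKX's system; every address below is a constructed placeholder), the following screens each address a routed swap touches against a flagged set, normalizing EVM address case so a mixed-case variant of a listed address is not missed, and records the underlying venue for each hop so the aggregator is not the only label left on the trail:

```python
from dataclasses import dataclass

EVM_CHAINS = {"ethereum", "arbitrum", "bsc"}  # chains with case-insensitive hex addresses (assumed set)

@dataclass(frozen=True)
class Hop:
    chain: str          # chain the hop settles on
    venue: str          # underlying DEX / bridge name, kept for attribution
    venue_address: str  # contract or deposit address the hop touches

@dataclass
class SwapRequest:
    sender: str
    sender_chain: str
    recipient: str
    recipient_chain: str
    hops: list  # list[Hop], in execution order

def normalize(chain: str, address: str) -> tuple:
    """Canonical (chain, address) key for denylist lookups. EVM addresses are
    case-insensitive hex, so a mixed-case checksum form must collapse to lowercase
    or a naive string match silently misses it; other chains are kept as-is."""
    addr = address.strip()
    if chain in EVM_CHAINS:
        if not (addr.startswith("0x") and len(addr) == 42):
            raise ValueError(f"malformed EVM address: {address!r}")
        int(addr[2:], 16)  # raises ValueError if the body is not hex
        addr = addr.lower()
    return (chain, addr)

def screen_swap(req: SwapRequest, flagged: set) -> dict:
    """Screen every counterparty the routed swap touches (not only sender/recipient)
    and emit a per-hop attribution record that names the underlying venue."""
    touched = [("sender", req.sender_chain, req.sender),
               ("recipient", req.recipient_chain, req.recipient)]
    touched += [(f"hop[{i}]:{h.venue}", h.chain, h.venue_address)
                for i, h in enumerate(req.hops)]
    hits = [role for role, chain, addr in touched if normalize(chain, addr) in flagged]
    attribution = [{"chain": h.chain, "venue": h.venue,
                    "address": normalize(h.chain, h.venue_address)[1]} for h in req.hops]
    return {"allowed": not hits, "hits": hits, "attribution": attribution}

# Constructed sample data: placeholder addresses and venue names, not real indicators.
FLAGGED = {normalize("ethereum", "0x" + "ab" * 20), ("bitcoin", "bc1q-placeholder-flagged")}
SAMPLE_REQUEST = SwapRequest(
    sender="0x" + "11" * 20, sender_chain="ethereum",
    recipient="0x" + "AB" * 20, recipient_chain="ethereum",  # mixed-case form of a flagged address
    hops=[Hop("ethereum", "dex-pool-A", "0x" + "22" * 20),
          Hop("ethereum", "bridge-router-B", "0x" + "33" * 20)])
```

Calling `screen_swap(SAMPLE_REQUEST, FLAGGED)` blocks the request on the recipient while still returning the per-hop attribution a downstream explorer or AML analyst can use.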

The incident underscores how self-custodial wallets and DEX aggregators can be abused to enable large-scale laundering.

While OKX maintains that its Web3 service is not a custodial entity, the case highlights gaps in anti-money laundering (AML) protocols and the need for stricter Know Your Customer (KYC) enforcement across decentralized platforms. 

The Lazarus Group’s use of chain-hopping (converting assets across blockchains) and privacy mixers further complicates tracking, with only 3% of the stolen funds frozen to date.

As global regulators grapple with crypto’s decentralized nature, exchanges like OKX face intensified pressure to balance innovation with compliance. 

The suspension of its DEX aggregator marks a rare preemptive step, though critics argue it may be too late. Meanwhile, Bybit’s $140 million bounty program to recover stolen funds has yielded limited success, with most assets still circulating anonymously. 

For OKX, the next steps will hinge on restoring trust while navigating the regulatory minefield of MiCA and similar frameworks.

This incident serves as a stark reminder of the cat-and-mouse dynamics in crypto security, where sophisticated adversaries like Lazarus exploit technical loopholes to evade detection. 

As exchanges like OKX refine their defenses, the broader industry must address systemic vulnerabilities in DEXs and aggregators to prevent future misuse.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.
