
Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds

The Seychelles-based cryptocurrency exchange OKX is temporarily shutting down a popular tool after discovering North Korean hackers were attempting to use it to launder funds stolen from other platforms.

OKX published a notice on Sunday claiming it had detected a coordinated effort by the Lazarus Group, one of North Korea’s most prolific hacking outfits, to misuse its decentralized finance (DeFi) services.

“After consulting with regulators, we made the proactive decision to temporarily suspend our [decentralized exchange] aggregator services,” the company said. “This move allows us to implement additional upgrades to prevent further misuse.”

In another message on social media, the company claimed the efforts by Lazarus Group had been “unsuccessful.”

The action comes one week after Bloomberg reported that European regulators were looking into the platform’s compliance with EU rules.

Last month, more than $1.4 billion was stolen by North Korean hackers from crypto platform Bybit, and Bybit’s CEO recently said about $100 million of the stolen funds has been laundered through OKX, making it difficult for law enforcement to trace and claw it back. 

Other crypto platforms have previously said hackers use OKX to launder stolen funds, and last month the company pleaded guilty to one count of operating an unlicensed money transmitting business following charges issued by the U.S. Justice Department. 

FBI Assistant Director in Charge James Dennehy said the platform, which paid a penalty of more than $504 million, had “flagrantly violated U.S. law.” 

“Furthermore, in their failure to adhere to U.S. law, significant illicit transactions which furthered other criminal activity went undetected on their platform,” Dennehy added. 

In its message on Sunday, OKX criticized “targeted media attacks” that questioned their “integrity and operations.” They said they could no longer “ignore the fact that these attacks are happening at a time when we are actively fighting against financial crime.”

“We know that transparency is key, so we're also working closely with blockchain explorers to correct incomplete labeling. Our goal is to ensure that explorers properly highlight the actual [decentralized exchange] processing trades rather than mistakenly identifying our aggregator as the point of trade,” they explained. 

OKX added that it is rolling out systems that detect blockchain addresses attributed to hackers and block them. 

The company also criticized Bloomberg’s reporting, arguing that it freezes illicit funds moving into its platform. 

OKX also slammed Bybit for accusing the platform of being involved in the laundering effort. In messages to CoinDesk, a spokesperson for the platform said OKX’s tool is simply an aggregator that finds the best price to execute trades before the final trade is conducted on another platform. 

The North Korean hackers behind the Bybit theft have quickly laundered large chunks of the stolen funds, highlighting the skill of the threat actors and the continued lack of controls in the cryptocurrency space. 

The FBI urged private sector entities like OKX “to block transactions with or derived from addresses … actors are using to launder the stolen assets.”

But the law enforcement agency acknowledged that the hackers “are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains.” 

“It is expected these assets will be further laundered and eventually converted to fiat currency,” the FBI said in an alert.

North Korea’s Lazarus Group has stolen billions worth of cryptocurrency over the last nine years, with blockchain monitoring firm Chainalysis saying hacking groups connected to North Korea’s government stole $1.34 billion worth of cryptocurrency across 47 incidents in 2024.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.