Crypto Exchange OKX Suspends Tool Used by North Korean Hackers to Steal Funds

Cryptocurrency exchange OKX has temporarily suspended its decentralized exchange (DEX) aggregator service following allegations that North Korea’s state-sponsored Lazarus Group exploited it to launder funds stolen from the recent Bybit hack. 

The suspension, announced on March 17, 2025, coincides with heightened regulatory scrutiny and efforts to enhance platform security.

The Lazarus Group, notorious for state-backed cyberattacks, stole $1.4 billion in Ethereum from Bybit in February 2025. 

The hackers later converted a substantial portion of the stolen assets into Bitcoin, with blockchain analysis revealing that $100 million was laundered through OKX’s Web3 DEX aggregator.

Bybit Hack and Lazarus Group’s Involvement

OKX’s aggregator, designed to route trades across multiple DEXs for optimal pricing, was mistakenly flagged by blockchain explorers as the direct platform executing transactions, rather than the underlying DEXs.

Bybit CEO Ben Zhou confirmed the laundering route, stating that OKX’s aggregator played a critical role in moving funds through decentralized protocols like THORChain and eXch.

European regulators, including the European Securities and Markets Authority (ESMA), have launched investigations into whether OKX’s DEX aggregator violates the Markets in Crypto-Assets (MiCA) regulatory framework. 

The exchange faces potential penalties for allegedly failing to prevent misuse of its platform. OKX has denied direct custodial responsibility, emphasizing that its aggregator merely aggregates liquidity without holding user assets. 

However, critics argue that the lack of clear labeling on blockchain explorers obscured the true DEXs involved in transactions, helping Lazarus hide the fund trail.

Security Upgrades

In response to the allegations, OKX has implemented real-time hacker address detection systems to block malicious actors on its centralized exchange (CEX) and DEX aggregator.

The platform also introduced IP blocking for prohibited markets and collaborated with blockchain explorers to correct transaction labeling inaccuracies. 

The incident underscores the vulnerabilities of self-custodial wallets and DEX aggregators in enabling large-scale laundering. 

While OKX maintains that its Web3 service is not a custodial entity, the case highlights gaps in anti-money laundering (AML) protocols and the need for stricter Know Your Customer (KYC) enforcement across decentralized platforms. 

The Lazarus Group’s use of chain-hopping (converting assets across blockchains) and privacy mixers further complicates tracking, with only 3% of the stolen funds frozen to date.

As global regulators grapple with crypto’s decentralized nature, exchanges like OKX face intensified pressure to balance innovation with compliance. 

The suspension of its DEX aggregator marks a rare preemptive step, though critics argue it may be too late. Meanwhile, Bybit’s $140 million bounty program to recover stolen funds has yielded limited success, with most assets still circulating anonymously. 

For OKX, the next steps will hinge on restoring trust while navigating the regulatory minefield of MiCA and similar frameworks.

This incident serves as a stark reminder of the cat-and-mouse dynamics in crypto security, where sophisticated adversaries like Lazarus exploit technical loopholes to evade detection. 

As exchanges like OKX refine their defenses, the broader industry must address systemic vulnerabilities in DEXs and aggregators to prevent future misuse.

The post Crypto Exchange OKX Suspends Tool Used by North Korean Hackers to Steal Funds appeared first on Cyber Security News.

rssfeeds-admin
