When the Lykke hack was first reported in June 2024, the damage seemed immediate: about 158 BTC and 2,161 ETH, worth roughly $23 million, vanished from the UK-based Lykke exchange. Withdrawals and trading were frozen, and the platform quickly spiraled into insolvency. However, the identity of the attackers remained officially unconfirmed for over a year.

Only in August 2025 did the UK Treasury’s Office of Financial Sanctions Implementation (OFSI) formally attribute the theft to North Korea’s Lazarus Group. The prolonged delay highlights the complexity of crypto laundering and why it is often slow and contentious to attribute these hacks when state-sponsored actors are involved.

The Laundering Playbook: How Lazarus Hid the Trail

The Lazarus Group is infamous for moving stolen digital assets through a web of crypto laundering channels. The Lykke case showed how sophisticated these tactics have become:

  • Token conversions: Ethereum from the hack was swapped into DAI stablecoins using decentralized finance (DeFi) protocols.
  • Wallet splitting: Bitcoin was dispersed across multiple wallets to scatter traces and break up transaction flows.
  • Crypto mixers: The group relied on services such as Tornado Cash, which remain central to their laundering strategy despite sanctions.
  • Decentralized exchanges laundering: Without a central authority, DEX platforms provided another layer of obfuscation, making forensic tracking far more difficult.

Whitestream analysts eventually reconstructed the flows. They discovered that the stolen funds had passed through entities notorious for ignoring anti-money-laundering controls. This confirmed long-held suspicions about Lazarus’ tactics.

>>> Read more: How North Korea Steals Crypto

Why Attribution Took Over a Year

Attributing a Lazarus crypto hack is not as simple as following the money. In the case of the Lykke hack, several factors dragged the process out:

  • Forensic complexity: Multi-hop transfers, cross-chain swaps, and mixer use obscured patterns that investigators had to painstakingly reconstruct.
  • International coordination: Attributing the hack required the UK Treasury to collaborate with external forensic firms and international agencies, ensuring the claim could stand up to scrutiny.
  • Independent verification: OFSI waited until Whitestream and other analysts confirmed the laundering methods before going public.
  • Skepticism in cybersecurity circles: Some experts argued the evidence was not conclusive, pushing regulators to hold off until they built a stronger case.

This caution reflects the stakes. Accusing a nation-state group like the Lazarus Group has political as well as legal consequences. It also shows why attributing these incidents remains one of the hardest challenges in digital forensics.

The Lykke exchange collapse illustrates the devastating ripple effects of crypto hacks. By March 2025, more than 70 users had filed claims totaling about £5.7 million. The courts ordered Lykke into liquidation, appointing Interpath Advisory to manage any asset recovery.

Founder Richard Olsen declared bankruptcy in January 2025 and is under criminal investigation in Switzerland related to the platform’s downfall. Customers, meanwhile, have to wait in line with little chance of full reimbursement.

Broader Implications

The Lykke case highlights the widening gap between sophisticated crypto hacks and the regulatory protections available to smaller exchanges. It underscores three key lessons:

  1. Crypto laundering tactics are evolving faster than compliance systems. Crypto mixers, token swaps, and DEXs make it harder to trace funds in real time.
  2. Attributing hacks is slow by necessity. To avoid missteps, regulators require corroboration across multiple investigative bodies.
  3. Victims often pay the price. By the time attribution is made, platforms like Lykke are already defunct, and customer losses remain unresolved.

>>> Read more: North Korea Crypto Hackers Undermine the Crypto Ecosystem

The Lykke hack shows that in the contest between crypto criminals and regulators, time favors the attacker. The Lazarus Group successfully laundered millions and avoided attribution for more than a year, buying cover through a maze of wallets, mixers, and decentralized exchanges. By the time investigators caught up, the Lykke exchange had already collapsed, destroying customer trust and wiping out the platform.

For regulators, exchanges, and users, the message is clear: securing digital assets requires not just stronger defenses. It requires faster, globally coordinated responses to hacks. Otherwise, groups like Lazarus will continue to exploit the lag between theft and accountability.

For victims, time is money — and in crypto, both can vanish overnight.

Readers’ frequently asked questions

Why do hackers like Lazarus target smaller exchanges such as Lykke?

Smaller exchanges often lack the same compliance staff and advanced security systems as large global platforms. This makes them easier targets for groups that rely on fast-moving thefts and laundering before law enforcement can react.

What happens to stolen crypto once it is laundered through mixers and DeFi platforms?

Once assets are obscured, hackers typically convert them into stablecoins or fiat via over-the-counter brokers and unregulated exchanges. These funds can then be used to finance state operations or reinvested in further illicit activity.

Can authorities freeze or recover stolen assets once attribution is made?

Authorities can issue sanctions and request wallet blacklisting through major exchanges, but recovery is rare. Once funds have been converted and moved through decentralized platforms, tracing becomes much harder and actual restitution to victims is unlikely.

What Is In It For You? Action items you might want to consider

Stay cautious when using smaller exchanges

The Lykke collapse shows how quickly a mid-tier platform can go under after a hack. If you trade or hold assets, prioritize exchanges with robust licensing and security audits.

Groups like Lazarus often recycle their laundering methods — token swaps, Tornado Cash, DEX activity. Keeping track of these patterns can help traders and analysts anticipate risk in markets exposed to suspicious flows.

Diversify custody and use self-storage options

Dependence on custodial exchanges increases exposure to hacks. Consider spreading assets across multiple platforms and using hardware or non-custodial wallets for long-term holdings.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here