On 3 April 2026, our intelligence team observed an unusual pattern of consolidation across approximately 140 Tron wallets previously attributed to the Lazarus Group. Over the subsequent 72 hours, roughly 900 million USDT moved through a tree of intermediate wallets, eventually reaching three terminal clusters that exhibit characteristics consistent with over-the-counter (OTC) off-ramping.

The consolidation began from addresses we had previously clustered based on the Harmony Horizon Bridge exploit (June 2022), the Ronin Bridge exploit (March 2022), and the Stake.com hot wallet compromise (September 2023). Residual funds from these incidents had been held in dormant wallets for months, occasionally stirring in small amounts, but never at this scale.

The movement followed a characteristic Lazarus pattern: peeling chains of diminishing amounts, designed to obscure the total flow by breaking it into thousands of sub-transactions. Peeling chains are not new, but the speed here — an average of 2.3 hops per minute — suggests automation rather than manual operation. We observed no human-scale delays in the transaction timings.
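The peeling pattern and hop-rate reasoning above can be checked mechanically over a transfer list. The Python below is an added example, not AMLRegister's tooling: the wallet labels, amounts and timestamps are constructed, and the 0.8 remainder ratio, 3-hop minimum and 60-second gap threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample: (sender, receiver, amount_usdt, unix_seconds).
# Wallet labels are placeholders, not real Tron addresses.
TRANSFERS = [
    ("W0", "W1", 1000.0, 0),
    ("W1", "P1", 50.0, 20),    # small "peel" to a side wallet
    ("W1", "W2", 950.0, 25),   # remainder moves to the next hop
    ("W2", "P2", 60.0, 50),
    ("W2", "W3", 890.0, 52),
    ("W3", "P3", 40.0, 75),
    ("W3", "W4", 850.0, 78),
]

def trace_peel_chain(transfers, start, min_remainder_ratio=0.8):
    """Follow the remainder output hop by hop; return [(sender, receiver, amount, ts)]."""
    outgoing = defaultdict(list)
    for sender, receiver, amount, ts in transfers:
        outgoing[sender].append((amount, receiver, ts))
    chain, seen, current, prev_amount = [], {start}, start, float("inf")
    while current in outgoing:
        total = sum(amount for amount, _, _ in outgoing[current])
        amount, receiver, ts = max(outgoing[current])  # largest output = remainder
        # Stop on loops, on a growing remainder, or on an even split (not a peel).
        if receiver in seen or amount > prev_amount or amount / total < min_remainder_ratio:
            break
        chain.append((current, receiver, amount, ts))
        seen.add(receiver)
        current, prev_amount = receiver, amount
    return chain

def hops_per_minute(chain):
    """Hop rate over the chain's elapsed time; 0.0 if it cannot be computed."""
    if len(chain) < 2:
        return 0.0
    elapsed = chain[-1][3] - chain[0][3]
    return (len(chain) - 1) * 60.0 / elapsed if elapsed > 0 else 0.0

def looks_automated(chain, min_hops=3, max_gap_s=60):
    """True when every gap between hops is shorter than an assumed human-scale delay."""
    gaps = [b[3] - a[3] for a, b in zip(chain, chain[1:])]
    return len(chain) >= min_hops and all(0 <= g <= max_gap_s for g in gaps)

if __name__ == "__main__":
    chain = trace_peel_chain(TRANSFERS, "W0")
    for hop in chain:
        print(hop)
    print(round(hops_per_minute(chain), 2), looks_automated(chain))
```

On real data the thresholds need tuning against known benign flows such as exchange sweeps, which can also forward most of a balance in quick succession.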

The intermediate layer included 41 wallets that had received funds from known sanctions-designated exchanges in the DPRK's orbit. This is consistent with a model where DPRK-linked OTC desks are servicing the Lazarus Group, acting as both liquidity providers and off-ramps. Several of these intermediaries were first seen in March 2025 and have been operationally consistent since.

What's new is the terminal off-ramp. Two of the three terminal clusters resolve to wallets at an unlicensed VASP operating out of a high-risk jurisdiction. The third cluster resolves to a series of fresh Tron addresses that then bridge to Ethereum and interact with a non-compliant DEX aggregator. From there, the trail becomes harder to follow, but we have high confidence that the funds are heading for fiat off-ramp rather than further consolidation.

The compliance implications are immediate. All addresses in the intermediate and terminal clusters have been flagged across our partner network as of 5 April. We've shared the attribution set with relevant authorities. For institutional users of AMLRegister: if you have touched any of these addresses, we recommend an elevated review.

The broader pattern matters more than the individual incident. For three years, the Lazarus Group preferred Ethereum and its bridge ecosystem for laundering. Over the past twelve months, we've seen a decisive shift to Tron-based USDT, which offers lower fees, faster confirmation times, and — critically — a smaller pool of operational sanctions attribution. This mirrors the broader market migration of illicit liquidity to stablecoins on Tron.

From a technique perspective, two innovations stand out. First, the use of TVM smart-contract proxies to split flows in ways that look like normal dApp interaction rather than peeling. Second, the integration of cross-chain bridges into the laundering loop, with funds touching Ethereum, BNB Chain, and even XRP in some branches before returning to Tron for the final hops.

These tactics suggest a mature, well-resourced team with access to operational wallets across every major chain. Defence against this is not about any single attribution list; it's about risk-based scoring that considers address age, transaction velocity, counterparty distribution, and adjacency to known clusters. Our April methodology update added weights for each of these signals.

We'll continue to track this consolidation. If it proceeds as expected, we anticipate a wave of attempted fiat off-ramps across the second half of April. The implicated OTC jurisdictions have been notified through appropriate channels.