OKX Halts DEX Aggregator Following Claims of Crypto Laundering by Lazarus Group
Cryptocurrency exchange OKX has temporarily halted its decentralized exchange (DEX) aggregator service following claims that North Korea’s state-backed Lazarus Group used it to launder stolen funds from the recent Bybit hack.
The suspension, announced on March 17, 2025, comes amid increasing regulatory scrutiny and heightened security efforts within the crypto industry.
Lazarus Group and the Bybit Hack
The Lazarus Group, known for its sophisticated cyberattacks, stole $1.4 billion in Ethereum from Bybit in February 2025. A significant portion of these funds was later converted into Bitcoin, with blockchain analysis revealing that $100 million was laundered through OKX’s Web3 DEX aggregator.
Blockchain explorers mistakenly labeled this tool, which is designed to optimize trades across multiple DEXs, as the platform directly executing the transactions rather than the underlying DEXs involved. Bybit CEO Ben Zhou confirmed that OKX’s aggregator played a key role in routing stolen funds through decentralized protocols like THORChain and eXch.
Regulatory and Security Concerns
The incident has drawn attention to gaps in anti-money laundering (AML) protocols and the lack of Know Your Customer (KYC) enforcement across decentralized platforms. While OKX maintains that its Web3 service is not a custodial entity, the case underscores the risks of self-custodial wallets and DEX aggregators in facilitating large-scale money laundering.
European regulators, including the European Securities and Markets Authority (ESMA), have launched investigations into whether OKX’s DEX aggregator violated the Markets in Crypto-Assets (MiCA) framework. If found negligent, the exchange could face penalties for failing to prevent illicit activities.
OKX has denied direct custodial responsibility, arguing that its aggregator only provides liquidity routing without holding user funds. However, critics point out that poor labeling on blockchain explorers allowed Lazarus to obscure the true origins of transactions, complicating fund-tracing efforts.
Industry-Wide Challenges and Security Upgrades
The Lazarus Group’s use of chain-hopping (moving assets across blockchains) and privacy mixers has made it difficult to track and freeze the stolen funds. To date, only 3% of the laundered funds have been recovered.
In response to these allegations, OKX has introduced real-time hacker address detection systems to block malicious actors on both its centralized exchange (CEX) and DEX aggregator. The exchange has also implemented IP blocking for prohibited markets and partnered with blockchain explorers to correct transaction labeling inaccuracies.
Despite these efforts, critics argue that OKX’s decision to suspend its DEX aggregator is too little, too late. Meanwhile, Bybit’s $140 million bounty program for recovering stolen funds has seen limited success, with most assets still circulating anonymously.
The Ongoing Battle Against Crypto Laundering
This case highlights the ongoing challenges in securing decentralized finance (DeFi) platforms against state-sponsored cyber threats. Lazarus Group and similar adversaries continue to exploit loopholes in blockchain security, making it crucial for exchanges to tighten security measures and work closely with regulators.
As the crypto industry navigates increasing regulatory pressure, platforms like OKX must find a balance between innovation, security, and compliance to prevent future misuse of decentralized tools.