OKX Suspends DEX Aggregator After North Korean Hackers Launder Millions

    OKX suspended its DEX aggregator after North Korea’s Lazarus Group laundered stolen crypto through it, prompting regulatory scrutiny and urgent security upgrades to prevent future exploitation.

    By News Room

    Updated Mar 18, 2025 6:17 PM GMT+0

    OKX has taken swift action by suspending its decentralized exchange aggregator after reports tied it to the notorious Lazarus Group from North Korea. This comes as regulators and crypto users demand tighter security and transparency across the industry.

    How Lazarus Group Exploited the Platform

    OKX’s decision follows revelations that the Lazarus Group laundered millions in stolen crypto through the DEX aggregator. The group, known for its state-sponsored cyberattacks, allegedly siphoned off $1.4 billion in Ethereum from Bybit in February 2025. A chunk of this, around $100 million, was later funneled through OKX’s tool and converted into Bitcoin.

    Bybit’s CEO confirmed the laundering path, stating that the aggregator inadvertently became a key player in routing stolen funds via platforms like THORChain and ExCH. Due to how blockchain explorers label transactions, OKX’s aggregator appeared to be the main executor, masking the actual DEXs handling the trades. This allowed the hackers to fly under the radar longer than expected, highlighting a critical flaw in how transaction trails are tracked across decentralized platforms.

    OKX’s Response: Security Upgrades and Suspensions

    In response, OKX immediately paused the DEX aggregator, citing incomplete tagging and the urgent need for upgrades. The exchange emphasized that its aggregator never had custody of the funds but agreed that better labeling and transparency were necessary.

    “We’re halting the DEX aggregator temporarily to improve transaction tagging and roll out enhanced security features,” OKX stated on social media. “Our goal is to protect our users and prevent misuse of our services.”

    The platform also implemented real-time hacker address detection and IP blocking for sanctioned markets. In addition, OKX began working with blockchain explorers to ensure clearer, more accurate labeling of transactions—preventing future misuse. These upgrades are aimed at strengthening the aggregator’s defenses and restoring user confidence in OKX’s services.

    Regulators Step In

    The case quickly caught the attention of European authorities, with the European Securities and Markets Authority (ESMA) investigating possible violations of the new MiCA (Markets in Crypto-Assets) regulations. If found non-compliant, OKX could face significant penalties.

    Critics argue that the design of DEX aggregators and self-custodial wallets naturally makes them vulnerable to exploitation. Without strong Know Your Customer (KYC) and Anti-Money Laundering (AML) measures, bad actors like Lazarus Group can easily route stolen assets, mixing and swapping them across chains to evade detection.

    To date, only 3% of the stolen funds have been recovered, with most still circulating across various blockchains. Bybit’s $140 million bounty program has also struggled to achieve meaningful results, showing how difficult it is to recover assets once they’re laundered through decentralized systems.

    A Wake-Up Call for the Industry

    This incident serves as a harsh reminder of the challenges facing decentralized finance platforms. While OKX took swift action, the episode exposed systemic vulnerabilities within DEX aggregators that regulators and the industry can no longer ignore.

    Moving forward, OKX’s ability to rebuild trust will depend on its commitment to transparency and compliance. As global regulations tighten, balancing innovation with security will be critical for exchanges and DeFi platforms alike. The entire crypto industry is now under pressure to refine AML protocols, enhance oversight, and plug these growing loopholes before another Lazarus-style attack strikes.


    Newsroom is the editorial team of CoinfoMania, delivering 24/7 crypto news, market insights, and in-depth analysis. With 30+ journalists worldwide, we keep you ahead in the blockchain space.
