OKX halts DEX aggregator after detecting North Korean Lazarus Group attack
On March 17, OKX temporarily suspended its DEX aggregator in a bid to improve security and address incomplete tagging on blockchain explorers. The exchange stated that this decision was also influenced by recent media criticism and unsuccessful attempts by the North Korean Lazarus Group to exploit its DeFi services for illicit activities.
OKX Wallet Service Remains Available
In a detailed blog post, OKX explained that its decision to suspend its DEX aggregator services was made after consultation with regulators.
OKX DEX Aggregator is a service that connects users to multiple decentralized exchanges (DEXs) to find the best token swap rates across different liquidity sources.
Despite the suspension, OKX Wallet remains fully accessible to all customers. However, the company noted that it will temporarily pause new wallet creation in certain markets during this period.
"We are temporarily pausing our DEX aggregator to address incomplete tagging on blockchain explorers while we also roll out new security features. This is to address the recent coordinated attacks by media along with unsuccessful efforts by Lazarus group to misuse our DeFi…" pic.twitter.com/r6oHNIaalT
— OKX (@okx) March 17, 2025
The latest decision comes amid increasing scrutiny, as OKX faces allegations connecting it to the Bybit attack, a reported ongoing EU investigation, and widespread media criticism.
The controversy began on March 4 when Bybit CEO Ben Zhou alleged that approximately $100 million of the $1.5 billion stolen in the Bybit attack had been laundered through OKX’s DEX aggregator, known as OKX Web3.
Tensions escalated further on March 11 when Bloomberg reported that European Union financial regulators were investigating OKX’s DEX aggregator and wallet services for their alleged role in laundering funds from the Bybit attack.
This revelation fueled media scrutiny, with OKX facing accusations of facilitating illicit transactions by not implementing adequate safeguards.
In a swift response, OKX stated that the Bloomberg article was misleading. The exchange clarified that when the Bybit hack occurred, it took immediate action by freezing associated funds to keep them from entering its centralized exchange (CEX) and by developing advanced hack detection tools to strengthen security.
"The Bloomberg article is misleading. Like all other major crypto exchanges, OKX provides a self-custody wallet service/swap feature that serves as an aggregator to create efficiency for the users. When Bybit got hacked, we reacted in two ways. (1) We froze associated funds moving…" https://t.co/HUUmA8W2eq
— OKX (@okx) March 11, 2025
Additionally, OKX dismissed the EU investigation reports, asserting that there is no official inquiry into its operations.
Furthermore, it highlighted that its DEX aggregator and wallet services function similarly to other industry players, with no additional exposure to illicit activities.
More Security Updates Coming to OKX DEX Aggregator
The blog announcement also detailed that a hacker address detection system has been deployed for OKX DEX Aggregator to track hackers’ latest addresses and block them in real time on its centralized exchange.
The firm also clarified that the OKX DEX Aggregator is not a custodian of customer assets. Instead, it functions as a gateway, providing access to liquidity across multiple decentralized protocols.
While OKX has taken steps to debunk false claims and reinforce security, the bigger threat remains the Lazarus Group.
This North Korean state-backed hacking group has been linked to numerous cybercrimes targeting the crypto industry. Its evolving tactics pose a persistent danger to exchanges and traders worldwide.
Recent reports highlight yet another attack attempt. At least three crypto founders blocked hacking attempts that were carried out through fake Zoom calls. The hackers posed as legitimate business contacts, tricking victims into downloading malware.
Once installed, the malware covertly seized control of their computers, granting the hackers access to sensitive data, including crypto wallets and private keys.