OKX has restarted its decentralized exchange aggregator, OKX Web3, with security updates following a March 17 shutdown. The pause aimed to stop the Lazarus Group from misusing the platform. This North Korean hacker group had allegedly used the DEX to move stolen assets.
On May 4, OKX CEO Star Xu announced the return of OKX Web3. He confirmed that the platform now includes a real-time abuse detection system to identify and block suspicious activity. OKX stated,
“Our dynamic database of suspect addresses blocks hackers and bad actors real-time, while proactive alerts warn you about risky transactions.”
OKX Web3 serves as a DEX aggregator. It collects data from multiple decentralized exchanges and market makers to help users trade. Xu described it as “a browser and search engine for blockchain.”
OKX Web3 Adds Hacker Wallet Tracking and Wallet Labels
OKX Web3 now includes a system that identifies hacker-linked addresses and stops transactions in real-time. The upgrade adds wallet labels that categorize holders as whales or snipers. These tags allow users to understand transaction patterns on the blockchain.
The exchange said it worked with blockchain security firms CertiK, Hacken, and SlowMist to audit the system. It also said that its tools were tested under a bug bounty program. These audits covered the infrastructure behind OKX Web3 and its real-time abuse detection.
The upgrade follows OKX’s earlier announcement in March that it was developing hacker wallet tracking systems. The company said this system would help block bad actors by monitoring changes in wallet addresses over time.
EU Investigation Linked to OKX Web3 and Bybit Hack
The Lazarus Group’s misuse of decentralized tools brought more scrutiny to OKX. On March 11, Bloomberg reported that European Union financial regulators had opened an investigation. It focused on the role of OKX’s DEX aggregator and self-custody wallet in the laundering of stolen funds from the February 2025 Bybit hack, which totaled $1.4 billion.
OKX responded that same day. It said the Bloomberg report was incorrect, stating,
“The self-custody wallet service swap feature serves as an aggregator and is not a custodian of customer assets.”
The company emphasized that it does not hold user funds and only provides access to decentralized tools
.The investigation has not resulted in any public action, but it placed additional pressure on OKX Web3 to improve compliance and monitoring. The updated real-time abuse detection and hacker wallet tracking tools were introduced weeks after the report.
Other Platforms Also Affected by Lazarus Group’s Activity
The Lazarus Group’s actions also impacted other crypto platforms. On May 1, crypto exchange eXch shut down. Reports linked it to funds laundered from the Bybit hack. Initially, eXch denied the connection. However, it later admitted to processing some of the stolen digital assets.
This follows a broader trend of platforms facing consequences after exposure to hacks tied to Lazarus. OKX Web3’s shutdown and recent relaunch with upgraded tools show the growing response to these threats.
Moreover, the OKX DEX aggregator now uses a mix of real-time abuse detection, wallet tagging, and hacker wallet tracking to manage onchain risks. These changes aim to keep the platform functional while reducing exposure to criminal activity.
