Garden Finance suffered a $10.8 million attack, and ZachXBT revealed that 25% of historical volume involves stolen funds.

Garden Finance suffered an attack across multiple blockchain networks, resulting in losses exceeding $10.8 million. On-chain detective ZachXBT revealed that more than 25% of the platform's historical transaction activity involved stolen funds, bringing further scrutiny to this Bitcoin cross-chain bridge, which has already faced allegations of aiding North Korean money laundering. Although the Garden team has offered a 10% white-hat bounty to the attackers, the company has yet to make a public statement, and the attackers have swiftly converted all frozen assets.

Before the Attack: The platform was accused of profiting from illegal funds

A few days before the attack, ZachXBT publicly criticized Garden Finance for ignoring victims seeking a refund of fees, as the platform handled funds from major hacking incidents such as the CEX attack and the Swissborg incident.

  • Proportion of Illegal Funds: Investigators estimate that over a quarter of the total transaction volume of Garden Finance comes from illegal sources, with the platform earning a six-figure profit from these flows alone between April and July of 2025.
  • Amplifying Money Laundering Risks: ZachXBT criticized Garden co-founder Jaz Gulati for raising the exchange limit to 10 BTC earlier this year, which created conditions for illegal entities to engage in large-scale abuse, while the team remained silent about returning the profits obtained from these transactions.

Uncovering the Dark History of Garden Finance: Ren Protocol's “Successor”

According to a detailed investigation on X, Garden Finance is considered the successor to Ren Protocol, which was originally established in Australia in 2017. The network has been embroiled in money laundering controversies for years.

  • Historical Development:
    • 2017: Originally established as Republic Protocol, it raised $67 million through an ICO and venture capital.
    • 2020: Renamed to Ren Protocol, launched RenVM, facilitating over $13 billion in Bitcoin transactions through cross-chain bridges during the DeFi boom.
    • End of 2022: The FTX collapse led to the closure of Ren, leaving $12 million of user Bitcoin assets stranded.
    • 2023: Former Ren developers launched Garden Finance, claiming to provide “next-generation Bitcoin transfers” through atomic swaps.
  • Money Laundering Infrastructure: Blockchain intelligence firm Elliptic reports that Ren Protocol processed over $540 million in illegal funds between 2020 and 2025, which were used by ransomware organizations such as Conti and Ryuk, as well as North Korea's Lazarus Group.

North Korean Hackers Dominate Platform Activities: Money Laundering Path Emerges

There is evidence that over 75% of the total transaction volume of Garden comes from stolen funds.

  • Lazarus Group Suspicions: Within 48 hours of the Bybit $1.4 billion attack incident, $160 million in funds flowed through the platform, with Garden earning over $300,000 in fees from this traffic.
  • Centralized Control: Although the platform claims to be decentralized, liquidity is controlled by a single dominant node, which contradicts that claim.
  • Money Laundering Route: The money laundering model follows a consistent path: stolen Ethereum is exchanged for Bitcoin via Garden on the Arbitrum or Base network, then mixed through the mainstream CEX's cbBTC, and finally bridged cross-chain to Solana for the final exit.
  • Government Weapon Funds: North Korean hackers stole over 1.3 billion dollars through 47 incidents in 2024, and 2.2 billion dollars in just the first half of 2025. These funds were used to finance the regime's weapon programs through a complex money laundering network.

Conclusion

The security vulnerabilities of Garden Finance and the subsequent exposure of its dark on-chain history have not only dealt a severe blow to its operations but also once again sounded the alarm for cross-chain bridge security and Anti-Money Laundering (AML) compliance. A platform that claims to be committed to decentralization and security stands accused of knowingly profiting from large-scale illegal activity and of potentially providing a funding channel for North Korean hackers, which undoubtedly harms the reputation of the entire DeFi industry. With regulations tightening, such platforms face immense uncertainty and legal risk.
