How Lazarus Group became a global cybercrime threat



Lazarus Group is a persistent force in the world of cybercrime, typically associated with some of the largest cryptocurrency heists.

According to Cointelegraph, the North Korean-backed hacking group has stolen billions of dollars by targeting exchanges, deceiving developers, and bypassing even the most advanced security systems.

On February 21, 2025, the group carried out its biggest theft yet, taking $1.4 billion from the cryptocurrency exchange Bybit. Crypto investigator ZachXBT linked the attack to an $85 million hack on Phemex and additional breaches at BingX and Poloniex, further strengthening the case against Lazarus.

Since 2017, the group has siphoned an estimated $6 billion from the crypto industry, according to security firm Elliptic. A United Nations report suggests that much of this money funds North Korea’s weapons program.

The structure behind Lazarus Group

The US Treasury identifies Lazarus as being under North Korea’s Reconnaissance General Bureau (RGB), the country’s intelligence agency. The FBI has identified three suspected North Korean hackers associated with the group, also known as APT38.

In 2018, the FBI charged Park Jin Hyok with involvement in major cyberattacks such as the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist, and the 2017 WannaCry ransomware assault.

The US Department of Justice later added Jon Chang Hyok and Kim Il to its list of indicted cybercriminals, accusing them of using fraudulent cryptocurrency schemes, malware distribution, and large-scale financial theft.

The Bybit attack

Just days before the Bybit hack, North Korea’s leadership reaffirmed plans to expand its nuclear arsenal, while the US, South Korea, and Japan issued a joint statement urging denuclearization. Three days later, Lazarus executed another major breach.

Security analysts identified familiar techniques. “Within minutes of the stolen ETH moving out of Bybit’s wallet, we saw the unique fingerprint of DPRK [Democratic People’s Republic of Korea] operations,” said Fantasy, investigation lead at crypto insurance firm Fairside Network.

The hackers tricked Bybit into authorizing the transfer of 401,000 Ether ($1.4 billion) by using a fake version of its wallet management system, according to blockchain forensics firm Chainalysis. Once inside, they moved funds across multiple wallets, used decentralized exchanges and cross-chain bridges, and converted assets into Bitcoin and Dai.

One platform, eXch, was identified as a key money laundering service, refusing to freeze the stolen funds despite intervention from other industry players. The remaining assets are scattered across many addresses, a method frequently used by North Korean hackers to evade scrutiny.

Lazarus’ expanding cyber operations

North Korean hackers are accelerating their attacks. In 2024 alone, they stole $1.34 billion across 47 breaches, more than double the $660.5 million stolen in 2023, according to Chainalysis. The firm reports that private key compromises accounted for nearly 44% of all crypto hacks that year, a method Lazarus has used in heists such as the $305 million DMM Bitcoin breach and the $600 million Ronin hack.

Beyond major exchange hacks, Lazarus also engages in long-term infiltration tactics, targeting companies through fake job interviews and investment scams. Microsoft Threat Intelligence has identified Sapphire Sleet, a subgroup of Lazarus (also known as Bluenoroff), as a key player in these operations.

Posing as recruiters and venture capitalists, they lure victims into downloading malware, which gives them access to cryptocurrency wallets and financial data. They reportedly took more than $10 million over the course of six months through these schemes.

IT infiltration and global cybercrime

North Korea’s cyber operations extend beyond hacking. The country has thousands of IT workers embedded in companies across Russia, China, and beyond. Many use AI-generated profiles, stolen identities, and fake resumes to secure jobs at tech firms, then steal intellectual property and funnel earnings to the regime.

In August 2024, ZachXBT exposed a network of 21 North Korean developers who earn $500,000 per month by working at cryptocurrency startups.

A federal court in St. Louis later unsealed indictments against 14 North Korean nationals, accusing them of sanctions violations, wire fraud, and identity theft. These operatives, who worked for Yanbian Silverstar and Volasys Silverstar, earned at least $88 million over six years, with some required to send $10,000 per month back to the regime.

A growing cyber threat

Despite increasing scrutiny from law enforcement and cybersecurity organisations, the Lazarus Group continues to adapt. Its tactics evolve, from large-scale exchange hacks to deep infiltration of global tech firms.

With billions of dollars stolen and a growing network of IT operatives, North Korea’s cyber operations remain a persistent national security challenge. While US agencies have ramped up efforts to disrupt these activities through federal indictments and multi-agency crackdowns, Lazarus continues to evade detection – proving that the threats from North Korea’s cyber army are far from over.

(Photo by Unsplash)

See also: Bybit records $5.5 billion in outflows after crypto’s biggest hack
