Lazarus Group: How North Korean Cyber Actors Steal Crypto
One hacking crew has stolen more cryptocurrency than anyone in history. It also happens to work for a government. The Lazarus Group is North Korea's state hacking operation, and for it, stealing crypto is not a side hustle. It is the day job, a national revenue line with a payroll behind it. In a good year, by their standards, the group drains over two billion dollars from exchanges, bridges, and ordinary wallets. Most of that is gone before anyone files a report.
This guide covers who they are, the biggest heists tied to them, how an attack actually unfolds, how the money gets laundered, and how much has vanished. The focus stays on the crypto. That is where this story lives now.
Who the Lazarus Group Really Is
Forget the image of a lone hacker in a hoodie. The Lazarus Group is closer to a government department with a payroll. Western agencies link it to North Korea's Reconnaissance General Bureau, the country's main foreign intelligence service, and to the units sometimes labeled Bureau 121. Cybersecurity researchers track it as a single threat group, though in practice it is a cluster of teams running the North Korean government's offensive cyber operations. The people behind the keyboards are trained, salaried, and tasked, and their target list is set by the state.
The group goes by many names depending on who is writing the report: APT38, Hidden Cobra, Guardians of Peace, Labyrinth Chollima. Analysts split it into sub-teams with different jobs. BlueNoroff chases banks and crypto firms for money, Andariel leans toward espionage and disruption, and the broader Lazarus umbrella handles the headline attacks. It has been active in some form since around 2009, which makes it one of the longest-running and most financially motivated threat actors in the world.
What sets Lazarus apart from most state hackers is the motive. Russia and China mostly spy. North Korea steals to fund itself. In September 2019 the US Treasury formally sanctioned Lazarus and two related groups, BlueNoroff and Andariel, naming them as arms of the North Korean state. One security firm summed the group up neatly: a criminal syndicate with a flag.

From Sony to WannaCry: The Early Years
Before crypto, Lazarus built its name on chaos. The 2014 hit on Sony Pictures Entertainment, signed Guardians of Peace, wiped systems, leaked unreleased films, and spilled years of internal email. The apparent motive? A comedy that mocked North Korea's leader. Loud, political, destructive. Not yet profitable.
The money came next. In 2016 the group almost pulled off one of the biggest bank robberies ever tried, firing fraudulent SWIFT messages to drain $951 million from Bangladesh Bank's account at the New York Fed. A typo and a slice of luck killed most of it. About $81 million still got away. That one cyber attack proved Lazarus could rob financial institutions from a keyboard, and it turned state-run cybercrime into a real profit center.
Then came WannaCry in 2017, a ransomware worm that froze hundreds of thousands of machines across roughly 150 countries and took down UK hospitals along the way. It was sloppy and barely earned a thing. But it showed reach. So by the time crypto grew up, Lazarus already had a decade of practice moving money it had no right to touch.
Why North Korean Hackers Target Crypto
For a regime cut off from the global banking system, cryptocurrency is almost too convenient. Sanctions can freeze a bank account and block a SWIFT transfer, but no one can stop a wallet from receiving funds. Crypto moves across borders in minutes, settles irreversibly, and can be shuffled through tools designed to break the trail.
So North Korea pivoted. Why risk a bank heist that a single phone call can reverse when a bridge exploit pays ten times more and cannot be clawed back? The economics are lopsided in the attacker's favor. A failed SWIFT transfer gets frozen and returned; a successful bridge drain is final the moment the block confirms. There is no counterparty to call, no chargeback, no court with jurisdiction over a wallet. Investigators and the UN now estimate that stolen crypto funds a large share of the country's foreign income and a meaningful chunk of its weapons program, though those exact percentages come from intelligence assessments rather than open books.
The Biggest Lazarus Group Crypto Heists
The numbers stopped sounding like crime a while ago. They read like a national budget. The single largest theft, the Bybit hack, is bigger than the next several combined and bigger than any non-crypto bank robbery in history.
| Heist | Date | Amount | Method |
|---|---|---|---|
| Bybit | Feb 2025 | ~$1.5B | Manipulated multisig signing interface |
| Ronin Bridge (Axie) | Mar 2022 | ~$625M | Stolen validator private keys |
| DMM Bitcoin | May 2024 | ~$308M | Fake recruiter, compromised employee |
| WazirX | Jul 2024 | ~$235M | Wallet infrastructure breach |
| Harmony Horizon | Jun 2022 | ~$100M | Compromised bridge keys |
| Atomic Wallet | Jun 2023 | >$100M | Malicious software update |
Look closely and the same weak spots keep reappearing. The Ronin theft worked because the attackers gained control of five of the nine validator keys that secured the bridge, enough to approve their own withdrawals, after compromising a senior engineer. Bybit was subtler: rather than break the cold wallet, the attackers corrupted the interface the signers saw, so the team approved a transfer that looked routine and was anything but. In both cases the cryptography held. The humans and the software around it did not.
Amounts vary by source because they are usually pegged to the token's price on the day, and Lazarus tends to steal volatile assets like ether. The Ronin figure runs from about $540 million to $625 million depending on who is counting, and Bybit is quoted anywhere from $1.4 to $1.5 billion. The pattern underneath is consistent: go after bridges, cryptocurrency exchanges, and wallet software, the choke points where a single failure releases a fortune.
How a Lazarus Group Hack Unfolds
Here is the part that surprises people. These record-breaking thefts rarely start with some exotic, unstoppable exploit. They start with a person being fooled. The clever, irreversible part comes afterward, when the money has to disappear.
The way in: fake jobs and phishing
Lazarus is patient and social. Its long-running playbook, often called Operation Dream Job, is to pose as a recruiter on LinkedIn or in a developer community and offer a dream role at a real-sounding company. Somewhere in the interview a "coding test" or PDF arrives, and opening it installs malware. The DMM Bitcoin theft is believed to have begun exactly this way, with a fake recruiter compromising an employee at a connected firm. The same approach has been aimed at developers across the industry through booby-trapped npm packages and GitHub repos dressed up as legitimate work samples. No firewall stops an engineer who was told the file is a job assignment, which is exactly why social engineering, not some unbreakable exploit, opens most of these doors.
Fake IT workers inside the building
The newer trick is even bolder: instead of breaking in, North Korea applies for the job. Thousands of its IT workers have posed as remote developers, using stolen American identities and laptop farms run by local facilitators, so the worker looks like they are logging in from Texas rather than Pyongyang. Once hired at Western tech and crypto companies, they funnel their salaries home and sometimes plant access for a later theft. The US Department of Justice has gone after both ends of this scheme, including a December 2024 case charging fourteen North Koreans and 2025 actions against the US-based facilitators who hosted the laptops. It is espionage disguised as a payroll entry.
Cashing out: mixers and bridges
Stealing the crypto is half the job; the harder half is spending it. Lazarus runs stolen funds through mixers like Tornado Cash, sanctioned by the US in 2022, and Sinbad, sanctioned in late 2023, then hops the money across blockchains through bridges and swaps between assets to muddy the trail before cashing out through exchanges with weak checks. The process is fast and automated; after Bybit, investigators watched the funds scatter through hundreds of wallets within hours. It is industrial-scale laundering, and it works often enough that the regime keeps doing it.
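The scatter-through-hundreds-of-wallets pattern described above is also what on-chain tracers look for. The following is an added illustration, not code from the page or from any analytics firm: a forward trace from a seed wallet over a constructed ledger that only follows outgoing transfers made after an address received tainted funds, plus a fan-out detector for addresses that distribute to many recipients shortly after receipt.

```python
from collections import defaultdict

# Constructed sample ledger, not real chain data: (minutes after the theft, sender, receiver, amount).
TRANSFERS = [
    (0, "heist_wallet", "hop1", 1000.0),
    (5, "hop1", "peel_a", 250.0), (6, "hop1", "peel_b", 250.0),
    (7, "hop1", "peel_c", 250.0), (8, "hop1", "peel_d", 250.0),
    (20, "peel_a", "bridge_in", 125.0), (21, "peel_a", "dex_swap", 125.0),
    (2, "peel_b", "merchant", 10.0),       # sent before peel_b received tainted funds: must be ignored
    (30, "clean_user", "merchant", 50.0),  # unrelated activity, never tainted
]

def trace_forward(transfers, seeds, max_hops=5):
    """Follow funds forward from the seed wallets. Returns {address: (hop, first_tainted_ts)}.
    Only transfers sent at or after the moment an address first received tainted funds
    are followed, so earlier, unrelated payments from that address do not spread taint."""
    outgoing = defaultdict(list)
    for ts, src, dst, amt in sorted(transfers):
        outgoing[src].append((ts, dst, amt))
    tainted = {s: (0, 0) for s in seeds}
    frontier = list(seeds)
    while frontier:
        nxt = []
        for src in frontier:
            hop, since = tainted[src]
            if hop >= max_hops:
                continue
            for ts, dst, amt in outgoing[src]:
                if ts >= since and dst not in tainted:
                    tainted[dst] = (hop + 1, ts)
                    nxt.append(dst)
        frontier = nxt
    return tainted

def fan_out_events(transfers, tainted, min_recipients=3, window=15):
    """Flag tainted addresses that pay out to at least `min_recipients` distinct
    addresses within `window` minutes of first receiving tainted funds: the
    rapid scatter pattern seen after large heists."""
    recipients = defaultdict(set)
    for ts, src, dst, amt in transfers:
        if src in tainted:
            hop, since = tainted[src]
            if since <= ts <= since + window:
                recipients[src].add(dst)
    return {src: len(r) for src, r in recipients.items() if len(r) >= min_recipients}
```

On the sample ledger the trace reaches eight addresses and flags `hop1`, which split the funds four ways within minutes, while the merchant paid before the taint arrived stays clean.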

How Much Has Lazarus Group Stolen?
Step back and the totals are hard to process. According to Chainalysis, North Korea-linked hackers stole roughly $2.02 billion in crypto during 2025, a 51 percent jump on the year before, pushing the all-time tally past $6.75 billion. In 2025 the country accounted for an estimated 76 percent of all value stolen from crypto services worldwide. One state, three quarters of the damage.
| Period | Stolen (crypto) | Source |
|---|---|---|
| 2024 (confirmed by governments) | ~$659M | US/Japan/South Korea joint statement |
| 2024 (full attribution) | ~$1.19B | Chainalysis / Mandiant |
| 2025 | ~$2.02B | Chainalysis |
| All-time (lower bound) | ~$6.75B | Chainalysis |
The 2024 figures disagree because they measure different things: governments confirmed a handful of specific heists, while analytics firms attributed more through on-chain tracing. Either way the trend points up. A UN Panel of Experts review counted roughly 58 suspected North Korean crypto attacks worth about $3 billion between 2017 and 2023, before the 2024 and 2025 records were even set. The same body has reported that this money helps bankroll North Korea's weapons program, a claim drawn from member-state intelligence rather than audited accounts, but one that reframes every exchange breach as something closer to a geopolitical event.
Sanctions, Indictments and the Response
So what can anyone actually do about it? Name them, sanction them, indict them. Arrest them, almost never, because they sit in Pyongyang.
The paper trail is long by now. Treasury blacklisted Lazarus back in 2019, then went after the mixers it leans on, Tornado Cash and Sinbad. Prosecutors piled on too, charging named hackers as far back as 2021 and, lately, the people running the fake IT-worker pipeline. Good luck serving the warrants.
Getting the money back is rarer still. After the Ronin theft, investigators clawed back a slice of the funds with help from the FBI and Chainalysis. A slice. The rest was gone. And sanctions have a habit of just shuffling the problem around: blacklist Tornado Cash and the money drifts to Sinbad; hit Sinbad and the group finds the next mixer. Every move makes cashing out costlier and uglier. None of it stops the theft at the source. You cannot extradite a government.
Can the Lazarus Group Be Stopped?
Honestly, not by sanctions alone. The defense that matters happens before the breach, and it falls on exchanges and users rather than prosecutors. That means hardware-enforced approvals on large transfers, treating an unsolicited recruiter as a threat rather than an opportunity, and refusing to let a single compromised laptop sign away a treasury. It also means verifying what you are actually signing rather than trusting a screen, the exact gap that cost Bybit over a billion dollars. The asymmetry is brutal: defenders must be right every time, while Lazarus needs one engineer to open one file. The realistic goal is not to eliminate the group but to make each theft slower, smaller, and harder to launder, so that the next billion-dollar opening simply is not there to find.
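The "verify what you are actually signing" defense, and the Bybit signing-interface manipulation it answers, can be shown concretely. This is an added illustration, not code from the page, from Bybit, or from any wallet vendor: a simplified stand-in for a multisig transaction (the field names and the JSON-plus-SHA-256 digest are assumptions, not Safe's real encoding) where the signing device recomputes a digest from the raw payload it received and compares it to the digest of the transaction the signer intended, then applies a fixed policy before approving.

```python
import hashlib
import json

# Constructed, simplified stand-in for a multisig transaction (not a real contract's encoding):
# these are the fields the contract would execute, so these are the fields the signer verifies.
FIELDS = ("to", "value_wei", "data", "operation", "nonce")  # operation: 0 = call, 1 = delegatecall

def canonical_digest(tx):
    """Deterministic digest over exactly the executed fields, computed on the signing
    device from the raw payload rather than taken from what the web front end rendered."""
    missing = [f for f in FIELDS if f not in tx]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    canon = json.dumps({f: tx[f] for f in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def signer_check(intended, payload, allow_list, max_value_wei):
    """intended: the transaction the human meant to approve (as independently recorded);
    payload: what actually arrived at the device for signing. Returns (approve, reason)."""
    if canonical_digest(intended) != canonical_digest(payload):
        return False, "intended transaction does not match payload to be signed"
    if payload["operation"] != 0:
        return False, "delegatecall is not allowed for treasury transfers"
    if payload["to"].lower() not in allow_list:
        return False, "destination is not on the allow-list"
    if payload["value_wei"] > max_value_wei:
        return False, "value exceeds the single-transaction limit"
    return True, "ok"

# Constructed sample: a routine transfer to a known hot wallet, and a tampered payload that keeps
# the same destination and value (what a corrupted screen would show) but switches the operation
# to delegatecall with attacker-chosen calldata.
HOT_WALLET = "0x1111111111111111111111111111111111111111"  # placeholder address, not a real one
ALLOW_LIST = {HOT_WALLET}
ROUTINE = {"to": HOT_WALLET, "value_wei": 10**18, "data": "0x", "operation": 0, "nonce": 42}
TAMPERED = dict(ROUTINE, operation=1, data="0xdeadbeef")
```

The digest comparison catches the swap even though `to` and `value_wei` are unchanged, and the operation and limit rules reject a bad payload on their own if the intended-transaction record is ever unavailable.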
Why Lazarus Group Matters for Crypto
Lazarus took the features crypto is proudest of, that it is borderless and irreversible, and turned them into a state funding tool. That is the uncomfortable lesson here: the same design that frees money from banks also frees it from recovery. Crypto security is no longer just a personal concern about your own keys; it has become a question of national security for several countries at once. Every unaudited bridge and every exchange with lax controls is a potential line item in a missile budget. The question worth sitting with is how an open, permissionless financial system defends itself against a patient, well-funded opponent that treats large-scale theft as a matter of foreign policy.