Scams & Hacks

Key takeaways

• The Lazarus Group is a North Korean state-backed team of hackers responsible for billion-dollar cyber heists. Their operations fund the country’s missile and nuclear programs.
• Lazarus employs custom malware, zero-day vulnerabilities and spear-phishing campaigns to breach financial institutions, cryptocurrency exchanges and government agencies.
• Notable attacks include the $1.5-billion Bybit hack (2025), the $625-million Ronin Bridge breach (2022) and the $101-million Bangladesh Bank heist (2016).
• The group uses misdirection, backdoors, anti-forensic techniques and wipers to conceal their tracks and maintain long-term access to compromised networks.

The Bybit crypto attack on Feb. 21, 2025, has shined the limelight yet again on the notorious Lazarus Group, “credited” with a string of devastating attacks on crypto businesses. Since 2017, the Lazarus Group has stolen an estimated $6 billion from the crypto industry, according to blockchain analytics firm Elliptic. No wonder Lazarus has earned the title of the supervillain in crypto.

As one of the most prolific cybercriminal organizations in history, the Lazarus Group uses advanced hacking tactics and often white-collar frontline operatives, indicating full state support.

This raises critical questions about the Lazarus Group, their execution of the complex Bybit attack and other similar hacks, and how crypto organizations can combat this growing threat. This article explores these issues and more.

Origins and background of the Lazarus Group

The Lazarus Group is a Democratic People’s Republic of Korea (DPRK) or North Korea-based threat actor notorious for cyber espionage and siphoning off money.

Active since 2009, it is associated with the North Korean government’s Reconnaissance General Bureau (RGB), the nation’s primary intelligence agency. The advanced persistent threat (APT) group is known for staging sophisticated cross-platform attacks on financial institutions, cryptocurrency exchanges, SWIFT system endpoints, casinos and ATMs worldwide.

The group’s connection with the nation’s intelligence agency suggests state sponsorship. The hackers get state patronage for their nefarious activities, which means they can operate without fear of local law enforcement. Their activities aim not just to gather intelligence but also to arrange funds for the country’s missile and nuclear programs.

The US Federal Bureau of Investigation (FBI) calls the Lazarus Group a North Korean “state-sponsored hacking organization.” North Korean defector Kim Kuk-song has revealed that the unit is internally known as the 414 Liaison Office in North Korea.

Over the years, the Lazarus Group has significantly escalated the sophistication and efficacy of its tactics, as well as the scale of its activities.

Did you know? Microsoft Threat Intelligence has identified a team of hackers known as “Sapphire Sleet” as a North Korean threat group heavily involved in cryptocurrency theft and corporate infiltration. The term “sleet” indicates the group’s North Korean ties.

How does the Lazarus Group operate?

Due to the state sponsorship, the Lazarus Group has the resources and expertise to execute complex cyberattacks. It executes multi-layered operations, which include the development and deployment of custom malware and the exploitation of zero-day vulnerabilities. The term “zero-day vulnerability” refers to a security loophole in software or hardware not known to the developer. This means there is neither any fix for it nor the preparation.

A hallmark of the Lazarus Group is the creation of bespoke malware, such as MagicRAT and QuiteRAT, designed to infiltrate and control targeted systems. They have also been known to take advantage of previously unknown security flaws to breach systems before patches are available.

Social engineering is another critical component of their strategy. It is about hackers using emotions to trick users and persuade them to perform a specific action, such as sharing crucial data. The Lazarus Group conducts spear-phishing campaigns, which send fraudulent emails to unsuspecting individuals impersonating their network to induce them to reveal confidential information.

Their adaptability and evolving techniques make the Lazarus Group a persistent and formidable threat in the global cybersecurity landscape.

Top heists by the Lazarus Group

Over the years, there have been an array of cyberattacks involving the Lazarus Group. Here are some significant heists executed by the group:

Crypto heists

1. Bybit (February 2025)

Bybit, a Dubai-based cryptocurrency exchange, suffered a massive security breach, losing $1.5 billion in digital assets in February 2025, making it the most significant crypto heist to date.

The attack targeted the SafeWallet interface used by Bybit executives to execute the fraudulent transactions. The stolen funds, primarily in Ether , were quickly dispersed across multiple wallets and liquidated through different platforms. Bybit’s CEO, Ben Zhou, reassured users that other cold wallets remained secure and that withdrawals operated normally.

Blockchain analytics firms, including Elliptic and Arkham Intelligence, traced the stolen assets and later attributed the attack to the North Korean state-backed Lazarus Group. The breach triggered a wave of withdrawals from Bybit, prompting the exchange to secure a bridge loan to cover losses.

2. WazirX (July 2024)

In July 2024, WazirX, India’s largest cryptocurrency exchange, suffered a significant security breach resulting in the loss of approximately $234.9 million in digital assets. The attack, attributed to North Korea’s Lazarus Group, involved sophisticated phishing techniques and API exploitation.

The hackers manipulated WazirX’s multisignature wallet system, gaining unauthorized access to both hot and cold wallets. This breach led to the suspension of trading activities and prompted legal challenges, including a lawsuit from rival exchange CoinSwitch seeking to recover $9.65 million in trapped funds.

In January 2025, the Singapore High Court approved WazirX’s restructuring plan, allowing the company to meet with creditors to discuss asset recovery strategies.

3. Stake.com (September 2023)

In September 2023, the group breached Stake.com, a cryptocurrency betting platform, by obtaining and utilizing stolen private keys. This allowed them to siphon off $41 million across various blockchain networks.

The US FBI attributed this theft to the Lazarus Group, also known as APT38. The stolen assets were traced across multiple blockchain networks, including Ethereum, BNB Smart Chain and Polygon.

4. CoinEx (September 2023)

Later in September 2023, CoinEx, a global cryptocurrency exchange, reported unauthorized transactions resulting in losses estimated at $54 million.

Investigations by blockchain analysts, including onchain analyst ZachXBT, revealed wallet patterns and on-chain behaviors linking this breach to the earlier Stake.com hack, suggesting a coordinated effort by the Lazarus Group.

5. CoinsPaid and Alphapo (July 2023)

On July 22, 2023, CoinsPaid experienced a meticulously planned cyberattack resulting in the theft of $37.3 million. The attackers employed a strategy involving bribery and fake hiring campaigns targeting critical company personnel in the months leading up to the breach.

During the attack, an unusual surge in network activity was observed, with over 150,000 different IP addresses involved. Despite the substantial financial loss, CoinsPaid’s internal team worked diligently to fortify their systems, ensuring that client funds remained unaffected and fully available.

On the same day, Alphapo, a centralized cryptocurrency payment provider for various online platforms, suffered a security breach on July 23, 2023. Initial reports estimated the loss at approximately $23 million; however, further investigations revealed that the total amount stolen exceeded $60 million. Blockchain analysts have attributed this attack to the Lazarus Group, noting that the stolen funds were traced across multiple addresses and chains.

6. Harmony Horizon Bridge (June 2022)

The Lazarus Group exploited vulnerabilities in Harmony’s Horizon Bridge in June 2022. Through social engineering and compromising multisignature wallets, they absconded with $100 million, highlighting the risks associated with crosschain bridges (facilitating asset transfers between networks like Ethereum, Bitcoin and BNB Smart Chain).

The attackers exploited security weaknesses, gaining control over a multisignature wallet used to authorize transactions. This breach allowed them to siphon approximately $100 million in various cryptocurrencies. The stolen assets were laundered through the Tornado Cash mixer, complicating tracking efforts. Elliptic was among the first to attribute this attack to the Lazarus Group, an assessment later confirmed by the FBI in January 2023.

7. Ronin Bridge (March 2022)

In March 2022, the Ronin Bridge, a crosschain bridge supporting the Axie Infinity game, suffered a significant security breach at the hands of the Lazarus Group, resulting in the theft of approximately $625 million in cryptocurrencies.

The Ronin Network operated with nine validators, requiring at least five signatures to authorize transactions. The attackers managed to gain control over five private keys, enabling them to approve unauthorized withdrawals.

The hackers lured a Sky Mavis employee with a fraudulent job offer, delivering a malware-infected PDF that compromised the company’s internal systems. This access allowed the attackers to move laterally within the network, seizing control of four validators operated by Sky Mavis and an additional validator managed by the Axie DAO (decentralized autonomous organization).

The group combined social engineering with technical prowess to execute the Ronin Bridge hack.

8. Atomic Wallet (2022)

Throughout 2022, users of Atomic Wallet, a decentralized cryptocurrency storage application, fell victim to a series of attacks orchestrated by the Lazarus Group.

The hackers deployed custom malware to compromise individual wallets, resulting in losses estimated between $35 million and $100 million. Elliptic linked these breaches to the Lazarus Group by tracing the movement of stolen funds and identifying laundering patterns consistent with the group’s previous activities.

9. Bithumb Exchange (July 2017)

In July 2017, the Lazarus Group executed a spear-phishing attack on Bithumb, one of South Korea’s largest cryptocurrency exchanges.

By infiltrating the exchange’s internal systems, they managed to steal approximately $7 million in cryptocurrencies. This incident marked one of the group’s early and notable intrusions into the burgeoning digital asset industry.

10. Youbit Exchange (April and December 2017)

The Lazarus Group conducted two significant attacks on South Korea’s Youbit exchange in 2017. The first attack in April involved the use of malware and phishing techniques, compromising the exchange’s security and leading to substantial asset losses.

A subsequent attack in December resulted in the loss of 17% of Youbit’s total assets. The financial strain from these consecutive breaches forced the exchange into bankruptcy, underscoring the severe impact of the group’s cyber activities on digital asset platforms.

Did you know? North Korea deploys thousands of IT workers globally, including in Russia and China, to generate revenue. They use AI-generated profiles and stolen identities to secure lucrative tech positions, enabling them to steal intellectual property, extort employers, and remit funds to the regime.

Other major heists

1. WannaCry (May 2017)

The WannaCry ransomware attack was a massive cybersecurity incident that affected organizations worldwide. On May 12, 2017, the WannaCry ransomware worm infected over 200,000 computers across 150+ countries. Major victims included FedEx, Honda, Nissan and the UK’s National Health Service (NHS), which had to reroute ambulances due to system disruptions.

A security researcher discovered a “kill switch” temporarily stopping the attack. But many systems remained locked until victims either paid the ransom or found a way to restore their data. WannaCry exploited a vulnerability called “EternalBlue,” an exploit originally developed by the US National Security Agency (NSA).

This exploit was later stolen and leaked by the Shadow Brokers. WannaCry primarily targeted older, unpatched Microsoft Windows systems, allowing it to spread rapidly and cause widespread damage. The attack highlighted the critical need for regular software updates and cybersecurity awareness.

2. Bangladesh Bank (February 2016)

In February 2016, the Bangladesh Bank experienced a significant cyber heist, with attackers attempting to steal nearly $1 billion from its account at the Federal Reserve Bank of New York. The perpetrators, later identified as the Lazarus Group, infiltrated the bank’s systems in January 2015 through a malicious email attachment. They studied the bank’s operations, eventually initiating 35 fraudulent transfer requests via the SWIFT network.

While most were blocked, five transactions totaling $101 million were successful, with $81 million reaching accounts in the Philippines. A typographical error in one transfer request raised suspicions, preventing the full heist.

3. Sony Pictures (November 2014)

In November 2014, Sony Pictures Entertainment experienced a significant cyberattack executed by the Guardians of Peace, having connections with the Lazarus Group. The attackers infiltrated Sony’s network, accessing vast amounts of confidential data, including unreleased films, sensitive employee information and internal communications.

The group also deployed malware, rendering approximately 70% of Sony’s computers inoperable. Financial damages from the breach were substantial, with Sony reporting losses of $15 million, though other estimates suggest recovery costs could have exceeded $85 million.

The motivation behind the attack was retaliation for Sony’s planned release of The Interview, a comedy depicting the assassination of North Korean leader Kim Jong-un.

Despite North Korea’s denial of involvement, the US government formally attributed the attack to North Korean threat actors, highlighting the Lazarus Group’s capability to execute sophisticated cyber operations with significant geopolitical implications.

Did you know? In August 2024, ZachXBT revealed that 21 North Korean developers had infiltrated crypto startups, earning $500,000 monthly.

FBI identified key Lazarus Group hackers behind major cyberattacks

The FBI has publicly identified three suspected North Korean hackers as members of the Lazarus Group.

In September 2018, the FBI charged Park Jin Hyok, a North Korean national linked to Lazarus, for his alleged role in major cyberattacks. Park, who reportedly worked for the Chosun Expo Joint Venture, a North Korean front company, has been tied to the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist, where $81 million was stolen.

The FBI has also accused Park of his association with the 2017 WannaCry 2.0 ransomware attack, which disrupted hospitals, including the UK’s NHS. Investigators traced him and his associates through shared malware code, stolen credential storage and proxy services concealing North Korean and Chinese IPs.

In February 2021, the US Justice Department indicted Jon Chang Hyok and Kim Il for their involvement in global cybercrimes. Jon developed and spread malicious crypto applications to infiltrate financial institutions, while Kim coordinated malware distribution, crypto heists and the fraudulent Marine Chain initial coin offering.

Common tactics used by the Lazarus Group

The Lazarus Group employs several sophisticated tactics to carry out cyberattacks, including disruption, misdirection, anti-forensics and protection techniques:

Disruption

Lazarus conducts disruptive attacks using distributed denial-of-service (DDoS) and wiper malware with time-based triggers. For instance, trojan KILLMBR wipes data on the targeted system on a preset date, while QDDOS, a malware, erases files after infection. Another tool, DESTOVER, functions as a backdoor but also has wiping capabilities. These tactics aim to cripple systems and render them inoperable.

Misdirection

To obscure their involvement, Lazarus disguises some attacks as the work of fictitious groups like “GOP,” “WhoAmI” and “New Romanic Army.” These groups claim responsibility for the attack, while Lazarus is the player behind the game. They might deface websites with some propaganda. Lazarus also embeds false flags in its malware, such as using Romanized Russian words in the KLIPOD backdoor.

Backdoors

Lazarus relies on backdoors for persistent access to breached systems, deploying tools like the Manuscrypt (NukeSped) backdoor in phishing campaigns and the BLINDINGCAN and COPPERHEDGE implants against defense targets.

Anti-forensic techniques

To cover their tracks, Lazarus uses several anti-forensics techniques:

• Component separation: In operations related to the Bluenoroff subgroup of Lazarus, it fragments malware components to hinder analysis.
• Command-line tools: Many attacks rely on command-line backdoors and installers requiring specific arguments. For instance, the installer of the Nestegg framework requires a password as an argument.
• Wipers: Lazarus uses wipers to erase evidence of the attack after the operation is complete. DESTOVER samples were seen in some of the Bluenoroff operations.
• Log and record deletion: Lazarus deletes prefetch data, event logs and Master File Table (MFT) records to remove forensic evidence.

By combining these techniques, Lazarus effectively disrupts targets, misleads attribution efforts, and conceals its activities.

How to defend against the Lazarus Group attacks

Defending against threats posed by the Lazarus Group requires a comprehensive security strategy. Organizations must implement multiple layers of protection to safeguard their digital assets from sophisticated cyberattacks.

Key defense measures that you need to adopt include:

• DDoS protection: Organizations should deploy robust mitigation strategies to prevent service disruptions and potential data breaches. Proactively identifying and neutralizing such attacks is crucial.
• Threat intelligence: Leveraging threat intelligence helps detect and respond to cyber threats, including ransomware and DDoS attacks. You need to stay informed about the evolving tactics used by Lazarus to run their operations.
• Asset protection: Financial institutions, cryptocurrency exchanges and other high-value targets must secure critical digital assets against Lazarus’ attacks. Protecting SWIFT system endpoints, ATMs and banking infrastructure is crucial.
• Persistent threat monitoring: Continuous monitoring of network infrastructure is necessary to detect and mitigate potential intrusions. Security teams must ensure all systems are regularly updated with the latest patches to reduce vulnerabilities.
• Multilayered security solutions: Advanced security solutions, such as those incorporating behavioral analysis, machine learning and exploit protection, enhance defense against targeted attacks. Tools with sandbox integration and ransomware protection add additional layers of security.
• Real-time protection: When dealing with complex attacks, you need real-time protection against targeted attacks. You should be able to detect targeted attacks anywhere in the network using cross-generational techniques to apply the right technology at the right time.

However, as technology is a fast-developing field and hackers keep developing new threat vectors, individuals and organizations should remain proactive and consistently monitor emerging threats.

As professor Bill Buchanan, a leading expert in applied cryptography, emphasizes, “We need to invest heavily in cybersecurity; otherwise, we are heading for a world protected by George Orwell in 1984, or a world where we become slaves to the machine.”

This statement highlights the profound implications of neglecting cybersecurity and the necessity for continuous investment in protective measures.

Remember, the battle against such sophisticated threat actors is not one of a single defense but of an ongoing strategy involving prevention, detection and rapid response.

Ultimately, defending against the Lazarus Group requires vigilance, advanced security tools and an organizational commitment to continuous improvement. Only through these collective efforts can businesses and institutions protect their assets, maintain trust, and stay one step ahead of cybercriminals.

Disclaimer：

1. This article is reprinted from [CoinTelegraph]. All copyrights belong to the original author [Dilip Kumar Patairya]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.