Lazarus Group: North Korea’s State Hacking Apparatus Explained

On February 4, 2016, a hacker working for the North Korean state sent 35 fraudulent payment instructions through the SWIFT interbank messaging network, routing $951 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York to accounts in Sri Lanka and the Philippines. It would have been the largest bank heist in history. It was stopped by a typo. One of the transfer instructions routed funds to “Shalika Fandation” — a misspelling of “Foundation” — which triggered a routine fraud-screening alert at the correspondent bank Deutsche Bank. The Fed paused the remaining transactions. Of the $951 million attempted, $850 million was recovered. The hackers walked away with $81 million, most of which was laundered through casinos in Manila. The FBI eventually attributed the operation to a North Korean state hacking group that cybersecurity researchers had been tracking since 2009 under the name Lazarus. Nine years and roughly $7 billion in stolen cryptocurrency later, Lazarus is no longer a cybersecurity curiosity. It is North Korea’s single largest source of hard currency, the fiscal backbone of the country’s sanctioned weapons program, and — according to the blockchain analytics firm TRM Labs — not a state-sponsored group in any traditional sense of the term. “Lazarus Group is North Korea. North Korea is Lazarus Group.”

What Lazarus actually is

Lazarus operates under many names, which is itself a clue about how the cybersecurity industry thinks about attribution. Researchers have called the group Hidden Cobra, Diamond Sleet, ZINC, Labyrinth Chollima, APT38, BlueNorOff, and Guardians of Peace. The multiple names reflect multiple sub-units conducting different kinds of operations — BlueNorOff specializes in financial theft, Labyrinth Chollima focuses on espionage, APT38 handles large bank heists, Guardians of Peace is the public-facing alias used for ideological operations like the Sony Pictures hack. The umbrella term “Lazarus” is less an organization than a label for the North Korean hacking ecosystem, which operates under the control of the Reconnaissance General Bureau — North Korea’s primary foreign intelligence service.

The operatives themselves are not shadowy figures typing from Pyongyang basements. North Korea’s cyber operators are trained at institutions like the Kim Il Sung University of Politics and Mirim University (the country’s military signals school), then stationed abroad in places with reliable internet infrastructure — primarily Shenyang in northeastern China, but also Vladivostok, Malaysia, and various African countries where surveillance is limited and North Korean workers maintain a presence. They work in teams of several hundred from IP ranges controlled by the North Korean state, using commercial VPN services and proxy infrastructure to obscure origin. The FBI has publicly named three of them. In September 2018, a federal grand jury indicted Park Jin Hyok, a North Korean national allegedly employed by the Chosun Expo Joint Venture — a North Korean front company operating in China — for his role in the Sony Pictures hack, the Bangladesh Bank heist, and WannaCry. In February 2021, the Justice Department indicted Jon Chang Hyok and Kim Il for cryptocurrency thefts and the fraudulent Marine Chain initial coin offering. Park, Jon, and Kim have never been arrested. North Korea denies they exist.

The operational record

The group’s documented operational history begins with a wave of attacks on South Korean government and media systems in the late 2000s and runs through the February 2025 theft of $1.5 billion from the Bybit cryptocurrency exchange — the largest digital asset theft in history. In between, the group conducted operations that would define two decades of financial cybercrime.

In November 2014, Lazarus-linked hackers publishing under the name “Guardians of Peace” wiped Sony Pictures Entertainment’s systems, leaked confidential emails, and released unreleased films. The attack was retaliation for Sony’s upcoming release of The Interview, a comedy about a CIA plot to assassinate Kim Jong-un. The attack destroyed Sony’s internal IT infrastructure for weeks. U.S. attribution came from the FBI within a month.

In May 2017, Lazarus deployed the WannaCry ransomware worm, which encrypted files on more than 200,000 computers across 150 countries in a single weekend. The worm spread using EternalBlue — an exploit for a Microsoft Windows vulnerability that had been developed by the U.S. National Security Agency and stolen by a group called the Shadow Brokers, who had leaked it online a month earlier. WannaCry hit the UK’s National Health Service, forcing the cancellation of thousands of medical appointments and surgeries. It hit Renault, Nissan, FedEx, Deutsche Bahn, and Spanish telecom Telefónica. The ransom payments demanded in bitcoin were minimal — the Lazarus operators appeared to have struggled to collect revenue from the operation — but the scale of the disruption established that a single North Korean cyber team could, within 48 hours, affect critical infrastructure in every developed economy simultaneously.

In March 2022, Lazarus executed what would remain the largest DeFi hack in history until the Bybit operation three years later. The target was the Ronin Network, a blockchain bridge that moved cryptocurrency in and out of the video game Axie Infinity. The attack vector was a fake LinkedIn job offer. A Lazarus operator posing as a recruiter approached a senior engineer at Sky Mavis — Ronin’s developer — with an interview process that ended with a malware-infected PDF offer document. Once inside Sky Mavis’s systems, the operators obtained five of the nine validator keys needed to authorize transactions on the Ronin bridge, generated two fraudulent withdrawals, and walked away with 173,600 Ether and 25.5 million USDC — approximately $625 million at market prices. The breach went undetected for six days. The FBI confirmed attribution the following month. The U.S. Treasury sanctioned the receiving wallet address.

In June 2022, Lazarus used the same playbook against Harmony’s Horizon Bridge, stealing $100 million. In June 2023, the group hit the non-custodial Atomic Wallet service, draining roughly $100 million from more than 4,100 individual user addresses. In September 2023, the online casino Stake.com lost $41 million. In July 2024, India’s largest cryptocurrency exchange WazirX was drained of $234 million. The operational cadence accelerated rather than slowed. By 2024, blockchain intelligence firms estimated that Lazarus had stolen more than $6 billion in cryptocurrency since 2017 — enough, according to U.S. Treasury assessments, to constitute a meaningful percentage of North Korean GDP.

The Bybit operation

On February 21, 2025, the Dubai-based cryptocurrency exchange Bybit lost $1.5 billion in approximately 30 minutes. The attack vector followed the social-engineering pattern Lazarus had refined since Ronin: a single developer at Safe{Wallet}, a third-party multi-signature wallet provider used by Bybit for cold storage, was compromised through a targeted attack on their laptop. The operators then waited weeks, monitoring Bybit’s internal transaction approval flow, until they identified a routine transfer from one of the exchange’s cold wallets. At the moment of transfer, they substituted a fake Safe{Wallet} interface; the interface showed Bybit’s signers a legitimate-looking transfer, and the signers approved it without recognizing that the transaction they were actually authorizing invoked a malicious smart contract. 400,000 Ether — about 70% of Bybit’s on-exchange Ethereum reserves — vanished into wallets controlled by the attackers. The FBI attributed the operation to Lazarus within five days. By March 20, TRM Labs reported, 86% of the stolen Ether had already been converted to Bitcoin through a cascade of decentralized exchanges, cross-chain bridges, and mixer services — infrastructure built up over five years specifically for laundering North Korean crypto theft proceeds at industrial scale.

The Bybit heist, by itself, was worth more than North Korea’s entire estimated crypto-theft take from 2023 and 2024 combined. It was worth more than all traditional bank heists in history combined. And it was executed by a group operating from a country whose GDP is smaller than that of Vermont, under sanctions that have formally excluded North Korea from the global financial system for nearly two decades.

Why it’s Lecture 14

Lazarus Group is the Shadowcraft case study that demonstrates how state-level covert finance evolves when the state has no legitimate financial access. North Korea cannot use SWIFT. It cannot hold foreign currency reserves at Western banks. Its formal commercial exports — weapons, labor, agricultural goods — are heavily sanctioned and monitored. What it has is one of the world’s best-trained cyber workforces, operating from jurisdictions where Western law enforcement cannot reach them, against targets — cryptocurrency exchanges — that hold billions of dollars in bearer assets with no reversal mechanism after a successful theft. The match between the state’s needs and the attack surface is close to optimal.

The other Shadowcraft case study in the North Korean financial apparatus — Room 39, the party office that coordinates the country’s overall hard-currency operations, including counterfeit dollars, insurance fraud, and narcotics trafficking — operates alongside Lazarus within the same overall system. Stasi KoKo generated 25 billion Deutsche Marks for East Germany through similar sanctions-evading commercial operations during the Cold War. BCCI provided the institutional laundering infrastructure for multiple state programs simultaneously. Marc Rich built the commodity-trading template for moving sanctioned Iranian and South African goods through shell company structures. Lazarus operates the modern iteration: sanctions-evading revenue generation through digital theft rather than commodity smuggling, with laundering infrastructure built into decentralized finance protocols that were designed without the regulatory oversight traditional banks operate under.

The detail that matters most for the Shadowcraft framework is that the attack surface Lazarus exploits — multi-signature wallet providers, cross-chain bridges, decentralized exchanges, stablecoin issuers — was built by the cryptocurrency industry specifically to minimize points of centralized control. The design philosophy was adversarial to regulators. The adversary it optimized for was government surveillance. The adversary it got was a state-level threat actor for whom the lack of regulatory intermediation was the exact feature that made sustained theft possible.

We cover Lazarus alongside Crypto AG, Mossack Fonseca, GRU Unit 29155, and 20 other case studies of covert institutional power across our Shadowcraft course — where a North Korean hacking group that started by wiping Sony Pictures’ servers to retaliate for a Seth Rogen movie became the single largest source of foreign exchange for a nuclear-armed state.
