Tag: cryptocurrency theft

  • Lazarus Group: North Korea’s State Hacking Apparatus Explained

    On February 4, 2016, a hacker working for the North Korean state sent 35 fraudulent payment instructions through the SWIFT interbank messaging network, routing $951 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York to accounts in Sri Lanka and the Philippines. It would have been the largest bank heist in history. It was stopped by a typo. One of the transfer instructions routed funds to “Shalika Fandation” — a misspelling of “Foundation” — which triggered a routine fraud-screening alert at the correspondent bank Deutsche Bank. The Fed paused the remaining transactions. Of the $951 million attempted, $850 million was recovered. The hackers walked away with $81 million, most of which was laundered through casinos in Manila. The FBI eventually attributed the operation to a North Korean state hacking group that cybersecurity researchers had been tracking since 2009 under the name Lazarus. Nine years and roughly $7 billion in stolen cryptocurrency later, Lazarus is no longer a cybersecurity curiosity. It is North Korea’s single largest source of hard currency, the fiscal backbone of the country’s sanctioned weapons program, and — according to the blockchain analytics firm TRM Labs — not a state-sponsored group in any traditional sense of the term. “Lazarus Group is North Korea. North Korea is Lazarus Group.”

    What Lazarus actually is

    Lazarus operates under many names, which is itself a clue about how the cybersecurity industry thinks about attribution. Researchers have called the group Hidden Cobra, Diamond Sleet, ZINC, Labyrinth Chollima, APT38, BlueNorOff, and Guardians of Peace. The multiple names reflect multiple sub-units conducting different kinds of operations — BlueNorOff specializes in financial theft, Labyrinth Chollima focuses on espionage, APT38 handles large bank heists, Guardians of Peace is the public-facing alias used for ideological operations like the Sony Pictures hack. The umbrella term “Lazarus” is less an organization than a label for the North Korean hacking ecosystem, which operates under the control of the Reconnaissance General Bureau — North Korea’s primary foreign intelligence service.

    The operatives themselves are not shadowy figures typing from Pyongyang basements. North Korea’s cyber operators are trained at institutions like the Kim Il Sung University of Politics and Mirim University (the country’s military signals school), then stationed abroad in places with reliable internet infrastructure — primarily Shenyang in northeastern China, but also Vladivostok, Malaysia, and various African countries where surveillance is limited and North Korean workers maintain a presence. They work in teams of several hundred from IP ranges controlled by the North Korean state, using commercial VPN services and proxy infrastructure to obscure origin. The FBI has publicly named three of them. In September 2018, a federal grand jury indicted Park Jin Hyok, a North Korean national allegedly employed by the Chosun Expo Joint Venture — a North Korean front company operating in China — for his role in the Sony Pictures hack, the Bangladesh Bank heist, and WannaCry. In February 2021, the Justice Department indicted Jon Chang Hyok and Kim Il for cryptocurrency thefts and the fraudulent Marine Chain initial coin offering. Park, Jon, and Kim have never been arrested. North Korea denies they exist.

    The operational record

    The group’s documented operational history begins with a wave of attacks on South Korean government and media systems in the late 2000s and runs through the February 2025 theft of $1.5 billion from the Bybit cryptocurrency exchange — the largest digital asset theft in history. In between, the group conducted operations that would define two decades of financial cybercrime.

    In November 2014, Lazarus-linked hackers publishing under the name “Guardians of Peace” wiped Sony Pictures Entertainment’s systems and leaked confidential emails and unreleased films. The attack was retaliation for Sony’s upcoming release of The Interview, a comedy about a CIA plot to assassinate Kim Jong-un. The attack destroyed Sony’s internal IT infrastructure for weeks. U.S. attribution came from the FBI within a month.

    In May 2017, Lazarus deployed the WannaCry ransomware worm, which encrypted files on more than 200,000 computers across 150 countries in a single weekend. The worm spread using EternalBlue — an exploit for a Microsoft Windows vulnerability that had been developed by the U.S. National Security Agency and stolen by a group called the Shadow Brokers, who had leaked it online a month earlier. WannaCry hit the UK’s National Health Service, forcing the cancellation of thousands of medical appointments and surgeries. It hit Renault, Nissan, FedEx, Deutsche Bahn, and Spanish telecom Telefónica. The ransom payments demanded in bitcoin were minimal — the Lazarus operators appeared to have struggled to collect revenue from the operation — but the scale of the disruption established that a single North Korean cyber team could, within 48 hours, affect critical infrastructure in every developed economy simultaneously.

    In March 2022, Lazarus executed what would remain the largest DeFi hack in history until the Bybit operation three years later. The target was the Ronin Network, a blockchain bridge that moved cryptocurrency in and out of the video game Axie Infinity. The attack vector was a fake LinkedIn job offer. A Lazarus operator posing as a recruiter approached a senior engineer at Sky Mavis — Ronin’s developer — with an interview process that ended with a malware-infected PDF offer document. Once inside Sky Mavis’s systems, the operators obtained five of the nine validator keys needed to authorize transactions on the Ronin bridge, generated two fraudulent withdrawals, and walked away with 173,600 Ether and 25.5 million USDC — approximately $625 million at market prices. The breach went undetected for six days. The FBI confirmed attribution the following month. The U.S. Treasury sanctioned the receiving wallet address.

    In June 2022, Lazarus used the same playbook against Harmony’s Horizon Bridge, stealing $100 million. In June 2023, the group hit the non-custodial Atomic Wallet service, draining roughly $100 million from more than 4,100 individual user addresses. In September 2023, the online casino Stake.com lost $41 million. In July 2024, India’s largest cryptocurrency exchange WazirX was drained of $234 million. The operational cadence accelerated rather than slowing. By 2024, blockchain intelligence firms estimated that Lazarus had stolen more than $6 billion in cryptocurrency since 2017 — enough, according to U.S. Treasury assessments, to constitute a meaningful percentage of North Korean GDP.

    The Bybit operation

    On February 21, 2025, the Dubai-based cryptocurrency exchange Bybit lost $1.5 billion in approximately 30 minutes. The attack vector followed the social-engineering pattern Lazarus had refined since Ronin: a single developer at Safe{Wallet}, a third-party multi-signature wallet provider used by Bybit for cold storage, was compromised through a targeted attack on their laptop. The operators then waited weeks, monitoring Bybit’s internal transaction approval flow, until they identified a routine transfer from one of the exchange’s cold wallets. At the moment of transfer, they substituted a fake Safe{Wallet} interface that Bybit’s signers approved without recognizing the malicious smart contract they were authorizing. 400,000 Ether — about 70% of Bybit’s on-exchange Ethereum reserves — vanished into wallets controlled by the attackers. The FBI attributed the operation to Lazarus within five days. By March 20, TRM Labs reported, 86% of the stolen Ether had already been converted to Bitcoin through a cascade of decentralized exchanges, cross-chain bridges, and mixer services — infrastructure built up over five years specifically for laundering North Korean crypto theft proceeds at industrial scale.

    The Bybit heist, by itself, was worth more than North Korea’s entire estimated crypto-theft take from 2023 and 2024 combined. It was worth more than all traditional bank heists in history combined. And it was executed by a group operating from a country whose GDP is smaller than that of Vermont, under sanctions that have formally excluded North Korea from the global financial system for nearly two decades.

    Why it’s Lecture 14

    Lazarus Group is the Shadowcraft case study that demonstrates how state-level covert finance evolves when the state has no legitimate financial access. North Korea cannot use SWIFT. It cannot hold foreign currency reserves at Western banks. Its formal commercial exports — weapons, labor, agricultural goods — are heavily sanctioned and monitored. What it has is one of the world’s best-trained cyber workforces, operating from jurisdictions where Western law enforcement cannot reach them, against targets — cryptocurrency exchanges — that hold billions of dollars in bearer assets with no reversal mechanism after a successful theft. The match between the state’s needs and the attack surface is close to optimal.

    The other Shadowcraft case studies in the North Korean financial apparatus — Room 39, the party office that coordinates the country’s overall hard-currency operations including counterfeit dollars, insurance fraud, and narcotics trafficking — operate alongside Lazarus within the same overall system. Stasi KoKo generated 25 billion Deutsche Marks for East Germany through similar sanctions-evading commercial operations during the Cold War. BCCI provided the institutional laundering infrastructure for multiple state programs simultaneously. Marc Rich built the commodity-trading template for moving sanctioned Iranian and South African goods through shell company structures. Lazarus operates the modern iteration: sanctions-evading revenue generation through digital theft rather than commodity smuggling, with laundering infrastructure built into decentralized finance protocols that were designed without the regulatory oversight traditional banks operate under.

    The detail that matters most for the Shadowcraft framework is that the attack surface Lazarus exploits — multi-signature wallet providers, cross-chain bridges, decentralized exchanges, stablecoin issuers — was built by the cryptocurrency industry specifically to minimize points of centralized control. The design philosophy was adversarial to regulators. The adversary it optimized for was government surveillance. The adversary it got was a state-level threat actor for whom the lack of regulatory intermediation was the exact feature that made sustained theft possible.

    We cover Lazarus alongside Crypto AG, Mossack Fonseca, GRU Unit 29155, and 20 other case studies of covert institutional power across our Shadowcraft course — where a North Korean hacking group that started by wiping Sony Pictures’ servers to retaliate for a Seth Rogen movie became the single largest source of foreign exchange for a nuclear-armed state.

  • North Korea’s State-Sponsored Cyber Theft: How a Country Funds Itself Through Hacking

    On February 21, 2025, the CEO of Bybit—a Dubai-based cryptocurrency exchange—approved what appeared to be a routine transaction. The user interface showed the correct destination address. The multi-signature security system required multiple executives to sign off, and they did. The transaction looked legitimate at every layer of verification a human being could perform. It wasn’t. North Korea’s Lazarus Group had compromised the interface of Safe{Wallet}, a third-party wallet tool that Bybit used for transfers between cold storage and hot wallets. The interface displayed one address. The code sent funds to another. By the time anyone noticed, 400,000 Ethereum—worth approximately $1.5 billion—had been transferred to wallets controlled by Pyongyang’s military intelligence apparatus. It was the largest cryptocurrency theft in history, executed through a fake button on a screen.

    Within 48 hours, at least $160 million had been laundered. By March 20—less than a month later—Bybit’s CEO confirmed that attackers had converted 86 percent of the stolen Ethereum to Bitcoin. The money was gone, distributed across a laundering infrastructure that blockchain analysts describe as industrialized, following a structured 45-day pipeline from theft to usable currency. According to Chainalysis’s Crypto Crime Report, North Korean hackers stole $2.02 billion in cryptocurrency in 2025 alone—a 51 percent increase over the $1.3 billion stolen in 2024. The cumulative total since 2017 exceeds $6.75 billion. United Nations monitors estimate that cryptocurrency theft now constitutes approximately 13 percent of North Korea’s GDP.

    This is not a criminal enterprise. This is a national economy.

    How a country became a hacking operation

    The Lazarus Group is affiliated with North Korea’s Reconnaissance General Bureau—the regime’s primary intelligence agency. According to a North Korean defector, the unit is known internally as the 414 Liaison Office. It first gained international attention in 2014 by destroying Sony Pictures’ network infrastructure in retaliation for The Interview, a film depicting the assassination of Kim Jong-un. The hackers deployed wiper malware that erased data across Sony’s systems while publicly leaking internal communications—a political operation, not a financial one.

    The pivot to financial crime came in 2016 with the Bangladesh Bank heist. Lazarus issued 35 fraudulent instructions through the SWIFT international banking network to transfer nearly $1 billion from Bangladesh’s central bank account held at the Federal Reserve Bank of New York. Thirty of the transactions were blocked when a misspelled word in one instruction triggered a review. Five got through. The group escaped with $81 million—a figure that, by current standards, would be a slow Tuesday.

    The cryptocurrency era transformed the operation’s scale. Traditional banking systems have compliance departments, transaction limits, correspondent bank oversight, and regulatory checkpoints. Cryptocurrency has smart contracts, multi-signature wallets, and decentralized exchanges with varying levels of security, operated by companies headquartered in jurisdictions with inconsistent enforcement. For a nation-state hacking operation, the cryptocurrency ecosystem is a softer target than the SWIFT network by orders of magnitude.

    The progression since 2017: Banco del Austro in Ecuador ($12 million), Vietnam’s Tien Phong Bank ($1 million), Taiwan’s Far Eastern International Bank ($60 million), then the escalation into crypto—KuCoin ($275 million in 2020), the Ronin Network powering Axie Infinity ($625 million in 2022), Atomic Wallet ($100 million in 2023), WazirX in India ($235 million in 2024), and then Bybit ($1.5 billion in February 2025). The trajectory is exponential, and the operational tempo is accelerating: by mid-2025, Lazarus was executing major heists roughly every 20 days.

    How they actually get in

    The Lazarus Group’s primary weapon is not technical sophistication. It’s patience. Their attack methodology targets humans, not code.

    The Ronin Network hack—$625 million—started with a fake job offer. A Lazarus operative, posing as a recruiter, contacted an engineer at Sky Mavis (the company behind Axie Infinity) through LinkedIn with a fabricated employment opportunity. The engineer downloaded a document that contained malware. That single compromised machine gave the attackers access to the validator nodes that secured the Ronin bridge, and from there, access to the funds.

    The Bybit hack started with a compromised developer laptop. On February 4, 2025, a developer at Safe{Wallet} received what appeared to be a routine request. Their Apple MacBook became the entry point. Within 17 days, the attackers had manipulated the wallet’s front-end interface to redirect a legitimate-looking transaction. The multi-signature security system—designed specifically to prevent single-point-of-failure theft—approved the fraudulent transfer because the fraud existed at the visual layer, not the cryptographic layer. The keys were valid. The signatures were authentic. The destination was wrong.
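    The visual-layer versus cryptographic-layer gap described in both Bybit summaries above is the reason signers are advised to verify the raw payload on a trusted device rather than the wallet’s web UI. The following is an added example, not code from Bybit, Safe{Wallet} or the course: it models a signer-side check that decodes what will actually be signed and compares it with the destination the interface displays. The payload layout is a simplified stand-in (not any wallet’s real transaction format), and every address and hex value is a constructed sample.

```python
# Added illustration, not code from Bybit, Safe{Wallet} or any vendor. It models the
# check a multisig signer can run on a trusted device: decode the payload that will
# actually be signed and compare it with the destination the wallet UI displays.
# The payload layout below is a simplified stand-in, not any wallet's real format,
# and every address and hex value is a constructed sample.

ERC20_TRANSFER_SELECTOR = "a9059cbb"   # first 4 bytes of keccak256("transfer(address,uint256)")
CALL, DELEGATECALL = 0, 1              # operation kinds in the stand-in payload

def decode_erc20_transfer(data_hex: str):
    """Return (recipient, amount) for ERC-20 transfer calldata, else None."""
    data = data_hex.lower().removeprefix("0x")
    # selector (4 bytes) + two 32-byte ABI words = 68 bytes = 136 hex characters
    if len(data) != 136 or data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient_word, amount_word = data[8:72], data[72:136]
    if recipient_word[:24] != "0" * 24:    # upper 12 bytes of an address word must be zero
        return None
    return "0x" + recipient_word[24:], int(amount_word, 16)

def encode_erc20_transfer(to: str, amount: int) -> str:
    """Build ERC-20 transfer calldata (used here only to construct samples)."""
    return ("0x" + ERC20_TRANSFER_SELECTOR
            + to.lower().removeprefix("0x").rjust(64, "0") + format(amount, "064x"))

def effective_destination(payload: dict):
    """Work out where value really ends up, or None if the signer cannot tell."""
    if payload["operation"] != CALL:
        return None                               # delegatecall runs foreign code inside the wallet
    data = payload["data"].lower().removeprefix("0x")
    if data == "":
        return payload["to"].lower()              # plain native-coin transfer
    decoded = decode_erc20_transfer(data)
    if decoded is not None:
        return decoded[0]                         # token transfer: recipient is inside calldata
    return None                                   # arbitrary contract call: needs manual review

def verify_intent(displayed_to: str, payload: dict, allowlist: set) -> str:
    """Compare the UI's claim with what the signature would authorize."""
    actual = effective_destination(payload)
    if actual is None:
        return "REVIEW_REQUIRED"
    if actual != displayed_to.lower():
        return "MISMATCH"                         # the page's failure mode: valid keys, wrong target
    if actual not in {a.lower() for a in allowlist}:
        return "NOT_ALLOWLISTED"
    return "OK"

# Constructed sample values (hypothetical addresses, not real wallets)
HOT_WALLET = "0x" + "11" * 20
TOKEN = "0x" + "33" * 20
ATTACKER = "0x" + "22" * 20
ALLOWLIST = {HOT_WALLET}
AMOUNT = 400_000 * 10**18

honest_eth = {"to": HOT_WALLET, "value": AMOUNT, "data": "0x", "operation": CALL}
swapped_token = {"to": TOKEN, "value": 0,
                 "data": encode_erc20_transfer(ATTACKER, AMOUNT), "operation": CALL}
foreign_code = {"to": ATTACKER, "value": 0, "data": "0x" + "de" * 36, "operation": DELEGATECALL}

if __name__ == "__main__":
    for name, p in [("honest_eth", honest_eth), ("swapped_token", swapped_token),
                    ("foreign_code", foreign_code)]:
        print(name, verify_intent(HOT_WALLET, p, ALLOWLIST))
```

    The UI in all three cases can claim the destination is the hot wallet; only the first payload actually sends funds there, while the second is a redirected transfer and the third hands control to foreign code and should never be approved on the strength of a screen.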

    Beyond direct hacking, North Korea has deployed what researchers call the “Wagemole” strategy—embedding covert IT workers inside legitimate companies worldwide. Operatives obtain remote technical positions using fraudulent identities or through front companies, function as normal employees while providing intelligence to hacking teams, and in some cases directly facilitate theft by providing credentials or disabling security systems. In 2024 alone, more than a dozen cryptocurrency companies were infiltrated by North Korean operatives posing as IT contractors. A Maryland man was sentenced in December 2025 to 15 months in prison for allowing North Korean nationals in Shenyang, China, to use his identity for employment at U.S. companies—including a contract at the Federal Aviation Administration. He was paid over $970,000 for software development work performed by overseas conspirators.

    Why they can’t be stopped (yet)

    North Korea has no extradition treaties. No Interpol cooperation. No financial system to freeze. The Lazarus Group operates from Pyongyang with functional impunity. The U.S. Treasury has sanctioned over 100 Lazarus-linked wallet addresses, but the group creates new ones. The FBI issues arrest warrants for operators it will never arrest. International sanctions on North Korea are among the most comprehensive ever imposed—and cryptocurrency theft is the mechanism by which the regime circumvents them.

    The laundering infrastructure is equally resilient. Chainalysis analysis reveals a structured, multi-wave pipeline: within hours of a theft, stolen funds begin moving through DeFi protocols and mixing services. Funds from separate heists are blended together—money from Stake.com ends up in wallet addresses used for Atomic Wallet laundering, CoinEx proceeds flow through addresses tied to previous operations. This intentional commingling creates noise that makes individual theft attribution nearly impossible. Analysts can trace fragments, but only about 15 percent of stolen funds are ever recovered. The stolen cryptocurrency is converted to Bitcoin (highest liquidity, global acceptance, resistance to devaluation), moved through privacy-enhancing mixers, and eventually converted to fiat currency through intermediaries in jurisdictions with weak enforcement.

    The Center for Strategic and International Studies calls this “cyber-enabled state terrorism.” The label is accurate. Every dollar stolen funds North Korea’s nuclear weapons and ballistic missile programs. Every Bitcoin heist buys missile fuel. The February 2025 Bybit theft alone—$1.5 billion—exceeded the entire annual GDP of several sovereign nations, extracted through a single manipulated interface in 81 seconds of approved transactions.

    What it means for the concept of a heist

    North Korea’s cryptocurrency operation redefines what a heist is. The Gardner Museum theft required two men in police uniforms, 81 minutes inside a building, and the physical removal of 13 canvases. The Bybit theft required a compromised laptop, a manipulated interface, and a CEO clicking a button he had been conditioned to trust. The Gardner paintings are worth $500 million and are unsellable. The Bybit Ethereum was worth $1.5 billion and was 86 percent laundered within a month.

    The traditional heist is constrained by physical access, physical removal, and physical fencing of stolen goods. The North Korean model removes all three constraints. Access is digital. Removal is instantaneous. And cryptocurrency—unlike a Vermeer—can be laundered into fungible currency through automated infrastructure that operates 24 hours a day across every jurisdiction on earth. The heist of the century is no longer a once-in-a-generation event. It’s a quarterly revenue target for a nuclear-armed state that has turned theft into a line item on its national budget.

    We cover North Korea’s cyber operations alongside the Gardner Museum theft, the economics of stolen property, and the full history of audacious theft across our Greatest Heists course—including why the most successful heist crew in history doesn’t wear masks, carry guns, or leave the building. They sit at keyboards in Pyongyang and steal more in an afternoon than most bank robbers dream of in a lifetime.