Cyber Breaches

Lazarus Group is the umbrella designation for cyber units operated by North Korea's Reconnaissance General Bureau (RGB) — the country's primary intelligence service. It is one of the few state-sponsored actors that routinely pursues direct financial gain, both to fund the DPRK regime under sanctions and to finance its weapons programs.

Across roughly two decades, Lazarus has demonstrated an unusually broad operational portfolio: destructive wipers (Sony Pictures, 2014), bank-network theft via SWIFT (Bangladesh Bank, 2016), global ransomware (WannaCry, 2017), and — since 2018 — an aggressive focus on cryptocurrency theft. UN expert reports estimate North Korean crypto theft proceeds between 2017 and 2023 at over $3 billion.

Operating method

The current Lazarus playbook against crypto entities is unusually consistent:

Reconnaissance via LinkedIn / GitHub to identify engineers at exchanges, custody providers, and DeFi protocols.
Fake job offers — typically remote roles with attractive salaries — to lure engineers into video interviews and "coding challenges."
Malicious dependencies or interview tooling delivered during the assessment phase, dropping custom backdoors (AppleJeus, recently the FudModule rootkit) on engineering laptops.
Privileged access escalation to signing keys, wallet infrastructure, or smart-contract upgrade keys.
Theft and laundering via Tornado Cash (sanctioned by OFAC in 2022 specifically because of Lazarus use), cross-chain bridges, and OTC desks.

Why it matters

Lazarus is the canonical example of state-sponsored actors operating for financial gain at scale. Its persistence, technical sophistication, and willingness to absorb attribution costs make it nearly unique among APTs. Defensive guidance from CISA, FBI, and Treasury (alert AA22-108A and successors) is the most operationally specific public material available on a state actor.

Related incidents

Supply chainstolenFebruary 21, 2025

Bybit cold wallet heist

Lazarus operators substituted the implementation contract during a routine Safe multisig transaction, draining ~$1.5 billion in ETH and staked-ETH derivatives from Bybit's Ethereum cold wallet — the largest single cryptocurrency theft in history.

Victim: Bybit
Loss: $1.50B

private-keypartially-recoveredMarch 23, 2022

Ronin Bridge heist

Lazarus operators compromised five of nine Ronin validator nodes and forged withdrawal signatures, draining 173,600 ETH and 25.5 million USDC (~$625M) — the largest cryptocurrency theft on record at the time.

Victim: Sky Mavis / Axie Infinity / Ronin Network
Loss: $625.0M

private-keystolenJanuary 26, 2018

Coincheck NEM heist

Tokyo-based cryptocurrency exchange Coincheck lost 523 million NEM tokens (~$530M at the time) from a hot wallet that had no multi-signature protection. The largest single crypto-exchange theft at the time — later attributed to North Korea's Lazarus Group.

Victim: Coincheck Inc.
Loss: $530.0M

RansomwareContainedMay 12, 2017

WannaCry ransomware worm

A North Korean ransomware worm that exploited the EternalBlue SMB vulnerability to spread to ~200,000 systems across 150 countries in 24 hours. Paralysed the U.K.'s NHS and crippled manufacturing globally.

Victim: ~200,000 organizations worldwide (UK NHS, Telefónica, Renault, Deutsche Bahn, Honda et al.)
Loss: $6.00B

EspionagestolenFebruary 4, 2016

Bangladesh Bank SWIFT heist

Lazarus operators sent fraudulent SWIFT instructions through the New York Fed to wire $951 million out of Bangladesh Bank's reserve account. A typo on one transfer stopped $850M; $81M still escaped to Philippine casinos.

Victim: Bangladesh Bank
Loss: $81.0M

WiperResolvedNovember 24, 2014

Sony Pictures Entertainment hack

A North Korean wiper attack tied to the release of 'The Interview' destroyed roughly half of Sony Pictures' IT estate and leaked terabytes of internal documents, emails, and unreleased films.

Victim: Sony Pictures Entertainment
Loss: $100.0M
Records: 1.0M