TechForge

March 7, 2025

  • Lazarus Group stole $1.4 billion from Bybit.
  • Investigators linked the attack to other recent breaches.

Lazarus Group has long been a strong player in cybercrime, specifically targeting bitcoin exchanges and financial institutions. According to Cointelegraph, the North Korean-backed hacking organisation has stolen billions of dollars while using advanced evasion tactics.

On February 21, the organisation pulled off its largest known robbery, stealing $1.4 billion from Bybit. Blockchain investigator ZachXBT linked the attack to an $85 million breach of Phemex, as well as intrusions at BingX and Poloniex, reinforcing suspicions that North Korea’s cyber army was behind the theft.

Since 2017, Lazarus Group has stolen an estimated $6 billion from the crypto sector, according to Elliptic. A United Nations report suggests these stolen funds help finance North Korea’s weapons program.

Lazarus Group: Who’s behind it?

The US Treasury identifies Lazarus as being controlled by North Korea’s Reconnaissance General Bureau (RGB), the country’s intelligence agency. The FBI has publicly named three North Korean hackers tied to the group, also known as APT38.

  • Park Jin Hyok: Charged in 2018, allegedly linked to the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist ($81 million stolen), and the 2017 WannaCry ransomware attack.
  • Jon Chang Hyok & Kim Il: Indicted in 2021 for financial cybercrimes, including cryptocurrency theft and laundering operations for the North Korean regime.

Jon allegedly developed malicious crypto applications used to infiltrate financial institutions, while Kim helped coordinate crypto-related heists and fraudulent ICOs.

The Bybit hack: How it happened

Shortly before the Bybit breach, North Korea reaffirmed its plans to expand its nuclear arsenal, while the US, South Korea, and Japan called for denuclearisation. Days later, Lazarus struck.

Security analysts quickly recognised familiar tactics. “Within minutes of ETH moving out of Bybit’s wallet, we saw Lazarus’ unique fingerprint,” said Fantasy, an investigator at crypto insurance firm Fairside Network.

The hackers used a phishing attack to compromise Bybit’s security, disguising their operation with a fake version of Bybit’s wallet management system. This allowed them to transfer 401,000 Ether ($1.4 billion) to wallets under their control, according to blockchain forensics firm Chainalysis.

Once the funds were stolen, the laundering process began. Investigators found that parts of the funds were converted into Bitcoin and Dai, using decentralised exchanges, cross-chain bridges, and no-Know Your Customer (KYC) swap services.

One platform, eXch, was identified as a laundering tool but has refused to freeze the stolen assets despite industry-wide intervention.

A significant portion of the funds remains spread across multiple wallets, a common tactic used by North Korean hackers to evade detection.

Crypto theft and social engineering

Lazarus Group has escalated its attacks on the crypto industry, stealing $1.34 billion across 47 breaches in 2024, more than double the $660.5 million stolen in 2023, according to Chainalysis.

The firm reports that private key compromises accounted for 43.8% of all crypto hacks that year. This method was used in the $305-million DMM Bitcoin breach and the $600-million Ronin hack—both attributed to Lazarus.

Beyond large-scale hacks, the group also engages in long-term social engineering schemes. Microsoft Threat Intelligence has identified a North Korean subgroup called Sapphire Sleet (Bluenoroff), which targets cryptocurrency firms and corporate networks.

Posing as recruiters and venture capitalists, these operatives lure victims into fake job interviews and investment scams, deploying malware to gain access to financial accounts. Over six months, they reportedly stole over $10 million through these tactics.

Infiltrating the global tech workforce

North Korea’s cyber operations extend beyond hacking. Thousands of North Korean IT workers operate remotely across Russia, China, and other regions, using AI-generated profiles and stolen identities to land high-paying tech jobs.

Once inside companies, these workers steal intellectual property, extort employers, and funnel earnings to the regime.

In August 2024, ZachXBT exposed 21 North Korean developers earning $500,000 per month by embedding themselves in cryptocurrency startups.

A federal court in St. Louis later unsealed indictments against 14 North Korean nationals, accusing them of:

  • Sanctions violations
  • Wire fraud & identity theft
  • Laundering millions for the North Korean regime

These individuals reportedly worked for Yanbian Silverstar and Volasys Silverstar, North Korean-controlled tech firms operating in China and Russia.

The US Department of Justice estimates that these operatives earned at least $88 million over six years, with some required to send $10,000 per month back to the North Korean government.

A persistent cyber threat

Despite global scrutiny, Lazarus Group continues to evolve its tactics, adapting to new security measures and increasing its reach into financial and tech sectors.

Billions in stolen cryptocurrency, deep infiltration of global tech firms, and an expanding network of fraudulent IT workers highlight North Korea’s growing cyber capabilities.

While US authorities have intensified efforts to crack down on these operations through federal indictments and cyber task forces, Lazarus remains one of the world’s most active cybercrime syndicates.

With an ability to shift tactics and evade detection, the threat posed by Lazarus Group is far from over.

About the Author

Muhammad Zulhusni

As a tech journalist, Zul focuses on topics including cloud computing, cybersecurity, and disruptive technology in the enterprise industry. He has expertise in moderating webinars and presenting content on video, in addition to having a background in networking technology.
