The rise of Lazarus Group from Sony hacks to billion dollar crypto heists https://techwireasia.com/2025/03/the-rise-of-lazarus-group-from-sony-hacks-to-billion-dollar-crypto-heists/ Fri, 07 Mar 2025 02:27:29 +0000

  • Lazarus Group stole $1.4 billion from Bybit.
  • Investigators linked the attack to other recent breaches.

    Lazarus Group has long been a strong player in cybercrime, specifically targeting bitcoin exchanges and financial institutions. According to Cointelegraph, the North Korean-backed hacking organisation has stolen billions of dollars while using advanced evasion tactics.

    On February 21, the organisation pulled off its largest known robbery, stealing $1.4 billion from Bybit. Blockchain investigator ZachXBT linked the attack to an $85 million breach of Phemex, as well as intrusions at BingX and Poloniex, reinforcing suspicions that North Korea’s cyber army was behind the theft.

    Since 2017, Lazarus Group has stolen an estimated $6 billion from the crypto sector, according to Elliptic. A United Nations report suggests these stolen funds help finance North Korea’s weapons program.

    Lazarus Group: Who’s behind it?

    The US Treasury identifies Lazarus as being controlled by North Korea’s Reconnaissance General Bureau (RGB), the country’s intelligence agency. The FBI has publicly named three North Korean hackers tied to the group, also known as APT38.

    • Park Jin Hyok: Charged in 2018, allegedly linked to the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist ($81 million stolen), and the 2017 WannaCry ransomware attack.
    • Jon Chang Hyok & Kim Il: Indicted in 2021 for financial cybercrimes, including cryptocurrency theft and laundering operations for the North Korean regime.

    Jon allegedly developed malicious crypto applications used to infiltrate financial institutions, while Kim helped coordinate crypto-related heists and fraudulent ICOs.

    The Bybit hack: How it happened

    Shortly before the Bybit breach, North Korea reaffirmed its plans to expand its nuclear arsenal, while the US, South Korea, and Japan called for denuclearisation. Days later, Lazarus struck.

    Security analysts quickly recognised familiar tactics. “Within minutes of ETH moving out of Bybit’s wallet, we saw Lazarus’ unique fingerprint,” said Fantasy, an investigator at crypto insurance firm Fairside Network.

    The hackers used a phishing attack to compromise Bybit’s security, disguising their operation with a fake version of Bybit’s wallet management system. This allowed them to transfer 401,000 Ether ($1.4 billion) to wallets under their control, according to blockchain forensics firm Chainalysis.

    Once the funds were stolen, the laundering process began. Investigators found that parts of the funds were converted into Bitcoin and Dai, using decentralised exchanges, cross-chain bridges, and no-Know Your Customer (KYC) swap services.

    One platform, eXch, was identified as a laundering tool but has refused to freeze the stolen assets despite industry-wide intervention.

    A significant portion of the funds remains spread across multiple wallets, a common tactic used by North Korean hackers to evade detection.

    Crypto theft and social engineering

    Lazarus Group has escalated its attacks on the crypto industry, stealing $1.34 billion across 47 breaches in 2024, more than double the $660.5 million stolen in 2023, according to Chainalysis.

    The firm reports that private key compromises accounted for 43.8% of all crypto hacks that year. This method was used in the $305-million DMM Bitcoin breach and the $600-million Ronin hack—both attributed to Lazarus.

    Beyond large-scale hacks, the group also engages in long-term social engineering schemes. Microsoft Threat Intelligence has identified a North Korean subgroup called Sapphire Sleet (Bluenoroff), which targets cryptocurrency firms and corporate networks.

    Posing as recruiters and venture capitalists, these operatives lure victims into fake job interviews and investment scams, deploying malware to gain access to financial accounts. Over six months, they reportedly stole over $10 million through these tactics.

    Infiltrating the global tech workforce

    North Korea’s cyber operations extend beyond hacking. Thousands of North Korean IT workers operate remotely across Russia, China, and other regions, using AI-generated profiles and stolen identities to land high-paying tech jobs.

    Once inside companies, these workers steal intellectual property, extort employers, and funnel earnings to the regime.

    In August 2024, ZachXBT exposed 21 North Korean developers earning $500,000 per month by embedding themselves in cryptocurrency startups.

    A federal court in St. Louis later unsealed indictments against 14 North Korean nationals, accusing them of:

    • Sanctions violations
    • Wire fraud & identity theft
    • Laundering millions for the North Korean regime

    These individuals reportedly worked for Yanbian Silverstar and Volasys Silverstar, North Korean-controlled tech firms operating in China and Russia.

    The US Department of Justice estimates that these operatives earned at least $88 million over six years, with some required to send $10,000 per month back to the North Korean government.

    A persistent cyber threat

    Despite global scrutiny, Lazarus Group continues to evolve its tactics, adapting to new security measures and increasing its reach into financial and tech sectors.

    Billions in stolen cryptocurrency, deep infiltration of global tech firms, and an expanding network of fraudulent IT workers highlight North Korea’s growing cyber capabilities.

    While US authorities have intensified efforts to crack down on these operations through federal indictments and cyber task forces, Lazarus remains one of the world’s most active cybercrime syndicates.

    With an ability to shift tactics and evade detection, the threat posed by Lazarus Group is far from over.

    Banks are bracing for North Korean cyberattacks https://techwireasia.com/2017/11/banks-are-bracing-themselves-for-north-korean-cyberattacks/ Wed, 01 Nov 2017 04:43:07 +0000
    BANKS around the world are stepping up their defences against potential attacks from North Korea following concerns over the rogue state’s year-long hacking spree against financial networks and amid US military action over Pyongyang’s nuclear programme.

    Cybersecurity experts said North Korean hackers have stolen hundreds of millions of dollars from banks during the past three years, including a heist in 2016 at Bangladesh Bank that yielded US$81 million.

    Dmitri Alperovitch, chief technology officer at cybersecurity firm CrowdStrike, told the Reuters Cyber Security Summit on Tuesday that banks were concerned Pyongyang’s hackers may become more destructive by using the same type of “wiper” viruses they deployed across South Korea and at Sony Corp’s Hollywood studio.

    The North Korean government has repeatedly denied accusations by security researchers and the US government that it has carried out cyberattacks.

    North Korean hackers could leverage knowledge about financial networks gathered during cyber heists to disrupt bank operations, according to Alperovitch, who said his firm has conducted “war game” exercises for several banks.

    “The difference between theft and destruction is often a few keystrokes,” Alperovitch said.

    Last week, BAE Systems PLC researchers told the Japan Times (via Bloomberg) that Lazarus, a hacking group linked to North Korea, may have been behind this month’s theft of US$60 million from Taiwan’s Far Eastern International Bank.

    In a blog post, BAE said the malware used to steal the money through the international SWIFT banking network bore “some of the hallmarks” of Lazarus.

    Lazarus and its offshoots have been named the prime suspects in attacks ranging from last year’s heist at Bangladesh’s central bank to assaults on cryptocurrency exchanges and South Korean ATMs.

    Security teams at major US banks have shared information on the North Korean cyber threat in recent months, said a second cybersecurity expert familiar with those talks.

    “We know they attacked South Korean banks,” said the source, who added that fears have grown that banks in the United States will be targeted next.

    Tensions between Washington and Pyongyang have been building after a series of nuclear and missile tests by North Korea and bellicose verbal exchanges between US President Donald Trump and North Korean leader Kim Jong Un.

    John Carlin, a former US assistant attorney general, told the summit that other firms, among them defense contractors, retailers and social media companies, were also concerned.

    “They are thinking ‘Are we going to see an escalation in attacks from North Korea?’” said Carlin, chair of Morrison & Foerster international law firm’s global risk and crisis management team.

    Jim Lewis, a cyber expert with Washington’s Center for Strategic and International Studies, said it is unlikely that North Korea would launch destructive attacks on American banks because of concerns about US retaliation.

    Representatives of the US Federal Reserve and the Office of the Comptroller of the Currency, the top US banking regulators, declined to comment. Both have ramped up cybersecurity oversight in recent years.

    Additional reporting by Reuters

    North Korean ‘Lazarus’ group behind recent cyberattacks, says security firm https://techwireasia.com/2017/10/north-korean-lazarus-group-behind-recent-cyberattacks-says-security-firm/ Wed, 18 Oct 2017 04:23:55 +0000
    LAZARUS, the North Korean hacking group, is likely behind a recent cyber heist in Taiwan targeting the country’s Far Eastern International Bank, with further attacks anticipated, said cybersecurity firm BAE Systems Plc.

    Taiwan’s Central News Agency reported last week that while hackers sought to steal some US$60 million from the bank, only US$500,000 had yet to be recovered by the bank.

    The attack – the latest in a string of hacks targeting the global SWIFT messaging system – shows North Korea continuing to try and generate funds through hacking.

    British BAE Systems Plc previously linked Lazarus to last year’s US$81 million cyber heist at Bangladesh’s central bank, as have other cyber firms, including Russia’s Kaspersky Lab and California-based Symantec Corp.

    The company also previously claimed Lazarus had attempted to steal money from banks in Mexico and Poland, though there is no evidence the effort succeeded.


    BAE cyber-intelligence chief Adrian Nish told Reuters that he expects the group to launch more attacks.

    “They are not just going to go away. They’ve built the tools. They are going to keep going back,” he said.

    Nish notes, however, that the group appears to have had trouble actually pulling funds from the banking system because security controls were boosted after the massive Bangladesh heist.

    Last year’s cyber heist on the Bangladesh central bank’s account at the New York Federal Reserve resulted in US$81 million being transferred to bank accounts in the Philippines, where the money was quickly withdrawn and later disappeared in the huge casino industry in the country.

    A security executive with SWIFT, a Belgium-based co-operative owned by banks, last week told Reuters that hackers have continued to target the message system this year, though many attempts have been thwarted by the new security controls.

    SWIFT has yet to comment on BAE’s findings.
