
Does Bitcoin bring us closer to a ‘nuclear holocaust’?



State-supported North Korean hackers, operating under the Lazarus Group moniker, have stolen billions of dollars' worth of crypto in less than ten years. Their operations made North Korea the fifth-biggest country in terms of Bitcoin holdings. According to the UN report, nearly half of the North Korean nuclear program’s costs are covered via stolen crypto.

Lazarus Group has been mentioned in the news often lately. According to Arkham Intelligence, as of Mar. 17, 2025, Lazarus Group is holding around $1.14 billion in BTC. Recently, Lazarus Group converted stolen ETH funds into bitcoins. The latest estimate shows that following the Bybit hack and money laundering operation, the Democratic People’s Republic of Korea is the holder of 13,518 BTC. That places the country after the U.S., China, the UK, and Ukraine, and ahead of Bhutan and El Salvador, in terms of BTC holdings.

The same day, it was reported that OKX had to suspend its DEX aggregator following consultations with authorities. Reportedly, the exchange employees detected a coordinated attempt by Lazarus Group to access the DEX aggregator. On Mar. 11, Bloomberg reported that the EU authorities were investigating the OKX web3 services in relation to the Bybit hack and a money-laundering operation associated with it.

On Mar. 10, 2025, the Socket Research Team revealed that Lazarus Group had infiltrated the npm ecosystem with six malicious packages carrying BeaverTail malware, which is designed to steal credentials, extract cryptocurrency data, compromise developer environments, and perform other malicious activity. The packages mimic the names of popular trusted libraries. Five other packages were placed on GitHub.

Earlier, on Feb. 21, the North Korean hackers managed to conduct the biggest heist in history, according to Elliptic, stealing $1.4 billion worth of crypto from the Bybit exchange. 

Lazarus Group attacks 

Not much is known about the Lazarus Group. However, the group’s earliest cyber crimes date back to 2009. The group operates as an advanced persistent threat (it is also known as APT38). It undermines global cybersecurity while using the stolen assets to compensate for the poor state of North Korea's economy, which has been battered by sanctions.

In the first years, the group was targeting major banks. In 2017, hackers demanded a BTC ransom during the massive WannaCry attack attributed to Lazarus Group. The same year, Lazarus shifted its focus to the crypto sector. The first targets were crypto exchanges in the U.S. and South Korea. 

In a string of 2017 operations, hackers stole crypto from mining power marketplace Nicehash and crypto exchanges Bithumb and Youbit. In 2022, Lazarus hackers stole $615 million worth of crypto from the Ronin Network. Over 17% of all crypto stolen in 2023 is attributed to Lazarus hacks. WazirX and Bybit were the latest large-scale crypto exchange hacks carried out by Lazarus Group.

What places Lazarus Group in a special position is that this unit is supported by a government that is in opposition to most countries. The institutions and individuals affected by Lazarus Group attacks were located in the U.S., China, Russia, South Korea, Vietnam, Kuwait, and many other countries.

The outright criminal actions of this group do not result in prosecution in the homeland of these hackers, as the government seemingly supports them. Considering the fact that the Internet in North Korea is under state control, there is no chance that the hacker group’s activity is not approved or sponsored by the government. 

Compared to Moscow, Pyongyang cares less about its international reputation. This fact gives its hackers carte blanche and allows them to act even more recklessly. It is reported that the hackers are trained in China and at several universities in North Korea.

Some of the attacks (such as the WannaCry attack of 2017) showed little financial motivation and were instead aimed at sowing panic and chaos in foreign countries. However, later attacks on crypto platforms were associated with large amounts of money being stolen. Most probably, this money is supposed to patch the holes in the North Korean budget.

The group consists of several subunits with different skills. According to the NCC Group report, the hackers work methodically, use a wide range of tools, and take their time, prioritizing staying undetected for as long as possible. Lazarus Group relies mostly on social engineering tactics and large-scale phishing campaigns.

Cryptocurrency and the North Korean nuclear program

According to the UN report, around half of North Korea’s foreign currency income is generated via attacks by government-backed hackers. These funds are allegedly used to fund ballistic missile development. One of the anonymous sources referred to in the report said that 40% of weapons of mass destruction development is funded via cybercrime money. 

North Korea continues to test its ballistic missiles. In 2023, it tested the Hwasong-18, a rocket capable of carrying several warheads and flying over 15,000 kilometres. 2022 was a record-breaking year in terms of rocket launches, with the number close to 90. The latest nuclear bomb testing took place in 2017. The country holds between 50 and 100 bombs.

Last year, American journalist Annie Jacobsen released the book Nuclear War: A Scenario. The book is based on interviews with retired U.S. officers who are knowledgeable about the U.S. nuclear protocol. It describes what happens if North Korea strikes the U.S. with a nuclear bomb. Jacobsen believes that in three stages, 24 minutes each, all the nuclear powers will exchange strikes, effectively sending humanity to near-total extinction that will take several years in the harsh conditions of famine and nuclear winter.

Apparently, that’s not something that Satoshi Nakamoto dreamed of when creating Bitcoin. Unfortunately, prosecuting Lazarus Group hackers is a tough task, considered nearly impossible. Only around half a dozen individuals have been indicted over the years, while the total staff may include over a thousand hackers, with new members being trained all the time.

DW cites the words of an analyst from the Brave New Coin company, Aditya Das, who said:

“If possible, it would be good to see the actual criminals prosecuted as opposed to the applications they use. But we know how good North Korea is at hiding its tracks and denying hacking. So for now, if prosecution is not possible, then prevention is the best option.”

Most probably, in this case, prevention means limiting the privacy and anonymity of the DeFi and web3 sectors in order to have more control over the funds managed by hackers. We know that an anonymous platform, eXch, didn’t immediately react to Bybit’s request to stop hackers from cashing out, allowing them to funnel $90 million in crypto before complying. 

The group's later focus on crypto shows how useful this sector is to Pyongyang for amassing funds. Its trained hackers are savvy enough to steal huge amounts of money through crypto. Most experts believe Lazarus Group is not going to stop anytime soon. These new challenges require new solutions and a better balance between privacy and crime prevention.




