What Is Known About Lazarus Group Suspected Of Hacking Bybit?

An inside look at the Lazarus Group, a North Korean hacking collective responsible for major cyberattacks, including crypto heists and the Sony Pictures hack.


What is the Lazarus Group and When Did It Emerge?

Lazarus Group is the most common designation in the press for a group of hackers that is most likely directed from the DPRK. The name is unofficial, and other names appear in various documents.

Thus, in reports of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) the group appears as Hidden Cobra, in Microsoft reports as ZINC and Diamond Sleet, while the hackers themselves prefer "heroic" aliases such as Guardians of Peace.

Information about the Lazarus Group is extremely scarce; the size and composition of the organization are unknown. U.S. law enforcement officials believe that its leader is a DPRK citizen, Park Jin-hyok. FBI officers determined that he lived in China for at least eight years, where he was engaged in software development. Intercepted emails show that in 2011 Park told North Korean authorities that he wanted to return to his home country for personal reasons.

"Park Jin-hyok is an alleged state-sponsored North Korean programmer, a member of an alleged criminal conspiracy responsible for some of the most costly computer hacks in history. His attacks crippled computer systems and resulted in the theft of funds and virtual currencies from multiple victims. Park is believed to have been involved in a large-scale criminal conspiracy carried out by a group of hackers affiliated with the Intelligence Directorate of the DPRK General Staff. The group included North Korean hacker organizations, which some private cybersecurity firms refer to as Lazarus Group and Advanced Persistent Threat 38 (APT38)," Park's card on the FBI's website reads.

A wanted notice for Park Jin-hyok. Source: FBI.

According to South Korean media, the state program of which Lazarus Group became a part was launched no later than June 2009. At that time the first major attacks were recorded whose source was believed to be the DPRK. The attackers targeted government resources, including the official website of the Blue House.

For a long time, the Lazarus Group's main target was South Korean information infrastructure. Over the years, however, the group's activities have rapidly expanded beyond the regional conflict between Pyongyang and Seoul that has lasted since 1950.

What Major Attacks is The Group Behind?

The action that made Lazarus Group world famous was the November 2014 attack on the computer systems of Sony Pictures Entertainment. The attackers temporarily paralyzed the studio. Its employees were unable to use their work computers, which displayed a "screen of death" with an image of a skeleton and a "warning" from Guardians of Peace.

For several days, the company was unable to conduct financial transactions, causing movie production to be suspended. The attackers posted the personal data of seven thousand Sony Pictures employees, including information on income, personal correspondence and passwords to social networks. In addition, copies of five of the company's films appeared on the Internet, two of which had not yet been released.

Threatening message sent to Sony Pictures employees. Source: Business Insider.

The Western press believed that the attack was political in nature and linked it to Seth Rogen's satirical movie "The Interview," in which North Korean leader Kim Jong-un was the main anti-hero and object of ridicule.

In February 2016, the Bangladesh Central Bank was attacked. Lazarus Group exploited a vulnerability in the SWIFT system to initiate transfers worth about $1 billion from the South Asian republic's government account at the Federal Reserve Bank of New York. The criminals managed to withdraw $81 million before security officers at the bank discovered and stopped the suspicious activity.

Lazarus Group members soon demonstrated even greater ingenuity and technical sophistication. In May 2017, they attacked hundreds of thousands of computers around the world with the WannaCry ransomware. The malware affected devices running the Windows operating system and demanded a $300 ransom in bitcoin.

The attack affected not only individual citizens: in some European countries the work of medical institutions was paralyzed, and production stopped at plants of the French carmaker Renault and Japan's Nissan. The hackers were able to create such a dangerous piece of malware because they had previously obtained a stolen development of the U.S. National Security Agency (NSA).

How Much Damage Has The Lazarus Group Done To The Crypto industry?

With the proliferation of digital assets, North Korean hackers turned their attention to this segment of finance. In 2017 and 2018 alone, they hacked 14 crypto exchanges and exchange services, stealing a total of $882 million in assets. At the same time, the Lazarus Group learned to attack not only entire platforms but also individual users.

In the spring of 2022, the hackers compromised the Ronin sidechain, stealing about $620 million worth of crypto assets from users of the Axie Infinity game. In the summer of the same year, Lazarus Group attacked the Horizon cross-chain bridge of the Harmony protocol and the decentralized wallet Atomic Wallet. The combined damage from the two attacks is estimated at $135 million.

Recorded Future analysts calculated that North Korean cybercriminals stole $1.7 billion in digital assets in 2023 alone, and those numbers continue to steadily rise.

Finally, on February 21, 2025, the largest hack in the history of the crypto industry so far occurred, targeting the Bybit exchange. The hackers gained access to one of the platform's cold wallets, from which they withdrew roughly $1.4 billion worth of Ethereum. Soon afterward, on-chain analyst ZachXBT "provided irrefutable evidence" of Lazarus Group's involvement in the incident.

The reputational losses that the actions of such groups bring to the crypto industry are no less serious.

For example, the U.S. authorities cited Lazarus Group activity as grounds for imposing sanctions against the Tornado Cash, Blender, and Sinbad mixers, which the hackers allegedly used to launder stolen funds. However, such restrictions do not stop attackers from quickly finding alternative routes to cash out.

The Bybit case also undermines trust in centralized exchanges. The hackers, whatever structure they belong to, have demonstrated the ability to successfully attack not only local exchanges and small projects, but also top platforms with "green" security ratings.

Is Lazarus Group Really Connected To The Leadership of The DPRK (North Korea)?

There is no doubt about it. Given the highly repressive nature of the North Korean regime, it is inconceivable that such complex operations could be carried out without state involvement.

Internet access in the DPRK is limited, and only privileged citizens can use it freely: members of the ruling Kim dynasty and their entourage, as well as managers and employees of enterprises of strategic importance. Everyone else has to make do with the isolated Kwangmyong network, which contains only information approved by the censors.

According to intelligence agencies, the main center of North Korean cybercrime is Lab 110, a military institute that reports directly to the State Council headed by Kim Jong-un. However, North Korea clearly lacks the domestic capacity to run the program on its own. As Russian Korea scholar Andrei Lankov confirms, the "strike" groups of North Korean hackers are based outside the DPRK:

"They have some pretty good training centers. Technically they have a good level. By the way, these centers are not physically located in Korea. For a very long time, one of the largest centers was located in a hotel in the [Chinese] city of Shenyang, where they [the hackers] lived, going out into the city only under the supervision of a special officer. [...] I believe that even now such bases continue to exist in different countries of the world, mainly in East and Southeast Asia."

This version is supported by FBI reports indicating the presence of Lazarus Group members in China at the very least, as well as by numerous statements from South Korean law enforcement officials.

Are The Stolen Funds Going To The Nuclear Program?

This is quite likely, but there is no direct evidence.

The DPRK is the only state that refuses on principle to cooperate with the IAEA (International Atomic Energy Agency): back in 2008 Pyongyang officially announced that it "no longer needs the Agency's surveillance services" at its nuclear facilities. It is therefore impossible not only to establish the sources of funding for this sector, but even to reliably determine the current state of Pyongyang's nuclear program.

Nevertheless, there are regular reports in the press that North Korean cybercriminals are engaged precisely in raising funds for the development of weapons of mass destruction.

In February 2024, Reuters published excerpts from a confidential report by the UN Sanctions Committee.

The document claims that North Korean hackers are suspected of at least 58 attacks that had stolen about $3 billion at the time of publication. The authors of Microsoft's Cybersecurity Report for 2024 cite similar figures.

By comparison, according to estimates by ICAN (International Campaign to Abolish Nuclear Weapons), Pyongyang spent $667 million on its nuclear program in 2020. Be that as it may, laundering and the subsequent conversion of stolen funds into fiat requires massive amounts of time and other resources, and the songun principle fundamental to the DPRK's domestic politics precludes dependence on an additional (and extremely risky) search for money for the military.

Arguably, what should be far more troubling is not how the Lazarus Group spends the stolen funds, but the group's activities unrelated to finance. As Bitdefender Labs analysts point out, members of the organization have been targeting employees in the nuclear, aviation, and other sensitive industries in an effort to obtain sensitive information and access to corporate accounts.

It appears that the hackers make no exceptions in these operations, even for formal allies of the North Korean state. According to Reuters, in late 2021 Lazarus Group broke into the computer networks of NPO Mashinostroyenia, located in Reutov near Moscow.

The unauthorized access was detected and shut down by the enterprise's employees only in May 2022. According to the agency's journalists, the hackers were gathering information needed for the production of an intercontinental ballistic missile.

Lazarus Group - One of A Kind?

In fact, even the Lazarus Group itself cannot be spoken of as a single entity. In all likelihood, it consists of multiple units responsible for different targets and types of attacks. In parallel, the Kimsuky and Ricochet Chollima groups operate in the DPRK, engaged in industrial espionage and the destabilization of South Korean power grids.

The Lazarus Group is generally categorized as an APT. Similar structures exist in many states with non-democratic regimes: China (Red Apollo, Double Dragon, Numbered Panda and many others), Iran (Charming Kitten, Helix Kitten, Elfin Team), Russia (Cozy Bear, Fancy Bear, Primitive Bear, and others), and Saudi Arabia (OurMine).

However, the sharply negative image of the DPRK as "the last totalitarian regime" and Pyongyang's principled refusal of any form of diplomatic dialogue and international cooperation make the Lazarus Group a kind of symbol of "absolute evil". Such an attitude inevitably results not only in justified accusations against the cybercriminals as agents of state terrorism, but also in all sorts of manipulation designed, among other things, to discredit the crypto industry.