Blog

Lazarus Group, How North Korea Stole $3.8B in Crypto

Early Thunder Research|
lazarus-groupnorth-koreabybit-hackronin-bridgecrypto-securityexchange-hackbridge-exploitdmm-bitcoinwazirxmarket-intelligencerisk-management

The biggest security threat in crypto is not smart contract bugs. It is a state-sponsored hacking organization operating out of Pyongyang under the direct control of the North Korean government. Lazarus Group has been active since at least 2009, but its pivot to cryptocurrency theft around 2016 turned it into the most dangerous adversary in the history of financial crime.

This is not speculation. The US Treasury, FBI, CISA, and multiple UN Security Council reports have attributed these hacks with high confidence. The cryptocurrency stolen funds North Korea's nuclear weapons and ballistic missile programs. We track Lazarus Group attacks as part of our security monitoring because every major hack creates market-wide contagion and because understanding their methods is prerequisite to defending against them.

The Lazarus Ledger: $3.8 Billion and Climbing

Here is the documented attack timeline, in order of impact:

Bybit — $1.4 Billion (February 21, 2025) This is the largest single hack in the history of cryptocurrency. Lazarus Group compromised the Safe{Wallet} multisig user interface — not Bybit's systems directly, but the third-party signing interface used by Bybit's cold storage operations. When Bybit signers approved what appeared to be a standard internal transfer to warm storage, they were signing a malicious transaction that had been injected into the UI. The transaction transferred 401,347 ETH to attacker-controlled addresses. Bybit CEO Ben Zhou confirmed the hack within hours, committed to covering all losses from exchange capital and emergency loans, and honored every withdrawal. The exchange survived. The funds did not.

Ronin Network/Axie Infinity — $625 Million (March 23, 2022) The Ronin bridge, which connected Axie Infinity's gaming economy to Ethereum, was compromised through a social engineering attack targeting Sky Mavis employees. Attackers gained control of 5 of 9 validator nodes — one threshold short of the required 5-of-9 for transaction approval, but an employee approval accidentally granted the attackers a sixth signature. 173,600 ETH and 25.5 million USDC were stolen. The hack went undetected for 6 days until a user tried to withdraw funds and couldn't.

DMM Bitcoin — $305 Million (May 2024) Japanese exchange DMM Bitcoin lost 4,502.9 BTC in a hack attributed to Lazarus by Japan's National Police Agency and the FBI. The mechanism is consistent with the Bybit attack: compromise of the signing environment rather than the exchange's core systems. DMM Bitcoin was unable to recover and shut down operations in December 2024.

WazirX — $234 Million (July 2024) Indian exchange WazirX lost $234 million from its Safe multisig wallet. The hack used the same Safe{Wallet} compromise vector later seen at Bybit — UI injection to manipulate what signers see versus what they're actually signing. The attack exposed a systemic vulnerability in how multisig wallets present transaction data to human signers.

Harmony Horizon Bridge — $100 Million (June 2022) The Harmony blockchain's cross-chain bridge was compromised through private key theft targeting the bridge's 2-of-5 multisig wallet. Lazarus only needed 2 of 5 keys to drain the bridge. The low threshold made the attack straightforward once 2 validators were compromised.

The combined documented total for Lazarus Group attacks exceeds $3.8 billion. Annual crypto theft statistics for all actors: 2022 was $3.8 billion industrywide (Lazarus contributed over $1.7B that year alone), 2023 declined to $1.7 billion, 2024 recovered to $2.2 billion, and 2025 is tracking above $2.1 billion with the Bybit hack alone accounting for two-thirds of that figure.

How Lazarus Operates: The Attack Methodology

Lazarus does not rely primarily on smart contract exploits. Their preferred vector is human beings. The attack chain typically looks like this:

Step 1 — Target selection: Lazarus identifies cryptocurrency firms with high-value hot or warm wallets. They prioritize targets with large custodied balances, third-party signing dependencies, and insufficient internal security review processes.

Step 2 — Social engineering: Fake recruiters approach employees at target firms on LinkedIn with lucrative job offers. The outreach appears legitimate — complete with professionally designed job descriptions, video calls with fake interviewers, and detailed compensation packages. During the process, the target is asked to download a "technical assessment" or "portfolio review" document that contains malware.

Step 3 — Initial access: Once malware is installed on an employee's machine, Lazarus begins lateral movement through the organization's internal systems. They may remain dormant for weeks or months, mapping internal infrastructure and gaining access credentials.

Step 4 — Signing environment compromise: The target is typically the signing interface or process used for large transactions. Rather than attacking the blockchain directly, Lazarus attacks the human layer — what operators see when they're asked to approve a transaction.

Step 5 — Execution: A malicious transaction is substituted for a legitimate one at the moment of signing. Human signers see what appears to be a normal internal transfer. The actual transaction sends funds to attacker wallets.

Step 6 — Laundering: Stolen funds move through Tornado Cash (Ethereum mixer), cross-chain bridges (to move ETH into less traceable assets), peer-to-peer OTC markets in jurisdictions with limited KYC enforcement, and conversion into assets with higher fungibility.

Why Bridges Are the Primary Attack Surface

Of the major Lazarus attacks, four of five involved either a cross-chain bridge or a signing interface used to manage bridge or custodial operations. The pattern is deliberate. Bridges concentrate enormous value in a single point of failure — all assets being transferred between chains must pass through the bridge contract, which requires a set of validator signatures to approve movements.

A bridge with a 2-of-5 validator structure needs only 2 compromised validators for full control. A bridge with 5-of-9 needs 5. These thresholds were set for operational convenience, not adversarial resistance against a nation-state actor willing to conduct multi-month social engineering campaigns.

The Bybit attack refined the model: rather than compromising validators directly, compromise the interface they use. The result is identical — signers approve malicious transactions — but the attack surface is a third-party software vendor rather than the target firm itself.

The North Korea Connection: Where the Money Goes

The UN Panel of Experts documented in 2024 that North Korea has used cryptocurrency theft to fund between 40–50% of its foreign currency requirements for weapons of mass destruction development. The $3.8 billion stolen is not abstract crime — it is converted into hard currency and directed at nuclear warheads, ICBM guidance systems, and submarine-launched ballistic missile programs.

US Treasury OFAC designations have named Lazarus Group, its sub-unit Bluenoroff, and dozens of affiliated wallets. These designations make it illegal for US persons to transact with known Lazarus wallets. The designations have had limited effect on the laundering operations because the volume of blockchain transactions makes real-time interdiction impractical.

Defense: What Actually Works

Hardware wallets with physical confirmation requirements prevent signing environment compromise attacks — the malicious transaction would still need to be approved by a human touching the hardware device, which requires the attacker to compromise the device itself, a significantly higher bar.

Withdrawal address whitelisting restricts where funds can go regardless of who approves the transaction. Even a fully compromised signing environment cannot send funds to non-whitelisted addresses.

Multi-sig with hardware keys from geographically separated signers across multiple organizations (not the same firm) eliminates the single social engineering vector.

Transaction simulation and human-readable display of actual transaction effects — not just the parameters — would have allowed Bybit signers to see that the contract logic had been modified to transfer funds to external addresses.

None of these are novel. All of them would have prevented at least some of the $3.8 billion in documented losses. The gap between available defenses and deployed defenses remains the primary vulnerability in the industry.

Author: Early Thunder Research Data sources: FBI public statements, US Treasury OFAC designations, UN Security Council Panel of Experts reports, Chainalysis 2025 Crypto Crime Report, Bybit incident post-mortem, on-chain analysis Last updated: 2026-05-21

This content is for informational purposes only and does not constitute financial advice.

Want more Early Thunder research?

Get Premium Access