Decoding the Legal Implications: How AI Legalese Decoder Can Clarify Bitcoin’s Role in Global Stability and Nuclear Risk
- March 18, 2025
- Posted by: legaleseblogger
- Category: Related News
State-Supported Lazarus Group: An Overview of North Korean Cybercrime Activities
Over the past decade, the North Korean hackers known as the Lazarus Group have orchestrated operations that led to the theft of billions of dollars in cryptocurrency. These fraudulent activities have positioned North Korea as the fifth-largest holder of Bitcoin globally. Alarmingly, a United Nations report indicates that nearly half of the funding for North Korea’s nuclear program comes from profits derived from stolen cryptocurrency.
The Lazarus Group has gained significant media attention recently. As reported by Arkham Intelligence on March 17, 2025, the group now possesses approximately $1.14 billion in Bitcoin (BTC). Following recent developments, including a hack of the Bybit exchange and subsequent money laundering efforts, North Korea’s total Bitcoin holdings have escalated to a striking 13,518 BTC. This remarkable figure places the nation behind only the U.S., China, the UK, and Ukraine in BTC ownership, surpassing the holdings of countries such as Bhutan and El Salvador.
Recent Developments and Investigations
In a concerning twist, it was reported that on the same day as the aforementioned Bitcoin holdings revelation, OKX—a prominent cryptocurrency exchange—was compelled to suspend its decentralized exchange (DEX) aggregator after discussions with regulatory authorities. Employees of the exchange identified a synchronized effort by the Lazarus Group to breach the DEX aggregator system. Bloomberg further reported on March 11 that EU authorities are actively investigating the web3 services provided by OKX in connection with the Bybit hack and the associated money-laundering activities.
Adding to the gravity of the situation, on March 10, 2025, The Socket Research Team disclosed that the Lazarus Group had infiltrated the npm ecosystem through six malicious packages. These packages, utilizing BeaverTail malware, were designed to pilfer credentials, extract cryptocurrency data, and compromise developer environments. The malicious packages cleverly adopted the names of well-known trusted libraries, with five more packages appearing on GitHub, illustrating the group’s persistent and innovative tactics in cybercrime.
Looking back, on February 21, North Korean hackers executed what is now considered one of the largest cryptocurrency heists in history, stealing an astonishing $1.4 billion from the Bybit exchange, as per Elliptic’s analysis.
Understanding the Lazarus Group’s Operations
While not much detailed information exists about the Lazarus Group, its history of cybercrime extends back to 2009. The group is recognized as an advanced persistent threat (APT), often referred to by the name APT38. Their activities pose significant risks to global cybersecurity, as they leverage stolen assets to stabilize the North Korean economy, heavily impacted by international sanctions.
Initially, the group targeted large banking institutions. However, following the notorious WannaCry ransomware attack in 2017, for which they demanded a ransom in BTC, Lazarus Group shifted its focus toward the burgeoning crypto sector. Early targets included crypto exchanges primarily situated in the U.S. and South Korea.
A spate of operations in 2017 saw hackers pilfer funds from mining power marketplace NiceHash, as well as two cryptocurrency exchanges, Bithumb and Youbit. More recently, in 2022, they executed a breathtaking theft of $615 million from the Ronin Network. Disturbingly, over 17% of all cryptocurrency heists recorded in 2023 have been attributed to the Lazarus Group’s actions. Their most recent high-profile incidents involved catastrophic hacks on crypto exchanges WazirX and Bybit.
What sets Lazarus Group apart from typical criminal organizations is its backing from the North Korean government. Its cyber-intrusions have targeted institutions and individuals across multiple nations, including the U.S., China, Russia, South Korea, Vietnam, Kuwait, and many others.
The criminal activities committed by Lazarus Group perpetrators go unpunished in North Korea, where governmental support is evident. With the North Korean internet being firmly controlled by the state, it is improbable that the group’s ventures occur without government approval or sponsorship. Unlike other nations, Pyongyang appears to have few qualms about international scrutiny of its cyber activities, providing its hackers with the freedom to act with impunity. Reports indicate that these criminals receive training in China and at various institutions within North Korea.
Some of their earlier cyber attacks, such as the WannaCry incident, lacked purely financial motives, seeking instead to instigate panic in foreign nations. However, subsequent assaults on cryptocurrency platforms have been primarily driven by the substantial financial gains they offer, likely aimed at replenishing the North Korean regime’s budget.
Lazarus Group comprises multiple subunits, each with varying expertise. A report from NCC Group highlighted their methodical approach, employing an arsenal of sophisticated tools while prioritizing stealth, allowing them to evade detection for extended periods. Their preferred tactics include social engineering and large-scale phishing campaigns directed at unsuspecting victims.
Cryptocurrency Funding and the North Korean Nuclear Endeavors
A United Nations report reveals that nearly 50% of North Korea’s foreign currency earnings stem from cyber-attacks orchestrated by government-sponsored hackers. Reports suggest that these illicit funds are funneled into the development of ballistic missiles and other weapons programs. One anonymous source cited in the report indicated that around 40% of the nation’s development efforts concerning weapons of mass destruction rely on proceeds from cybercrime.
Despite ongoing tensions, North Korea continues its ballistic missile tests unfazed. In 2023, the nation tested the Hwasong-18 rocket capable of delivering multiple warheads and reaching over 15,000 kilometers in flight. The previous year set a record for the number of missile launches, totaling nearly 90. North Korea’s last nuclear bomb test occurred in 2017, and the country is estimated to possess between 50 and 100 nuclear warheads.
In a relevant literary contribution, American journalist Annie Jacobsen published a book titled *Nuclear War: A Scenario*, based on interviews with retired U.S. military officers. The book contemplates a chilling hypothetical scenario wherein North Korea strikes the U.S. with nuclear weapons, suggesting a rapid exchange of nuclear strikes among nations that could lead to near-total human extinction, ushering in years of famine and a catastrophic nuclear winter.
The Challenge of Prosecution and Prevention
Prosecuting members of the Lazarus Group presents monumental challenges and is often deemed improbable. Historically, only a handful of individuals have faced indictment, while the total number of hackers in this group could exceed one thousand, with new recruits continuously being trained. According to an analyst from Brave New Coin, Aditya Das, “If possible, it would be good to see the actual criminals prosecuted as opposed to the applications they use. But we know how good North Korea is at hiding its tracks and denying hacking. So, for now, if prosecution is not possible, then prevention is the best option.”
The concept of prevention, therefore, may necessitate the curtailing of privacy and anonymity across the decentralized finance (DeFi) and web3 sectors, ensuring greater oversight of funds that are susceptible to hacker manipulation. A notable incident highlighting this need involved the anonymous platform eXch, which failed to respond promptly to Bybit’s request to prevent hackers from liquidating stolen assets, ultimately allowing the culprits to funnel $90 million in crypto before finally complying.
The focus on cryptocurrency by the Lazarus Group underscores its utility to the North Korean regime in amassing funds. Armed with advanced skills and techniques, their hackers are adept at extracting vast sums of money through digital currencies. Most cybercrime experts speculate that the activities of the Lazarus Group will persist into the foreseeable future. These evolving challenges necessitate innovative solutions and improved measures to strike a delicate balance between privacy rights and effective crime prevention.
How AI Legalese Decoder Can Assist
In the face of complex legal issues surrounding cryptocurrency and the threats posed by groups such as Lazarus, utilizing AI tools like the AI Legalese Decoder can be invaluable. This innovative platform helps individuals and organizations navigate the intricacies of legal jargon, enabling clearer comprehension of rights, responsibilities, and legal options. By simplifying legal documents, AI Legalese Decoder empowers victims of cybercrime and stakeholders in the cryptocurrency sector to better understand the legal landscape at play, making informed decisions for both defensive and proactive measures.