Lazarus Group has stolen over $6 billion in crypto since 2017, making it the most notorious hacking ring in the industry.
Analysis
Lazarus Group isn’t an occasional player in the hacking world; it is frequently the prime suspect in major crypto heists. The North Korean state-backed group has siphoned billions from exchanges, tricked developers, and bypassed even the industry’s most sophisticated security measures.
On Feb. 21, it pulled off its biggest score yet: stealing a record-breaking $1.4 billion from cryptocurrency exchange Bybit. Crypto detective ZachXBT identified Lazarus as the prime suspect after linking the Bybit attack to the $85-million hack on Phemex. He further connected the hackers to breaches at BingX and Poloniex, adding to the growing body of evidence pointing to North Korea’s cyber army.
Since 2017, Lazarus Group has stolen an estimated $6 billion from the crypto industry, according to security firm Elliptic. A United Nations Security Council study reports that these stolen funds are believed to bankroll North Korea’s weapons program.
The group is one of the most prolific cybercriminal organizations in history, and its suspected operatives and methods reveal a highly sophisticated cross-border operation working in service of the regime. Who’s behind Lazarus, and how did it pull off the Bybit hack? And what other methods has it employed that pose ongoing threats?
Bybit is the largest crypto heist ever. Source: Elliptic
The who’s who of Lazarus Group
The US Treasury says that Lazarus is controlled by North Korea’s Reconnaissance General Bureau (RGB), the regime’s primary intelligence agency. Three suspected North Korean hackers have been publicly named by the Federal Bureau of Investigation (FBI) as members of Lazarus (also known as APT38).
In September 2018, the FBI charged Park Jin Hyok, a North Korean national and a suspected member of Lazarus, with some of the most infamous cyberattacks in history. Park, who allegedly worked for the Chosun Expo Joint Venture, a North Korean front company, is linked to the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist ($81 million stolen).
Park has also been tied to the 2017 WannaCry 2.0 ransomware attack, which crippled hospitals, including the UK’s National Health Service. Investigators traced Park and his co-conspirators through shared malware code, the online accounts used to store stolen credentials, and the proxy services used to mask North Korean and Chinese IP addresses.
Three suspected Lazarus members named by US authorities. Source: District Court for the Central District of California
In February 2021, the Justice Department announced that it had added Jon Chang Hyok and Kim Il to its list of indicted cybercriminals for their roles in some of the world’s most devastating cyber intrusions. Both are accused of working for Lazarus, orchestrating cyber-enabled financial crimes, stealing cryptocurrencies and laundering for the regime.
Jon specialized in developing and spreading malicious cryptocurrency applications to infiltrate exchanges and financial institutions, enabling large-scale theft. Kim was involved in distributing malware, coordinating crypto-related heists and orchestrating the fraudulent Marine Chain ICO.
How Lazarus Group’s greatest hit took place
Just weeks before the Bybit hack, North Korean leader Kim Jong Un inspected a nuclear material production facility, calling for an expansion of the country’s nuclear arsenal beyond current production plans, according to state media.
On Feb. 15, the US, South Korea and Japan issued a joint statement reaffirming their commitment to North Korea’s denuclearization. Pyongyang swiftly dismissed the move as “absurd” on Feb. 18, vowing once again to bolster its nuclear forces.
Three days later, Lazarus struck again.
Within security circles, Lazarus’ fingerprints are often recognized almost immediately, even before official investigations confirm their involvement.
“I was able to confidently say, privately, within a few minutes of the ETH moving out of Bybit’s wallet, that this was related to the DPRK [Democratic People’s Republic of Korea] just due to them having such a unique fingerprint and TTP [tactics, techniques and procedures] onchain,” Fantasy, investigation lead at crypto insurance firm Fairside Network, told Cointelegraph.
“Splitting up ERC-20 assets across many wallets, immediately dumping the tokens in suboptimal ways, incurring huge fees [or] slippage, and then sending ETH in large, round amounts to fresh wallets.”
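The fingerprint described in the quote above is mechanical enough to check automatically. The following is an added example, not code from the article or from Fairside Network: a small heuristic scorer run over a constructed list of transfers. It flags a sender that splits one ERC-20 across many previously unseen wallets, or pushes large round ETH amounts to several fresh wallets, shortly after it starts moving funds. The addresses, asset names and block numbers are made up for the sample; the slippage part of the fingerprint (dumping tokens badly) needs DEX trade data and is not modelled here.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One on-chain transfer. Field names and all sample addresses below are
    constructed for this example; a real pipeline would load them from an indexer."""
    block: int
    src: str
    dst: str
    asset: str      # "ETH" or an ERC-20 symbol
    amount: float


def is_round(amount: float, unit: float = 1000.0) -> bool:
    """Large, round amounts (whole multiples of `unit`) are the tell the quote describes."""
    return amount >= unit and abs(amount / unit - round(amount / unit)) < 1e-9


def score_sources(transfers, window=50, min_fanout=5, min_round_hops=3):
    """Return {sender: [reasons]} for senders that, within `window` blocks of their
    first outbound transfer, (a) fan one ERC-20 out to >= min_fanout wallets with no
    prior history, or (b) send round ETH amounts to >= min_round_hops such wallets."""
    ordered = sorted(transfers, key=lambda t: t.block)
    seen, fresh_dst, by_src = set(), {}, defaultdict(list)
    for i, t in enumerate(ordered):
        fresh_dst[i] = t.dst not in seen          # no history before this inbound transfer
        seen.update((t.src, t.dst))
        by_src[t.src].append((i, t))

    findings = {}
    for src, items in by_src.items():
        start = items[0][1].block
        recent = [(i, t) for i, t in items if t.block - start <= window]
        fanout = defaultdict(set)
        for i, t in recent:
            if t.asset != "ETH" and fresh_dst[i]:
                fanout[t.asset].add(t.dst)
        round_hops = [t for i, t in recent
                      if t.asset == "ETH" and fresh_dst[i] and is_round(t.amount)]
        reasons = [f"fan-out of {asset} to {len(dsts)} fresh wallets"
                   for asset, dsts in fanout.items() if len(dsts) >= min_fanout]
        if len(round_hops) >= min_round_hops:
            reasons.append(f"{len(round_hops)} round ETH hops to fresh wallets")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample: a legitimate hot wallet that fans out withdrawals to
# customers with prior history, and a drained address behaving like the quote.
SAMPLE_TRANSFERS = (
    [Transfer(b, f"0xcust{b}", "0xhotwallet", "ETH", 0.5 + b) for b in range(1, 7)]
    + [Transfer(10, "0xhotwallet", f"0xcust{b}", "USDT", 2500.0) for b in range(1, 7)]
    + [Transfer(11, "0xhotwallet", "0xcust1", "ETH", 1000.0)]          # round, but known dst
    + [Transfer(100, "0xsuspect", f"0xfresh{n}", "stETH", 10000.0) for n in range(1, 7)]
    + [Transfer(101 + n, "0xsuspect", f"0xhop{n}", "ETH", 10000.0) for n in range(3)]
)

if __name__ == "__main__":
    for src, reasons in score_sources(SAMPLE_TRANSFERS).items():
        print(src, "->", "; ".join(reasons))
```

The freshness check is what keeps an exchange hot wallet, which fans out tokens all day to addresses that already have history, from being flagged alongside a thief; the thresholds are starting points to tune against your own chain data, not calibrated values.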
In the Bybit attack, the hackers ran an elaborate phishing operation against the exchange, tricking its signers into authorizing the transfer of 401,000 Ether (ETH) ($1.4 billion) to wallets under attacker control. By disguising the operation behind a dummy version of Bybit’s wallet management system, the attackers gained direct access to the exchange’s assets, according to blockchain forensics firm Chainalysis.
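The attack as described above, signers approving a transaction presented through a tampered wallet interface, points at one plain control: decode the raw bytes being signed independently of the interface and compare them with what the screen claims. The following is an added example, not Bybit’s tooling or code from the article. It assumes a Safe-style multisig whose transactions are ABI-encoded execTransaction calls (the article does not name the wallet software), and the selector constant should be verified against the contract ABI actually in use. A delegatecall is refused outright because it runs the target’s code inside the wallet contract itself.

```python
# 4-byte selector of Safe's execTransaction(address,uint256,bytes,uint8,uint256,
# uint256,uint256,address,address,bytes). Assumed here; check it against your ABI.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1


def _pad32(b: bytes) -> bytes:
    return b + bytes(-len(b) % 32)


def _addr(word: bytes) -> str:
    return "0x" + word[12:].hex()


def encode_exec_transaction(to, value, data, operation, signatures=b""):
    """ABI-encode an execTransaction call; used here only to build sample calldata.
    Gas and refund fields are left at zero for brevity."""
    head = [bytes.fromhex(to[2:]).rjust(32, b"\0"), value.to_bytes(32, "big"), None,
            operation.to_bytes(32, "big"), bytes(32), bytes(32), bytes(32),
            bytes(32), bytes(32), None]
    data_tail = len(data).to_bytes(32, "big") + _pad32(data)
    sig_tail = len(signatures).to_bytes(32, "big") + _pad32(signatures)
    head[2] = (32 * len(head)).to_bytes(32, "big")                    # offset of `data`
    head[9] = (32 * len(head) + len(data_tail)).to_bytes(32, "big")   # offset of `signatures`
    return EXEC_TRANSACTION_SELECTOR + b"".join(head) + data_tail + sig_tail


def decode_exec_transaction(calldata: bytes) -> dict:
    """Pull the fields a signer must verify out of raw calldata."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: body[32 * i:32 * (i + 1)]
    data_off = int.from_bytes(word(2), "big")
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return {
        "to": _addr(word(0)),
        "value": int.from_bytes(word(1), "big"),
        "operation": int.from_bytes(word(3), "big"),
        "data": body[data_off + 32:data_off + 32 + data_len],
    }


def review_before_signing(calldata, ui_to, ui_value, allowlist):
    """Compare decoded calldata with what the signing UI displayed. Returns the list
    of reasons to refuse; an empty list means the bytes match the displayed intent."""
    tx = decode_exec_transaction(calldata)
    reasons = []
    if tx["operation"] == DELEGATECALL:
        reasons.append("operation is DELEGATECALL: target code would run inside the wallet")
    if tx["to"].lower() != ui_to.lower():
        reasons.append(f"target {tx['to']} differs from displayed {ui_to}")
    if tx["value"] != ui_value:
        reasons.append(f"value {tx['value']} wei differs from displayed {ui_value} wei")
    if tx["to"].lower() not in {a.lower() for a in allowlist}:
        reasons.append("target is not on the approved destination list")
    return reasons


if __name__ == "__main__":
    # Constructed addresses: a known warm wallet and an attacker contract.
    WARM, EVIL = "0x" + "22" * 20, "0x" + "ee" * 20
    shown = encode_exec_transaction(WARM, 10**18, b"", CALL)
    actual = encode_exec_transaction(EVIL, 0, b"\xde\xad\xbe\xef", DELEGATECALL)
    print("displayed tx:", review_before_signing(shown, WARM, 10**18, [WARM]))
    print("tampered tx :", review_before_signing(actual, WARM, 10**18, [WARM]))
```

The check has to run on a machine and a code path the wallet front end cannot influence, typically the hardware signer’s own display or an offline script fed the raw hash and calldata; a verifier that trusts the same web page it is verifying adds nothing.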
Once the funds were stolen, the laundering machine kicked in as the hackers scattered the assets across intermediary wallets. Investigators at Chainalysis report that portions of the stolen funds were converted into Bitcoin (BTC) and Dai (DAI) using decentralized exchanges, crosschain bridges and no-KYC (Know Your Customer) swap services such as eXch, a platform that has refused to freeze illicit funds linked to the Bybit exploit despite industry-wide intervention. eXch has denied laundering funds for North Korea.
eXch had a reputation for serving hackers and drainers even before the Bybit theft. Source: Fantasy
A sizable chunk of the stolen assets remains parked across multiple addresses, a deliberate strategy often used by North Korea-affiliated hackers to outlast heightened scrutiny.
Additionally, North Korean hackers often swap their stolen funds for Bitcoin, according to TRM Labs. Bitcoin’s unspent transaction output (UTXO) model further complicates tracking: a single transaction can consume many inputs and create many outputs, so deciding which stolen coins went to which output relies on attribution heuristics, whereas on Ethereum’s account-based system each transfer debits one address balance and credits another. The Bitcoin network is also home to mixing services frequented by Lazarus.
Lazarus Group’s social engineering side project
North Korean hackers have escalated their assault on the crypto industry, looting $1.34 billion across 47 attacks in 2024 — more than double the $660.5 million stolen in 2023, according to Chainalysis.
The recent Bybit hack alone surpasses North Korea’s entire 2024 crypto theft tally. Source: Chainalysis
The New York-based security firm adds that theft through private key compromises remains one of the biggest threats to the crypto ecosystem, accounting for 43.8% of all crypto hacks in 2024. This is the method employed in some of the largest breaches tied to North Korea’s Lazarus Group, such as the $305-million DMM Bitcoin attack and the $600-million Ronin hack.
While these high-profile loots grab headlines, North Korean hackers have also mastered the long con — a strategy that provides a steady cash flow instead of relying on one-time windfalls.
“They target everyone, anything, for any amount of money. Lazarus, specifically, is focused on these large, complicated hacks like Bybit, Phemex and Alphapo, but they have smaller teams that do the low-value and more manually intensive work such as malicious [or] fake job interviews,” Fantasy said.
Microsoft Threat Intelligence has identified a North Korean threat group it calls “Sapphire Sleet” as a key player in cryptocurrency theft and corporate infiltration. The name “Sapphire Sleet” follows the tech company’s weather-themed taxonomy, with “sleet” marking ties to North Korea. Outside of Microsoft, the group is better known as Bluenoroff, a subgroup of Lazarus.
Masquerading as venture capitalists and recruiters, they lure victims into fake job interviews and investment scams, deploying malware to steal crypto wallets and financial data, netting over $10 million in six months.
North Korea has also deployed thousands of IT workers across Russia, China and beyond, using AI-generated profiles and stolen identities to land high-paying tech jobs. Once inside, they steal intellectual property, extort employers, and funnel earnings to the regime. A leaked North Korean database uncovered by Microsoft exposed fake resumes, fraudulent accounts and payment records, revealing a sophisticated operation using AI-enhanced images, voice-changing software and identity theft to infiltrate global businesses.
In August 2024, ZachXBT exposed a network of 21 North Korean developers raking in $500,000 a month by embedding themselves in crypto startups.
In December 2024, a federal court in St. Louis unsealed indictments against 14 North Korean nationals, charging them with sanctions violations, wire fraud, money laundering and identity theft.
The US State Department has placed a $5-million bounty for information on the companies and named individuals. Source: US Department of State
These individuals worked for Yanbian Silverstar and Volasys Silverstar, North Korean-controlled companies operating in China and Russia, to dupe companies into hiring them for remote work.
Over six years, these operatives earned at least $88 million, with some required to generate $10,000 per month for the regime.
To date, North Korea’s cyberwarfare strategy remains one of the most sophisticated and lucrative operations in the world, allegedly funneling billions into the regime’s weapons program. Despite increasing scrutiny from law enforcement, intelligence agencies and blockchain investigators, Lazarus Group and its subunits continue to adapt, refining their tactics to evade detection and sustain their illicit revenue streams.
With record-breaking crypto thefts, deep infiltration of global tech firms and a growing network of IT operatives, North Korea’s cyber operations have become a perennial national security threat. The US government’s multi-agency crackdown, including federal indictments and millions in bounties, signals escalating efforts to disrupt Pyongyang’s financial pipeline.
But as history has shown, Lazarus is relentless; the threats from North Korea’s cyber army are far from over.
This article first appeared at Cointelegraph.com News