active threat profile
type: Nation-State
threat_level: Critical
status: Active
origin: North Korea (RGB)
last_updated: 2026-03-13

Lazarus Group

also known as: Hidden Cobra, ZINC, Diamond Sleet, Guardians of Peace, TraderTraitor, APT38, Labyrinth Chollima, NICKEL ACADEMY

North Korea's premier cyber warfare unit, operating under the Reconnaissance General Bureau (RGB) of the Korean People's Army. Lazarus Group has been active since at least 2009 and has evolved from conducting politically motivated destructive attacks into the world's most prolific state-sponsored financial cybercrime operation. The group has stolen an estimated $6 billion+ in cryptocurrency since 2017, culminating in the $1.5 billion Bybit heist in February 2025 — the largest single cryptocurrency theft in history. The stolen funds directly finance North Korea's nuclear weapons and ballistic missile programs, making Lazarus Group a unique hybrid of state intelligence apparatus and organized financial crime syndicate.

attributed origin: North Korea (DPRK)
sponsor: Reconnaissance General Bureau (RGB)
first observed: ~2009
primary motivation: Financial (state-directed) + Espionage + Disruption
primary targets: Cryptocurrency, Finance, Defense, Critical Infrastructure
estimated theft: $6B+ in crypto since 2017
mitre att&ck group: G0032
target regions: Global (USA, South Korea, Japan, Europe, worldwide)
threat level: CRITICAL

Overview

Lazarus Group is not a single threat actor but an umbrella term for multiple operational clusters operating under North Korea's Reconnaissance General Bureau. Mandiant's 2024 assessment of the DPRK cyber apparatus mapped at least six distinct sub-groups under the RGB, each with its own specialization. In Palo Alto Unit 42's naming, for example, Alluring Pisces (APT38/BlueNoroff) targets financial institutions and Gleaming Pisces (Citrine Sleet) focuses on cryptocurrency platforms, while other clusters conduct espionage, destructive operations, and the increasingly significant IT worker infiltration scheme. These groups share infrastructure, tools, and intelligence, but operate with distinct tradecraft and targeting profiles.

What makes Lazarus fundamentally different from other state-sponsored threat actors is its financial mission. While Russian, Chinese, and Iranian APTs primarily conduct espionage, Lazarus Group's core function is generating revenue for the North Korean regime. A 2024 United Nations report documented 58 suspected cyberattacks on cryptocurrency-related companies between 2017 and 2023 valued at approximately $3 billion. The regime has effectively industrialized cryptocurrency theft as a primary revenue stream, circumventing international sanctions that have crippled its traditional economy. As TRM Labs has stated: "Lazarus Group is not state-sponsored in the traditional way. Lazarus Group is North Korea and North Korea is Lazarus Group."

The February 2025 Bybit heist demonstrated the current peak of this capability. In approximately 30 minutes, the group drained $1.5 billion in Ethereum from Bybit's cold storage through a supply chain attack on Safe{Wallet}'s development environment. Within 48 hours, over $160 million had been laundered through thousands of blockchain addresses. By March 2025, 86% of the stolen ETH had been converted to Bitcoin and dispersed. The FBI confirmed attribution and released 51 Ethereum addresses used in laundering, but recovery of the funds remains unlikely. The Bybit heist alone represented roughly one-third of all cryptocurrency stolen globally in 2025.

Beyond financial crime, Lazarus maintains capabilities for espionage, sabotage, and destructive attacks. The group was responsible for the 2014 Sony Pictures breach (destruction of 70% of corporate laptops), the 2016 Bangladesh Bank SWIFT heist ($81 million stolen), and the 2017 WannaCry ransomware outbreak that infected over 200,000 systems across 150 countries. In 2025, researchers reported evidence of possible infrastructure sharing between Lazarus and Russia's Gamaredon group; if confirmed, it would be the first known case of Russian-North Korean operational cyber collaboration, consistent with the deepening geopolitical alliance between Moscow and Pyongyang.

critical

North Korean operatives are now being hired as remote IT workers inside real companies using stolen identities, gaining trusted network access, steady income, and the option to pivot into espionage, data theft, or follow-on attacks. This shift from "breaking in" to "being hired in" represents a fundamental evolution in DPRK cyber strategy that requires identity verification controls beyond traditional perimeter defenses.

Target Profile

Lazarus Group's targeting reflects its dual mission: revenue generation and strategic intelligence collection for the North Korean regime.

  • Cryptocurrency exchanges and DeFi platforms: The primary revenue-generating target. Confirmed thefts include Bybit ($1.5B, 2025), Ronin/Axie Infinity ($625M, 2022), WazirX ($235M, 2024), Atomic Wallet ($100M, 2023), Stake.com ($41M, 2023), and dozens of other platforms. The group targets both centralized exchanges and decentralized finance protocols, adapting its techniques to each architecture.
  • Financial institutions and SWIFT networks: The Bangladesh Bank heist ($81M, 2016) exploited the SWIFT interbank messaging system. The group has targeted banks across Southeast Asia, Africa, and Latin America.
  • Defense contractors and government agencies: Operation Dream Job and Operation North Star targeted defense and aerospace companies through fake job recruitment campaigns. South Korean government agencies and military organizations are persistent targets.
  • Technology and software supply chains: The 3CX supply chain compromise (2023) and the Bybit heist (via Safe{Wallet} developer compromise) demonstrate the group's capability to infiltrate software vendors and poison trusted update mechanisms.
  • Healthcare: HHS warned in 2023 that Lazarus was actively targeting the U.S. healthcare sector. Healthcare data and ransomware payments provide additional revenue streams.
  • IT worker infiltration: North Korean operatives use stolen identities to secure remote IT positions at Western companies, gaining both income and insider access. This has expanded from a handful of cases to a systematic program affecting companies across technology, finance, and other sectors.

Tactics, Techniques & Procedures

  • T1195.002 (Compromise Software Supply Chain): Core capability. Compromised the 3CX software supply chain (2023) and the Safe{Wallet} development environment (2025 Bybit heist). Injects malicious code into trusted software updates and development pipelines.
  • T1566.003 (Spearphishing via Service): Operation Dream Job and DEV#POPPER campaigns use fake job offers on LinkedIn and other professional networks, luring targets into downloading malicious files disguised as job descriptions, coding tests, or interview materials.
  • T1059 (Command and Scripting Interpreter): Custom malware across Windows, macOS, and Linux (MagicRAT, QuiteRAT, LPEClient, InvisibleFerret, OdicLoader, Comebacker, and dozens of others) is staged and operated through scripting interpreters such as Python, JavaScript/Node.js, PowerShell, and shell. The modular architecture allows rapid capability scaling.
  • T1071 (Application Layer Protocol): Uses legitimate services for C2, including social media platforms, cloud storage, and messaging apps. Telegram channels and the Telegraph publishing platform have also been used for coordination and misdirection.
  • T1657 (Financial Theft): Primary operational objective. Cryptocurrency theft via smart contract manipulation, SWIFT system exploitation, and exchange compromise. Stolen funds are laundered through mixers, DEXs, cross-chain bridges, and thousands of intermediary wallets.
  • T1561 (Disk Wipe): Maintains destructive capability. Malware families KILLMBR, QDDOS, and DESTOVER are designed to render systems inoperable after data theft. Used in the Sony Pictures attack (2014) and South Korean campaigns.
  • T1189 (Drive-by Compromise): The SyncHole campaign (2024-2025) against South Korea combined watering hole attacks with exploitation of vulnerabilities, including a reported zero-day, in security and financial software that South Korean users are required to install for online banking and government services. Targeting is specific to the South Korean technology ecosystem.
  • T1078 (Valid Accounts): The IT worker infiltration scheme uses stolen identities to obtain legitimate employment credentials at Western companies, providing authorized access to internal networks and systems without any exploitation required.

Known Campaigns

Bybit Cryptocurrency Heist (February 2025)

The largest cryptocurrency theft in history. Supply chain attack on the Safe{Wallet} multi-signature front end used by Bybit. Compromised a Safe{Wallet} developer machine through social engineering, injected malicious JavaScript served from the official domain app.safe.global, and manipulated a routine cold-to-hot wallet transfer so that the signers approved a different payload than the one displayed. Approximately 401,000 ETH plus roughly 113,000 in liquid-staked ETH tokens (stETH, cmETH, mETH), about $1.5B in total, were drained in approximately 30 minutes. FBI confirmed attribution and released 51 Ethereum addresses. Over 86% of the stolen ETH was converted to Bitcoin within one month.

WannaCry Ransomware (May 2017)

Global ransomware outbreak leveraging the EternalBlue exploit (stolen from NSA) that infected over 200,000 systems across 150 countries. Hit the UK's National Health Service, shutting down hospitals and diverting ambulances. Caused an estimated $4-8 billion in global damages. Led to DOJ indictments and formal attribution to North Korea by the US, UK, Australia, Canada, New Zealand, and Japan.

Sony Pictures Entertainment Attack (November 2014)

Destructive attack motivated by the film "The Interview." Destroyed 70% of Sony's corporate laptops, leaked unreleased films, executive emails, and employee personal data. Resulted in US sanctions against North Korea and the first formal cyber attribution by the Obama administration to a nation-state.

Bangladesh Bank SWIFT Heist (February 2016)

Compromised Bangladesh Bank's local SWIFT environment to submit 35 fraudulent transfer requests totaling $951 million against the bank's account at the Federal Reserve Bank of New York. $81 million reached accounts in the Philippines before a misspelling in one request ("fandation" for "foundation") prompted a correspondent bank to query the remaining transfers, most of which were then blocked. Demonstrated that a nation-state actor could subvert a member bank's connection to the global financial messaging infrastructure without breaking the SWIFT network itself.

3CX Supply Chain Compromise (March 2023)

Compromised the 3CX business communications software, which the vendor reports is used by over 600,000 organizations. Trojanized Windows and macOS installers were signed with 3CX's own legitimate certificate and distributed through the official update mechanism. Represented a supply-chain-within-a-supply-chain attack: the intrusion began when a 3CX employee installed a trojanized X_TRADER package from the compromised website of financial software provider Trading Technologies, and Lazarus pivoted from that workstation into 3CX's build environment.

SyncHole Campaign (2024–2025)

Targeted campaign against South Korea combining watering hole attacks with zero-day exploitation of mandatory financial software used in the country. Demonstrated modularity, stealth, and speed in an operation specifically tailored to the South Korean technology environment.

Tools & Malware

Lazarus Group maintains one of the largest custom malware arsenals of any threat actor, spanning Windows, macOS, and Linux.

  • MagicRAT / QuiteRAT: Remote access trojans providing persistent backdoor access. QuiteRAT is a newer, lighter variant designed to evade detection that emerged in 2023 campaigns.
  • InvisibleFerret: Python-based cross-platform backdoor used in the Contagious Interview campaign targeting job seekers, distributed through fake recruitment processes. Linked to the possible Gamaredon-Lazarus infrastructure overlap reported in July 2025.
  • OdicLoader: Linux downloader that masquerades as a PDF file using Unicode character substitution, causing graphical file managers to execute the ELF binary when double-clicked instead of opening a PDF viewer.
  • AppleJeus: macOS and Windows malware distributed through fake cryptocurrency trading applications. Multiple variants targeting the cryptocurrency industry since 2018.
  • DESTOVER / KILLMBR / QDDOS: Destructive malware designed to wipe disk data and render systems inoperable. Used in the Sony Pictures attack and South Korean infrastructure campaigns.
  • LPEClient: Despite its name, not a privilege escalation tool but an infostealer and loader used across multiple campaigns to profile victims and stage follow-on payloads.
  • Comebacker: Malware originally used to target security researchers in 2020, later distributed as malicious packages on PyPI, demonstrating the group's willingness to target the security research community itself.
  • Custom SWIFT manipulation tools: Specialized tools for interacting with the SWIFT interbank messaging system, used in the Bangladesh Bank heist and related financial institution targeting.
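The OdicLoader entry above describes an extension-spoofing trick that is easy to hunt for at the mail gateway or on a file share. The following Python check is an added example (not from the page or any vendor's tooling): it rebuilds what a GUI file manager would display and compares that to the extension the operating system actually sees. The U+2024 ONE DOT LEADER case is the substitution that was reported in the OdicLoader sample; the other look-alike characters, the right-to-left override handling, the document extension list, and the sample filenames are constructed for illustration.

```python
"""Flag filenames whose visible extension is spoofed with Unicode look-alike characters.
Added example; the detection logic is mine, not the page's or any vendor's."""
import unicodedata

# Characters that render like an ASCII full stop but are not U+002E. U+2024 is the
# substitution reported in the OdicLoader sample; the rest are added as assumptions.
DOT_LOOKALIKES = {"\u2024", "\uff0e", "\u3002", "\u0701", "\u02d9", "\u00b7"}
# Unicode bidi controls; U+202E (RIGHT-TO-LEFT OVERRIDE) reverses how the rest displays.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Extensions a user treats as "just a document" (assumed list).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def real_extension(name: str) -> str:
    """Extension as the OS sees it: only an ASCII '.' separates one."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def displayed_name(name: str) -> str:
    """Approximate what a GUI file manager shows: look-alike dots render as '.',
    and text after an RTLO is drawn reversed. Other bidi controls are invisible."""
    if "\u202e" in name:
        prefix, suffix = name.split("\u202e", 1)
        name = prefix + suffix[::-1]
    name = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return "".join("." if ch in DOT_LOOKALIKES else ch for ch in name)


def analyze_filename(name: str) -> list:
    """Return findings; an empty list means the visible extension is honest."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi control character in filename")
    lookalikes = [ch for ch in name if ch in DOT_LOOKALIKES]
    if lookalikes:
        findings.append("dot look-alike: " + ", ".join(
            f"U+{ord(ch):04X} {unicodedata.name(ch)}" for ch in lookalikes))
    shown, real = real_extension(displayed_name(name)), real_extension(name)
    if shown in DOCUMENT_EXTENSIONS and shown != real:
        findings.append(f"displays as .{shown} but the real extension is "
                        f"{'.' + real if real else 'none (likely an executable)'}")
    return findings


# Constructed sample names, modelled on the reported pattern, not real artifacts.
SAMPLES = [
    "HSBC job offer\u2024pdf",      # ONE DOT LEADER: an ELF that looks like a PDF
    "report\u202efdp.exe",          # RTLO: renders as "reportexe.pdf"
    "quarterly_report.pdf",         # honest
    "archive.tar.gz",               # honest, multiple dots
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", analyze_filename(sample) or ["clean"])
```

On Linux the spoof works because the desktop launches an executable-bit ELF regardless of what the name looks like, so the check belongs wherever archives from recruiters are unpacked, not only on Windows endpoints.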

Mitigation & Defense

Defending against Lazarus Group requires a layered approach addressing social engineering, supply chain integrity, and cryptocurrency-specific controls.

  • Verify remote employee identities: The IT worker infiltration scheme means traditional perimeter defenses are insufficient. Implement rigorous identity verification for remote hires including video-verified interviews, background checks that go beyond document verification, and ongoing access monitoring for remote workers.
  • Software supply chain integrity: Verify code signing certificates and validate software updates through independent hash verification, but treat a valid signature as necessary rather than sufficient: the trojanized 3CX installers carried 3CX's own legitimate signature because the build pipeline itself was compromised. Isolate build environments, implement reproducible builds where possible, and monitor developer and build-adjacent workstations as high-value assets, since both the 3CX and Bybit intrusions began on a single employee machine.
  • Cryptocurrency security: For organizations handling digital assets: use hardware security modules or hardware signers for key management, implement time-delayed withdrawals for large transfers, verify transaction details independently of the signing interface, and maintain cold storage that is genuinely air-gapped. The Bybit attack succeeded because the compromised Safe{Wallet} front end showed signers a routine transfer while the payload they approved was a delegatecall that replaced the Safe's implementation contract; any approval flow that relies on the web UI to describe what is being signed inherits that UI's trust boundary.
  • Social engineering resilience: Train staff to recognize fake job offers, particularly on LinkedIn and professional networks. Lazarus invests significant effort in making recruitment lures appear legitimate. Verify recruiter identities through company directories before downloading any materials.
  • SWIFT and financial messaging security: Financial institutions should implement the SWIFT Customer Security Programme controls, restrict SWIFT operator access, and monitor for anomalous transaction patterns outside business hours.
  • Cross-platform endpoint protection: Lazarus targets Windows, macOS, and Linux. Ensure security monitoring and EDR coverage spans all three operating systems, including development workstations that may be running macOS or Linux.
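The independent-verification control in the cryptocurrency item is the one that would have caught the Bybit payload: the Safe UI rendered a routine ETH transfer while the hardware wallets signed an execTransaction whose operation field was DELEGATECALL into an attacker contract. The following Python is added here as an example and is not Safe's, Bybit's, or any vendor's code. It decodes the first four parameters of a raw execTransaction calldata blob without trusting the front end and refuses anything that is not a plain value transfer to an allow-listed address. The selector 0x6a761202 is Safe's real execTransaction selector; the wallet addresses, the encoder used to build the samples, and the two calldata samples are constructed for illustration.

```python
"""Pre-signing review of a Safe execTransaction payload, decoded independently of the
signing UI. Added example; not Safe's, Bybit's, or any vendor's code."""
from dataclasses import dataclass

WORD = 32
# keccak256("execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,
#            address,address,bytes)")[:4] -- Safe's real function selector.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1

# Constructed addresses for the samples, not real wallets.
HOT_WALLET = "0x" + "11" * 20
ATTACKER_CONTRACT = "0x" + "ee" * 20


def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % WORD)


def _uint(n: int) -> bytes:
    return n.to_bytes(WORD, "big")


def _addr(hex_addr: str) -> bytes:
    return bytes.fromhex(hex_addr[2:]).rjust(WORD, b"\x00")


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """Minimal ABI encoder, used only to build the constructed samples below.
    Gas and refund parameters are zero, as in a typical Safe transfer."""
    data_offset = 10 * WORD                      # 10 static head words
    sig_offset = data_offset + WORD + len(_pad32(data))
    head = (_addr(to) + _uint(value) + _uint(data_offset) + _uint(operation)
            + _uint(0) * 3                       # safeTxGas, baseGas, gasPrice
            + _addr("0x" + "00" * 20) * 2        # gasToken, refundReceiver
            + _uint(sig_offset))
    tail = _uint(len(data)) + _pad32(data) + _uint(len(signatures)) + _pad32(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode to, value, data and operation from raw calldata; no RPC, no front end."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError(f"not execTransaction: selector 0x{calldata[:4].hex()}")
    args = calldata[4:]

    def word(i: int) -> bytes:
        return args[i * WORD:(i + 1) * WORD]

    to = "0x" + word(0)[12:].hex()                # address is right-aligned in its word
    value = int.from_bytes(word(1), "big")
    data_offset = int.from_bytes(word(2), "big")  # dynamic type: word holds an offset
    operation = int.from_bytes(word(3), "big")
    data_len = int.from_bytes(args[data_offset:data_offset + WORD], "big")
    data = args[data_offset + WORD:data_offset + WORD + data_len]
    return SafeTx(to, value, data, operation)


def review(tx: SafeTx, allowed_destinations: set) -> list:
    """Reasons to refuse the signature; an empty list means a plain ETH transfer
    to an allow-listed wallet, which is all a cold-to-hot sweep should ever be."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): target code runs with the Safe's own "
                        "storage, the pattern used to swap the proxy implementation")
    if tx.to.lower() not in {a.lower() for a in allowed_destinations}:
        findings.append(f"destination {tx.to} is not an allow-listed wallet")
    if tx.data:
        findings.append(f"non-empty calldata ({len(tx.data)} bytes): a native ETH "
                        "transfer carries none")
    return findings


# Constructed samples: a routine 1 ETH sweep, and a payload shaped like the Bybit one
# (the calldata bytes are placeholders, not the real attacker payload).
BENIGN_CALLDATA = encode_exec_transaction(HOT_WALLET, 10**18, b"", CALL)
MALICIOUS_CALLDATA = encode_exec_transaction(ATTACKER_CONTRACT, 0, bytes.fromhex("deadbeef"), DELEGATECALL)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_CALLDATA), ("malicious", MALICIOUS_CALLDATA)):
        tx = decode_exec_transaction(blob)
        print(label, tx, review(tx, {HOT_WALLET}) or ["OK to sign"])
```

Feed this the calldata shown on the hardware device or captured from the wallet bridge on the signing host, never the summary the web page displays, since the web page is exactly the component the Bybit attackers controlled. A second, independent signer running the same decode on separate hardware turns the multisig threshold back into a real control rather than three approvals of one lie.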
analyst note

Lazarus Group will continue these cyberattacks as long as they remain profitable and international sanctions remain in place. The regime has no economic incentive to stop. The $1.5 billion Bybit heist demonstrated that even multi-signature cold wallet architectures with institutional-grade security can be defeated through patient supply chain attacks targeting the human and software layers. The July 2025 discovery of possible infrastructure sharing between Lazarus and Russia's Gamaredon group — if confirmed — would represent the first known case of Russian-North Korean operational cyber collaboration, potentially combining Lazarus's financial expertise with Gamaredon's espionage capabilities. This reflects the broader Moscow-Pyongyang alliance that has already extended to conventional military cooperation in Ukraine.
