The North Korean Lazarus Group: The Biggest Crypto Hacks and Their Impact
The Lazarus Group, a North Korean state-backed cybercriminal organization, has become one of the most notorious hacking groups in history. Originally known for espionage and cyber sabotage, they have shifted focus to cryptocurrency theft since 2017, stealing over $3 billion from exchanges, decentralized finance (DeFi) platforms, and blockchain-based applications.
Their most infamous attacks include the $625 million Axie Infinity hack in 2022, the $235 million WazirX breach in 2024, and the record-breaking $1.4 billion Bybit hack in 2025.
Despite U.S. sanctions and global crackdowns, the Lazarus Group remains one step ahead, constantly evolving their tactics to exploit security loopholes. This article explores their history, hacking methods, and the impact of their ongoing cyber attacks on the cryptocurrency industry.
Who is the Lazarus Group?
North Korea’s Elite Cybercriminal Unit
The Lazarus Group is a state-sponsored hacking collective controlled by North Korea’s Reconnaissance General Bureau (RGB). Also known as APT38 and Hidden Cobra, the group has been active since at least 2007, initially focusing on government espionage and cyber warfare.
They gained global attention after major cyberattacks, including:
- The 2014 Sony Pictures hack, where they leaked confidential data and destroyed company servers.
- The 2017 WannaCry ransomware attack, which infected over 230,000 computers across 150 countries.
By 2017, Lazarus shifted to cryptocurrency hacking, recognizing the potential to evade sanctions and finance North Korea’s weapons programs.
Lazarus Group’s Biggest Crypto Hacks
How Much Have They Stolen?
Lazarus has targeted both centralized exchanges (CeFi) and decentralized finance (DeFi) platforms, stealing funds through social engineering, smart contract exploits, and private key theft.
Notable Hacks by the Lazarus Group
- 2016 Bangladesh Bank Heist – Stole $101 million using fraudulent SWIFT transactions.
- 2017 Bithumb Hack – Targeted a South Korean exchange for $7 million.
- 2018 Coincheck Hack – Stole $530 million from a Japanese exchange.
- 2022 Axie Infinity Hack – Drained $625 million from the Ronin Network using a fake job phishing scam.
- 2022 Harmony’s Horizon Bridge Hack – Exploited a cross-chain protocol to steal $100 million.
- 2023 Stake.com Hack – Targeted a crypto casino, stealing $41 million.
- 2024 WazirX Hack – Drained $235 million from the Indian crypto exchange.
- 2025 Bybit Hack – Marked the largest crypto heist ever, with $1.4 billion stolen through a multisignature exploit.
These attacks have shaken the cryptocurrency industry, forcing exchanges and regulators to strengthen security measures.
How Does the Lazarus Group Hack Crypto Platforms?
Social Engineering & Phishing Attacks
The Lazarus Group relies heavily on human error. Some of their most successful attacks start with spear-phishing emails or fake job offers.
- In the 2022 Axie Infinity hack, Lazarus operatives posed as recruiters on LinkedIn, tricking an employee into downloading malware.
- In the 2023 CoinsPaid hack, hackers spent six months pretending to be job interviewers before infiltrating the company’s internal systems.
Once they gain access, they steal private keys and compromise transaction approvals.
Smart Contract Exploits & Blockchain Vulnerabilities
Lazarus also targets weaknesses in smart contracts, especially in DeFi protocols and cross-chain bridges.
- The Harmony Horizon hack (2022) and Poly Network hack (2021) were both cross-chain bridge attacks, allowing them to move funds between blockchains without detection.
- Many of their 2023–2024 attacks targeted DeFi wallets and infrastructure, showing a shift from centralized exchange hacks to DeFi vulnerabilities.
Money Laundering Techniques
After stealing funds, Lazarus launders them through crypto mixers such as Tornado Cash and Sinbad, and uses cross-chain transfers to obscure the money trail.
- In 2023, they used Sinbad.io to launder funds from the Atomic Wallet hack ($100 million).
- The Bybit hack (2025) involved complex bridge transfers, making it difficult for authorities to track the stolen assets.
Despite sanctions and increased scrutiny, the group continues to evolve its laundering methods, using decentralized finance and illicit OTC trading networks.
The Bybit Hack (2025): Lazarus Group’s Biggest Heist Yet
On February 21, 2025, Lazarus hacked Bybit’s Ethereum cold wallet, stealing $1.4 billion in crypto.
How Did They Do It?
- Used a “masked transaction exploit” to trick Bybit’s security system.
- Manipulated multisignature approvals, allowing them to authorize fraudulent transfers.
- Quickly laundered the funds through DEXs, converting them into other assets to avoid detection.
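The common thread in the two approval bullets above is that signers approved a transaction whose real fields differed from what they believed they were approving. One defensive control is for every signer to validate the raw transaction fields locally against a written policy before signing. The check below is an added example, not code from the article or from Bybit; the field layout (to, value, data, operation) follows the usual multisig wallet transaction format, and the allowlist, value limit and selector table are constructed for illustration.

```python
# Added example: signer-side policy check for a multisig transaction proposal.
# Each signer runs this against the raw fields, never against what a web UI renders.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # operation codes used by Safe-style multisig wallets

# Constructed policy for a hypothetical treasury wallet.
ALLOWED_RECIPIENTS = {"0x1111111111111111111111111111111111111111"}  # hot wallet (constructed)
MAX_VALUE_WEI = 500 * 10**18                                          # 500 ETH per tx (constructed)
KNOWN_SELECTORS = {"a9059cbb": "transfer(address,uint256)"}           # ERC-20 transfer

@dataclass
class Proposal:
    to: str          # destination contract or account
    value: int       # native value in wei
    data: str        # hex calldata, "0x" prefixed
    operation: int   # CALL or DELEGATECALL

def check_proposal(p: Proposal) -> list:
    """Return policy violations; an empty list means the proposal may be signed."""
    findings = []
    if p.operation == DELEGATECALL:
        # A delegatecall executes foreign code with the wallet's own storage and balance,
        # so it can rewrite the wallet itself; a routine transfer never needs it.
        findings.append("operation is DELEGATECALL: callee code runs as the wallet")
    elif p.operation != CALL:
        findings.append(f"unknown operation code {p.operation}")
    if p.to.lower() not in {a.lower() for a in ALLOWED_RECIPIENTS}:
        findings.append(f"recipient {p.to} is not on the allowlist")
    if p.value > MAX_VALUE_WEI:
        findings.append(f"value {p.value} wei exceeds limit {MAX_VALUE_WEI}")
    calldata = p.data[2:] if p.data.startswith("0x") else p.data
    if calldata:
        selector = calldata[:8].lower()
        if selector not in KNOWN_SELECTORS:
            findings.append(f"unrecognised function selector 0x{selector}")
    return findings

# Constructed samples: a routine ERC-20 transfer to the hot wallet, and a proposal that a
# compromised front end could render as that same transfer while actually requesting
# a delegatecall into an unknown contract.
ROUTINE = Proposal(to="0x1111111111111111111111111111111111111111", value=0,
                   data="0xa9059cbb" + "00" * 64, operation=CALL)
MASKED = Proposal(to="0x2222222222222222222222222222222222222222", value=0,
                  data="0xdeadbeef", operation=DELEGATECALL)

if __name__ == "__main__":
    for name, prop in (("routine", ROUTINE), ("masked", MASKED)):
        print(name, check_proposal(prop) or "OK")
```

The check only helps if it is run on a machine the signer controls, with the fields copied from the hardware wallet display rather than from the proposing web page.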
Industry Response
Bybit’s CEO, Ben Zhou, assured users that the exchange remains solvent, covering losses without affecting customer funds. However, trust in centralized exchanges has once again been shaken, with many traders moving assets to self-custody wallets.
Final Thoughts
The Lazarus Group remains the most dangerous cybercriminal organization in the crypto space, with billions stolen and no signs of slowing down.
Key Takeaways
- Crypto exchanges and DeFi projects remain high-risk targets.
- Lazarus constantly evolves its hacking techniques, making them difficult to stop.
- Stronger security measures, regulatory action, and improved user awareness are critical.
As the industry continues to grow, the battle between cybercriminals and security experts will only intensify. For now, traders and investors must stay vigilant and prioritize self-custody for their assets.