State-sponsored hackers from North Korea, operating under the name Lazarus Group, have pilfered billions in cryptocurrency over a span of less than ten years, making the nation the fifth-largest holder of Bitcoin worldwide. A UN report indicates that almost half of the financing for North Korea’s nuclear program comes from these stolen crypto assets.
Recently, the Lazarus Group has garnered increased media attention. According to Arkham Intelligence, as of March 17, 2025, the group controls approximately $1.14 billion in Bitcoin. They’ve also converted stolen Ethereum into Bitcoin, with estimates showing that following the Bybit hack and subsequent money laundering, North Korea now possesses 13,518 BTC, positioning it behind the U.S., China, the UK, and Ukraine, but ahead of Bhutan and El Salvador in Bitcoin holdings.
On the same day, it was announced that OKX had to halt its DEX aggregator operations after consulting with authorities. Employees identified a coordinated attempt by the Lazarus Group to infiltrate the aggregator. On March 11, it was reported that EU authorities are investigating OKX’s web3 services concerning the Bybit hack and a related money-laundering scheme.
On March 10, 2025, the Socket Research Team disclosed that the Lazarus Group had compromised the npm ecosystem by introducing six malicious packages incorporating BeaverTail malware to steal credentials, harvest cryptocurrency data, invade developer environments, and conduct other harmful activities. These packages were designed to imitate the names of widely trusted libraries, with five more being uploaded to GitHub.
Earlier, on February 21, the North Korean hackers executed what has been deemed the largest heist to date, stealing an astonishing $1.4 billion in cryptocurrency from the Bybit exchange.
### Lazarus Group’s Operations
While little is known about the Lazarus Group, their cybercriminal activities trace back to 2009. This entity is categorized as an advanced persistent threat (also referred to as APT38) and poses a significant challenge to global cybersecurity, utilizing stolen funds to alleviate the dire economic conditions in North Korea brought on by international sanctions.
Initially, their focus was on major banking institutions. In 2017, during the notorious WannaCry ransomware attack, they demanded a Bitcoin ransom. That same year marked the group’s pivot to targeting the cryptocurrency sector, with initial hits on exchanges in the U.S. and South Korea.
In a series of operations throughout 2017, Lazarus successfully siphoned funds from platforms like NiceHash, Bithumb, and Youbit. In 2022, they were responsible for stealing $615 million from the Ronin Network. Notably, over 17% of all cryptocurrency thefts in 2023 were attributed to Lazarus hacks, with WazirX and Bybit being recent targets of significant exchange breaches.
What distinguishes the Lazarus Group is its backing by the North Korean government, a rarity compared to hackers elsewhere. The group’s victims include entities from the U.S., China, Russia, South Korea, Vietnam, Kuwait, and many additional countries.
The illegal actions of this group typically go unpunished in North Korea, where there appears to be governmental support. Given that internet access in North Korea is heavily regulated, it’s improbable that the group operates without official endorsement. Unlike Moscow, Pyongyang is less concerned with its global image, granting its hackers more freedom to undertake reckless activities. Reports suggest that these hackers receive training in China and at various institutions within North Korea.
Some attacks, like the 2017 WannaCry incident, seem less motivated by financial gain and more focused on inciting panic and disruption abroad. However, subsequent assaults on crypto platforms have been closely linked to significant monetary thefts, likely intended to shore up North Korea’s budgetary deficits.
The group comprises various subunits with specialized skills. According to a report from the NCC Group, these hackers work methodically, employing a broad array of tools and prioritizing stealth to remain undetected for as long as possible. The Lazarus Group predominantly relies on social engineering strategies and extensive phishing campaigns.
### Cryptocurrency and North Korea’s Nuclear Agenda
The UN report reveals that approximately half of North Korea’s foreign currency earnings stem from activities conducted by state-backed hackers. Allegedly, these funds help finance the development of ballistic missiles, with one anonymous source in the report indicating that 40% of the country’s weapons of mass destruction program is funded through cybercriminal proceeds.
North Korea continues to conduct tests on its ballistic missiles. In 2023, it launched the Hwasong-18, a rocket engineered to carry multiple warheads over a distance exceeding 15,000 kilometers. The previous year witnessed a record number of around 90 rocket launches. The last test of a nuclear bomb occurred in 2017, and it’s estimated that the country possesses between 50 and 100 such weapons.
Last year, an American journalist published a book outlining the potential consequences if North Korea were to strike the U.S. with a nuclear weapon. Based on interviews with retired U.S. military officials familiar with nuclear protocols, the book discusses a scenario in which all nuclear-capable countries exchange strikes, leading humanity toward catastrophic consequences, including famine and nuclear winter.
Evidently, this catastrophic outcome was not the envisioned goal of Bitcoin’s creator. Unfortunately, holding the Lazarus Group members accountable has proven to be an incredibly difficult task, with only a handful of individuals facing charges over the years, while the total number of operatives may exceed a thousand, continually training new recruits.
Analysts note the cleverness with which North Korea conceals its operations and denies involvement in hacking. Advocates argue that while pursuing actual criminals is preferable, if that isn’t feasible, then prevention remains the best approach for combating these threats.
In practical terms, prevention might mean tightening the rules around privacy and anonymity in decentralized finance and web3 frameworks so that assets controlled by hackers can be tracked and frozen more effectively. Notably, an anonymous platform failed to act promptly on Bybit’s request to stop the hackers from cashing out, allowing them to funnel $90 million in cryptocurrency before it complied.
The ongoing focus on crypto indicates its utility for North Korea in generating funds. Their skilled hackers are adept at illegally securing vast sums through cryptocurrency theft. Experts overwhelmingly believe that the Lazarus Group will persist in their activities, presenting new challenges that necessitate advanced methods to strike a balance between maintaining privacy and preventing crime.