North Korean cyberattacks on the cryptocurrency sector are becoming more advanced, both in how they are executed and in the number of groups carrying them out, according to a recent report.
These North Korean cyber incursions encompass a variety of tactics—ranging from direct assaults on cryptocurrency exchanges and attempts at social engineering to phishing schemes and intricate supply chain infiltrations. In some instances, the planning and execution phase can extend over the course of a year, showcasing the operatives’ patience and strategic foresight.
The United Nations has estimated that North Korean hackers amassed around $3 billion from cyber activities between 2017 and 2023. This sum has surged in 2024 and into the current year, particularly following successful operations against cryptocurrency platforms WazirX and Bybit, which yielded the attackers approximately $1.7 billion.
The report notes that a minimum of five North Korean organizations are behind these cyber assaults: Lazarus Group, Spinout, AppleJeus, Dangerous Password, and TraitorTrader. Additionally, there exists a collective of North Korean agents masquerading as IT professionals, who manage to infiltrate technology companies globally.
Notorious attacks and systematic laundering strategies
Lazarus Group, recognized as the most prominent North Korean hacking entity, is credited with several high-profile cyber breaches since 2016. The report attributes attacks against Sony and the Bank of Bangladesh to them in 2016, along with their involvement in the WannaCry 2.0 ransomware incident in 2017.
The group has also targeted the cryptocurrency space with notable success. In 2017, they compromised two cryptocurrency exchanges, Youbit and Bithumb. In 2022, their exploitation of the Ronin Bridge led to the loss of hundreds of millions in assets. The group notoriously pilfered $1.5 billion from Bybit in 2025, creating a significant stir within the cryptosphere. They might also have ties to certain Solana memecoin scams.
As outlined by Chainalysis and other investigative bodies, Lazarus Group has established money laundering techniques following their heists. They fragment the total stolen amount into smaller components, distributing them across numerous wallets. They then convert lesser-known coins to more liquid ones and ultimately change a large portion of their loot into Bitcoin. Following this, the group may hold onto the illicit gains for an extended period, allowing law enforcement scrutiny to wane.
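For compliance and monitoring teams, the split-then-hold pattern described above can be expressed as a simple heuristic. The following is an added example, not code from the report or from Chainalysis: the transfer records, address labels and thresholds are all constructed assumptions, and amounts are in a single asset.

```python
from collections import defaultdict

# Constructed sample transfers (not real chain data): (hour, src, dst, amount)
TRANSFERS = [
    (0, "exchange_hot", "thief", 1000.0),
    (1, "thief", "w1", 250.0),
    (1, "thief", "w2", 250.0),
    (2, "thief", "w3", 250.0),
    (2, "thief", "w4", 250.0),
    (3, "alice", "bob", 5.0),
    (4, "alice", "carol", 2.0),
    (5, "w1", "swap", 250.0),
    (6, "w2", "swap", 250.0),
]

def fan_out_sources(transfers, min_dests=4, window_h=24, min_share=0.9):
    """Addresses that forward most of what they received to many distinct
    wallets shortly after their first inflow (the fragmentation step)."""
    received, first_in = defaultdict(float), {}
    for t, src, dst, amt in sorted(transfers):
        received[dst] += amt
        first_in.setdefault(dst, t)  # earliest inflow, since input is sorted
    dests, sent = defaultdict(set), defaultdict(float)
    for t, src, dst, amt in transfers:
        if src in first_in and 0 <= t - first_in[src] <= window_h:
            dests[src].add(dst)
            sent[src] += amt
    return sorted(a for a in dests
                  if len(dests[a]) >= min_dests
                  and sent[a] >= min_share * received[a])

def dormant_holders(transfers, sources, now_h, min_idle_h=72):
    """Wallets funded by a flagged source that have never spent and have
    been idle for at least min_idle_h hours (the holding step)."""
    last_in, spenders = {}, set()
    for t, src, dst, amt in transfers:
        spenders.add(src)
        if src in sources:
            last_in[dst] = max(t, last_in.get(dst, t))
    return sorted(a for a, t in last_in.items()
                  if a not in spenders and now_h - t >= min_idle_h)

if __name__ == "__main__":
    flagged = fan_out_sources(TRANSFERS)
    print("fan-out sources:", flagged)
    print("dormant holders:", dormant_holders(TRANSFERS, flagged, now_h=100))
```

Dormant wallets are the ones worth keeping on a watchlist, since the holding period is meant to outlast scrutiny.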
The FBI has identified three alleged members of the Lazarus Group, charging them with various cyber-related offenses. In February 2021, the U.S. Justice Department filed indictments against two of these individuals for their roles in international cybercrime operations.