
Lazarus Group

avoid.net/lazarus-group · 0/100 · 97% conf.
[AI-DRAFTED · AWAITING VERIFICATION][src:zachxbt]

Summary

Lazarus Group is a North Korean state-sponsored advanced persistent threat (APT) actor subordinate to the Reconnaissance General Bureau (RGB), the principal intelligence directorate of the Democratic People's Republic of Korea (DPRK). Active since at least 2007, the group has been responsible for some of the largest cryptocurrency thefts in history, with cumulative estimates of stolen digital assets ranging from $3.4 billion to over $6.75 billion across all-time operations. The group and two affiliated sub-clusters — Bluenoroff and Andariel — are designated on the U.S. Treasury OFAC Specially Designated Nationals (SDN) list, and multiple individual members have been federally indicted.


Identity and State Sponsorship

Lazarus Group was created by the North Korean government no later than 2007 and is subordinate to the 110th Research Center, 3rd Bureau of the Reconnaissance General Bureau (RGB), which oversees North Korea's offensive cyber operations. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) designated Lazarus Group, Bluenoroff, and Andariel on September 13, 2019, under Executive Order 13722, identifying them as agencies, instrumentalities, or controlled entities of the Government of North Korea. Bluenoroff was formed specifically to generate revenue illicitly in response to international sanctions, conducting cyber-enabled heists against foreign financial institutions on behalf of the North Korean regime to fund its nuclear weapons and ballistic missile programs. Andariel is a separate operational cluster focused on critical infrastructure attacks. The cybersecurity industry tracks the group under vendor aliases including Hidden Cobra (U.S. government reporting), ZINC (Microsoft's former name for the group) and APT38 (Mandiant's name for its financially motivated unit); the cryptocurrency-focused sub-cluster that the FBI and CISA call TraderTraitor is the same activity that Microsoft tracks as Jade Sleet, Palo Alto Networks Unit 42 as Slow Pisces, and Mandiant as UNC4899.

DOJ Indictments and Legal Actions

The U.S. Department of Justice has brought federal charges against multiple alleged members of Lazarus Group. In September 2018, the DOJ charged Park Jin Hyok, a North Korean national working for government front company Korea Expo Joint Venture (KEJV), with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud, in connection with the 2014 Sony Pictures Entertainment hack, the 2016 Bangladesh Bank SWIFT heist, and the 2017 WannaCry ransomware attack. In February 2021, the DOJ expanded the indictment to include two additional defendants, Jon Chang Hyok and Kim Il, broadening the scope of alleged crimes to include cryptocurrency exchange thefts and the creation of malicious cryptocurrency applications. The DOJ's Office of Public Affairs formally identified these individuals as members of the Reconnaissance General Bureau, the primary intelligence agency of the North Korean government.

Bybit Hack — February 2025 ($1.46–$1.5 Billion)

On February 21, 2025, Lazarus Group (tracked for this activity as TraderTraitor) executed the largest single cryptocurrency theft on record, taking approximately $1.46–$1.5 billion USD from the Dubai-based exchange Bybit. The FBI attributed the attack to North Korean TraderTraitor actors in a Public Service Announcement issued on February 26, 2025 (IC3 PSA250226). The intrusion was a supply chain compromise of Safe{Wallet}, the multi-signature smart contract wallet platform Bybit used for its cold storage. Attackers compromised a Safe{Wallet} developer's workstation through social engineering, stole AWS session tokens to reach Safe{Wallet}'s cloud infrastructure, and on February 19, 2025 at 15:29 UTC injected malicious JavaScript into the app.safe.global front-end. The code activated only for Bybit's Ethereum multisig cold wallet and fired on that wallet's next transaction, on February 21, 2025 at 14:13 UTC. The tampered front-end showed the signers a routine transfer while submitting a different transaction for signature: a delegatecall into an attacker-controlled contract that overwrote the Safe's implementation address (its 'mastercopy'), giving the attackers control of the wallet. Because the hardware wallets used for approval displayed only an opaque transaction hash rather than decoded fields, the signers had no way to notice the substitution; this is the 'blind signing' failure mode. Approximately 401,000 ETH was drained, rapidly dispersed across thousands of blockchain addresses, and converted to Bitcoin and other assets. The FBI published 51 Ethereum addresses associated with the laundering activity and urged cryptocurrency service providers to block related transactions. Silent Push identified pre-attack registration of the domain bybit-assessment.com at 22:21 UTC on February 20, 2025, using an email address previously linked to the Lazarus-associated 'Contagious Interview' campaign.

Ronin Bridge Hack — March 2022 ($625 Million)

On March 23, 2022, Lazarus Group drained 173,600 ETH and 25.5 million USDC from the Ronin Network bridge, a sidechain supporting the play-to-earn game Axie Infinity, operated by Sky Mavis. The stolen funds were valued at approximately $625 million at the time. Withdrawals from the bridge required signatures from five of its nine validators; the attackers obtained five validator keys (four Sky Mavis validators, plus a third-party Axie DAO validator whose signature Sky Mavis's infrastructure could still request through a gas-free RPC allowlist that had not been revoked after a period of emergency use) and submitted two fraudulent withdrawal transactions. Initial access reportedly came through a fake job offer delivered to a Sky Mavis engineer. The breach was not discovered until six days later, on March 29, 2022, when a user was unable to withdraw funds. The U.S. Treasury Department attributed the attack to Lazarus Group and added the Ronin-associated Ethereum address to the group's SDN entry on April 14, 2022. The FBI and OFAC subsequently worked with cryptocurrency exchanges to seize approximately $30 million of the stolen funds.

Harmony Horizon Bridge Hack — June 2022 ($100 Million)

On June 24, 2022, attackers exploited the Harmony Horizon cross-chain bridge, stealing approximately $99.7 million in cryptocurrency. The FBI confirmed Lazarus Group's responsibility in a press release dated January 24, 2023. The bridge's MultiSigWallet contract was governed by a 2-of-5 multisig, so compromising the private keys of just two of the five signers, which the attackers achieved through a social-engineering campaign against Harmony employees, was enough to take control of the contract and execute large unauthorized token transfers. In January 2023, the FBI observed Lazarus Group attempting to launder over $60 million of the stolen ETH through the RAILGUN privacy protocol, subsequently converting portions to Bitcoin. The FBI, working with virtual asset service providers, seized an undisclosed portion of the funds.

Atomic Wallet Hack — June 2023 (~$100 Million)

On June 3, 2023, users of the self-custody Atomic Wallet application reported widespread unauthorized fund drains. Blockchain analytics firm Elliptic attributed the theft to Lazarus Group on June 6, 2023, based on on-chain patterns consistent with prior Lazarus operations. Total losses were subsequently estimated at over $100 million across approximately 5,500 compromised wallets. In August 2023 the FBI warned that North Korean hackers were preparing to cash out approximately $40 million in stolen cryptocurrency held across six Bitcoin wallets, and published a separate advisory identifying funds stolen by DPRK-affiliated actors in the broader summer 2023 campaign. Atomic Wallet was the first of four Lazarus attacks on crypto entities that summer; the other three, CoinsPaid ($37.3 million), Alphapo ($60 million) and Stake.com ($41 million), bring the combined total to approximately $240 million.

WazirX Hack — July 2024 ($235 Million)

On July 18, 2024, India's largest cryptocurrency exchange WazirX suffered a breach in which approximately $234.9 million in digital assets, roughly 45% of the exchange's total crypto holdings, was drained from a multi-signature wallet held under a third-party custody arrangement with Liminal Custody. The wallet's signers approved a transaction whose contents differed from what the custody interface displayed; the signed transaction upgraded the multisig contract's logic, handing the attackers control of the wallet. On January 14, 2025, the governments of the United States, Japan, and South Korea issued a joint statement attributing the hack to DPRK state actors (the Lazarus Group / TraderTraitor cluster) and identifying it as part of a broader pattern of North Korean cyber theft operations that stole over $659 million in cryptocurrency during 2024. Reporting on the attack also describes social engineering, phishing, and API exploitation, and alleges that the attackers created a fake WazirX account, deposited tokens to build apparent legitimacy, and then conducted multi-stage wallet drains.

OFAC Sanctions and Regulatory Designations

The U.S. Treasury's OFAC first designated Lazarus Group on April 3, 2018 (as 'Lazarus Group' under North Korea Sanctions Regulations), and expanded sanctions on September 13, 2019, to cover the Bluenoroff and Andariel sub-clusters. OFAC subsequently updated the Lazarus Group SDN entry on April 14, 2022, to include the Ethereum address used in the Ronin Bridge hack. On March 2, 2020, Treasury sanctioned two Chinese nationals alleged to have laundered over $100 million in cryptocurrency on behalf of Lazarus Group. In May 2022, OFAC designated the Blender.io virtual currency mixer, the first U.S. sanctions action against a cryptocurrency mixer, citing its role in laundering proceeds from the Ronin Bridge hack; on August 8, 2022, it designated the Tornado Cash mixer on the same grounds (that listing was removed in March 2025). On March 12, 2026, OFAC sanctioned six additional individuals and two entities for their roles in North Korean government-orchestrated IT worker fraud schemes supporting the RGB and Lazarus Group operations.

Tactics, Techniques, and Procedures (TTPs)

Lazarus Group employs a layered set of offensive cyber capabilities spanning social engineering, supply chain compromise, spear-phishing, and custom malware deployment. The TraderTraitor sub-cluster specializes in cryptocurrency exchange targeting and is characterized by simultaneous multi-employee social engineering to achieve initial access. Documented attack vectors include: (1) Operation Dream Job / fake recruiter campaigns distributing trojanized coding challenges via GitHub to developers at crypto firms; (2) Supply chain attacks targeting wallet infrastructure providers, as demonstrated by the Safe{Wallet} compromise in the Bybit heist; (3) Deployment of custom malware families including RN Loader, RN Stealer (harvesting SSH keys, credentials, cloud configs), and TraderTraitor-branded malicious applications; (4) Session token theft to pivot from developer workstations into cloud infrastructure (AWS S3, CloudFront); (5) Front-end JavaScript injection to manipulate transaction signing interfaces and induce authorized signers to approve fraudulent transactions. Post-theft laundering typically involves rapid conversion through mixing services, cross-chain bridges, and peer-to-peer exchangers, dispersing funds across thousands of addresses to complicate tracing. The group has also extensively used Tornado Cash, RAILGUN, and the now-sanctioned Blender.io mixer.
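Items (4) and (5) above are the hops a cloud-side detection can catch: a developer's temporary AWS credential suddenly being used from an unfamiliar network, and that same credential then writing to the bucket or CloudFront distribution that serves the production front-end. The following is an added example, not code from the original page or from any party named in it; it runs those two rules over a handful of constructed CloudTrail-style records and returns findings. The corporate egress range, bucket name, distribution ID, role ARNs and access key IDs are assumptions chosen for the example.

```python
"""Spot a stolen AWS session token pivoting into front-end hosting (added example).

Two rules over CloudTrail records:
  1. session_token_reuse: a temporary credential (access key 'ASIA...') used from a
     second source IP that is outside the known corporate egress ranges;
  2. frontend_write_outside_pipeline: a write to a bucket or CloudFront distribution
     serving a production front-end by any principal other than the deploy pipeline.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Assumptions for the example: corporate egress, the assets hosting the web app, and the
# only role expected to publish a new bundle.
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
FRONTEND_BUCKETS = {"app-frontend-prod"}
FRONTEND_DISTRIBUTIONS = {"E1EXAMPLEDIST"}
DEPLOY_ROLES = {"arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"}

_DEV = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEDEV001",
        "arn": "arn:aws:sts::111122223333:assumed-role/developer/alice"}
_CI = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLECI0002",
       "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"}

# Constructed CloudTrail-style records (not real logs): the developer's session token is
# used from the office, then from an unknown IP to overwrite the bundle and flush the CDN cache.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-19T14:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.17", "userAgent": "aws-cli/2.15.0",
     "userIdentity": _DEV, "requestParameters": {"bucketName": "app-frontend-prod"}},
    {"eventTime": "2025-02-19T15:20:43Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "198.51.100.77", "userAgent": "aws-sdk-go/1.44",
     "userIdentity": _DEV,
     "requestParameters": {"bucketName": "app-frontend-prod", "key": "static/js/main.js"}},
    {"eventTime": "2025-02-19T15:29:02Z", "eventSource": "cloudfront.amazonaws.com",
     "eventName": "CreateInvalidation", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-sdk-go/1.44", "userIdentity": _DEV,
     "requestParameters": {"distributionId": "E1EXAMPLEDIST"}},
    {"eventTime": "2025-02-19T16:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.40", "userAgent": "aws-cli/2.15.0",
     "userIdentity": _CI,
     "requestParameters": {"bucketName": "app-frontend-prod", "key": "static/js/main.js"}},
]


def _is_corp(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_EGRESS)


def detect(events: list) -> list:
    """Return (rule, accessKeyId, detail) findings in event-time order."""
    findings = []
    seen_ips = defaultdict(set)      # accessKeyId -> source IPs observed so far
    for ev in sorted(events, key=lambda e: datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")):
        ident = ev.get("userIdentity") or {}
        key, arn, ip = ident.get("accessKeyId", ""), ident.get("arn", ""), ev["sourceIPAddress"]
        params = ev.get("requestParameters") or {}

        # Rule 1: the same temporary credential appears from a new, non-corporate network.
        if key.startswith("ASIA"):
            if seen_ips[key] and ip not in seen_ips[key] and not _is_corp(ip):
                findings.append(("session_token_reuse", key,
                                 f"{arn} used from {ip}; previously seen from {sorted(seen_ips[key])}"))
            seen_ips[key].add(ip)

        # Rule 2: production front-end content changed by something other than the pipeline.
        target = params.get("bucketName") or params.get("distributionId")
        touches_frontend = (
            (ev["eventName"].startswith("PutObject") and params.get("bucketName") in FRONTEND_BUCKETS)
            or (ev["eventName"] == "CreateInvalidation"
                and params.get("distributionId") in FRONTEND_DISTRIBUTIONS))
        if touches_frontend and arn not in DEPLOY_ROLES:
            findings.append(("frontend_write_outside_pipeline", key,
                             f"{ev['eventName']} on {target} by {arn} from {ip} ({ev.get('userAgent')})"))
    return findings


if __name__ == "__main__":
    for rule, key, detail in detect(SAMPLE_EVENTS):
        print(json.dumps({"rule": rule, "accessKeyId": key, "detail": detail}))
```

Rule 1 is deliberately keyed on the access key ID rather than the role ARN: a stolen session token reuses the same ASIA key the victim's own tooling is using, so a per-role baseline would not separate the two. Rule 2 is the compensating control for the case where the token is replayed from an address inside the corporate range; restricting who may write the bundle (and alerting on everyone else) does not depend on where the request came from.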

Historical Non-Crypto Operations

Prior to focusing predominantly on cryptocurrency theft, Lazarus Group conducted a series of high-profile cyberattacks. The 2014 Sony Pictures Entertainment hack, attributed by the FBI, involved the destruction of data, release of sensitive internal communications, and an extortion demand related to the film 'The Interview.' In February 2016, the group exploited the SWIFT interbank messaging network to fraudulently transfer $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York to accounts in the Philippines; the full $1 billion attempt was partially foiled by a spelling error in one transfer request. In May 2017, Lazarus Group deployed the WannaCry 2.0 ransomware worm, which infected an estimated 200,000 computers across 150 countries, causing billions of dollars in damages globally and severely impacting the UK's National Health Service.

UN Panel Reports and Strategic Context

A United Nations Panel of Experts estimated in 2024 that illicit North Korean cyber activity — predominantly cryptocurrency theft — accounts for approximately 40% of the funding for Pyongyang's weapons of mass destruction programs. The panel further estimated that North Korea had stolen more than $3 billion in cryptocurrency since 2017. In 2024, Chainalysis reported that DPRK-linked hacking groups stole $1.3 billion across 47 incidents, more than doubling the $660 million stolen in 2023. According to The Hacker News, DPRK-linked actors stole $2.02 billion in 2025 alone — a 51% increase year-over-year — representing approximately 60% of all global crypto theft that year. Cumulative all-time estimates of Lazarus Group's cryptocurrency theft range from approximately $3.4 billion (conservative, Lazarus Group alone since 2007) to over $6.75 billion (inclusive of all DPRK-affiliated actors across all platforms). Cryptocurrency theft is understood to provide the DPRK regime with hard currency to circumvent international sanctions imposed over its nuclear weapons and ballistic missile programs.

2026 Activity — Alleged KelpDAO / LayerZero Theft

In April 2026, media reports indicated that North Korean hackers, alleged to be affiliated with Lazarus Group, were tied to a $290 million cryptocurrency theft involving KelpDAO and LayerZero-related infrastructure. Attribution at time of reporting remained at the investigative stage by private blockchain analytics firms, without formal FBI or OFAC confirmation. This alleged incident was characterized as the latest in a continuing escalation of DPRK-linked cryptocurrency theft.

Timeline

2007

Lazarus Group established by the North Korean government 'as early as 2007' under the RGB's 110th Research Center, according to OFAC designation documents (year only; no exact date is documented).

U.S. Department of the Treasury OFAC — Press Release SM774

2014-11-24

Sony Pictures Entertainment hack: Lazarus Group destroys data, leaks internal communications, and issues extortion demands linked to the film 'The Interview.'

DOJ / Washington Post

2016-02-04

Bangladesh Bank SWIFT heist: $81 million fraudulently transferred from Bangladesh Bank's New York Federal Reserve account; full $1 billion attempt partially blocked.

Bangladesh Bank Robbery — Wikipedia

2017-05-12

WannaCry 2.0 ransomware attack launched globally, attributed to Lazarus Group by the FBI and allied intelligence agencies; approximately 200,000 computers in 150 countries affected.

DOJ Press Release

2018-04-03

OFAC first designates Lazarus Group on the SDN list under North Korea Sanctions Regulations.

OFAC Sanctions Search

2018-09-06

DOJ charges North Korean national Park Jin Hyok in connection with the Sony hack, Bangladesh Bank SWIFT theft, and WannaCry ransomware attack.

DOJ Office of Public Affairs

2019-09-13

OFAC sanctions Lazarus Group, Bluenoroff, and Andariel under Executive Order 13722, identifying all three as agencies or instrumentalities of the DPRK government.

U.S. Department of the Treasury — SM774

2020-03-02

Treasury sanctions two Chinese nationals for laundering over $100 million in cryptocurrency on behalf of Lazarus Group.

U.S. Department of the Treasury — SM924

2021-02-17

DOJ expands North Korea indictment to three defendants — Park Jin Hyok, Jon Chang Hyok, Kim Il — broadening charges to include cryptocurrency exchange thefts.

Deadline / DOJ

2022-03-23

Ronin Bridge hack: Lazarus Group steals 173,600 ETH and 25.5 million USDC (~$625 million) from the Axie Infinity sidechain by compromising five of nine validator keys.

CoinDesk

2022-04-14

U.S. Treasury attributes Ronin Bridge hack to Lazarus Group and updates group's SDN listing with associated Ethereum address.

CoinDesk / CyberScoop

2022-05-06

OFAC designates Blender.io cryptocurrency mixer — the first-ever U.S. sanctions on a virtual currency mixer — citing its use to launder Ronin Bridge hack proceeds.

U.S. Department of the Treasury

2022-06-24

Harmony Horizon Bridge hack: Approximately $99.7 million stolen via compromise of multi-signature wallet keys; later confirmed by FBI as Lazarus Group operation.

FBI.gov

2023-01-24

FBI formally confirms Lazarus Group responsible for the June 2022 Harmony Horizon Bridge theft.

FBI.gov

2023-06-03

Atomic Wallet hack: Over $100 million drained from approximately 5,500 user wallets; Elliptic attributes the theft to Lazarus Group on June 6, 2023.

Decrypt

2023-09-04

Stake.com theft: approximately $41 million stolen; on September 6, 2023, the FBI identifies Lazarus Group as responsible and places it within a 2023 campaign (Atomic Wallet, Alphapo, CoinsPaid, Stake.com) totaling ~$240 million.

FBI.gov

2024-07-18

WazirX hack: Approximately $234.9 million stolen from India's largest cryptocurrency exchange via a compromised multi-signature wallet held with Liminal Custody.

Elliptic

2025-01-14

Joint statement by the United States, Japan, and South Korea formally attributes WazirX hack and other 2024 thefts totaling over $659 million to North Korea's Lazarus Group.

TechCrunch

2025-02-21

Bybit hack: TraderTraitor (Lazarus sub-cluster) steals approximately $1.46–$1.5 billion in ETH from Bybit via a Safe{Wallet} supply chain attack — the largest single cryptocurrency theft in history.

FBI IC3 PSA250226

2025-02-26

FBI issues Public Service Announcement PSA250226 formally attributing the Bybit hack to North Korean TraderTraitor actors and publishing 51 Ethereum addresses associated with the laundering.

FBI IC3

2026-03-12

OFAC sanctions six individuals and two entities for roles in North Korean IT worker fraud schemes supporting Lazarus Group operations.

U.S. Department of the Treasury

2026-04-22

Media reports allege North Korean Lazarus Group hackers tied to a $290 million theft involving KelpDAO and LayerZero infrastructure; formal attribution pending.

UPI

Research Gaps

3 open · agent-resolvable

Heuristic next-actions surfaced for researchers and worker agents. Resolving these strengthens the page's evidence base and trust score.

  • [high] no regulatory: No regulatory or sanctions cross-check. Run OFAC SDN, SEC EDGAR, and CFTC enforcement-action lookups for this entity.
  • [med] single source: Only one source has reported on this entity. Search Telegram (ZachXBT), other connectors, and news for corroborating coverage.
  • [med] unarchived sources: Cited sources are not Wayback-archived. Run the archiver to pin their content before they rot.

Provenance

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-code-investigator

generated: 5/4/2026, 4:04:56 PM

last updated: 5/8/2026, 2:42:01 AM

avoid.net — verified advice for a post-truth world