Verify a decision

{"actor":"system:backfill","investigation_id":"aa55ae7b-c8d6-467e-99e5-abe558bde7eb","kind":"publish","page_slug":"dprk","published_at":"2026-05-18T23:18:06.670Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"DPRK","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"The Democratic People's Republic of Korea (DPRK), operating primarily through state-sponsored hacking units designated as the Lazarus Group, TraderTraitor, and APT38, has stolen an estimated $6.75 billion in cryptocurrency since 2016 across dozens of major exploits. These operations are attributed by the FBI, OFAC, CISA, and allied governments to North Korea's Reconnaissance General Bureau and are conducted to fund the regime's weapons of mass destruction and ballistic missile programs in circumvention of international sanctions. DPRK-linked hackers are responsible for the largest single crypto theft in history — the $1.5 billion Bybit hack in February 2025 — and continue to operate at unprecedented scale and sophistication.","timeline":[{"date":"2018-01-01","event":"Lazarus Group designated on OFAC Specially Designated Nationals List under North Korea Sanctions Regulations","source":"","source_url":"https://home.treasury.gov/news/press-releases/sm924"},{"date":"2022-03-23","event":"Ronin Network (Axie Infinity) bridge hacked; 173,600 ETH and 25.5M USDC stolen (~$625M). Attack later attributed to Lazarus Group by U.S. Treasury","source":"","source_url":"https://www.coindesk.com/policy/2022/04/14/us-officials-tie-north-korean-hacker-group-to-axies-ronin-exploit"},{"date":"2022-04-14","event":"U.S. Treasury (OFAC) sanctions Lazarus Group Ethereum wallet linked to Ronin Bridge hack; FBI and OFAC jointly attribute attack to DPRK","source":"","source_url":"https://cyberscoop.com/ronin-bridge-hack-lazarus-group-north-korea-treasury-sanctions/"},{"date":"2022-04-22","event":"CISA, FBI, and U.S. Treasury issue joint advisory AA22-108A on TraderTraitor, warning blockchain companies of DPRK targeting","source":"","source_url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a"},{"date":"2022-05-06","event":"OFAC issues first-ever sanctions on a virtual currency mixer — Blender.io — for processing over $20.5M in Ronin hack proceeds","source":"","source_url":"https://home.treasury.gov/news/press-releases/jy0768"},{"date":"2022-06-24","event":"Harmony Horizon Bridge hacked; $100M in crypto assets stolen. FBI later confirms Lazarus Group responsible","source":"","source_url":"https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft"},{"date":"2023-01-13","event":"North Korean actors use RAILGUN protocol to launder over $60M in ETH from Harmony Horizon Bridge hack; funds also routed through Tornado Cash","source":"","source_url":"https://www.bleepingcomputer.com/news/security/fbi-north-korean-hackers-stole-100-million-in-harmony-crypto-hack/"},{"date":"2023-06-01","event":"Atomic Wallet breached; over $100M stolen from users. Blockchain analytics firms attribute attack to Lazarus Group","source":"","source_url":"https://hacken.io/discover/lazarus-group/"},{"date":"2023-11-01","event":"OFAC sanctions Sinbad.io virtual currency mixer for laundering Lazarus Group funds from Ronin Bridge and Horizon Bridge heists","source":"","source_url":"https://home.treasury.gov/news/press-releases/jy1933"},{"date":"2024-05-31","event":"DMM Bitcoin (Japan) loses $308M in Bitcoin via supply-chain attack traced to TraderTraitor operative posing as recruiter to compromise Ginco developer. FBI and Japan NPA jointly attribute the attack","source":"","source_url":"https://2021-2025.state.gov/office-of-the-spokesperson/releases/2025/01/joint-statement-on-cryptocurrency-thefts-by-the-democratic-peoples-republic-of-korea-and-public-private-collaboration/"},{"date":"2024-07-18","event":"WazirX (India) loses $234.9M; Lazarus Group manipulates multisig smart contract during signing session. ZachXBT traces test transactions to July 10 and notes Tornado Cash funding of attacker addresses","source":"","source_url":"https://finance.yahoo.com/news/north-korean-lazarus-groups-200m-041020035.html"},{"date":"2025-01-14","event":"United States, Japan, and South Korea issue first-ever trilateral joint statement on DPRK cryptocurrency theft, citing over $659M stolen in 2024","source":"","source_url":"https://2021-2025.state.gov/office-of-the-spokesperson/releases/2025/01/joint-statement-on-cryptocurrency-thefts-by-the-democratic-peoples-republic-of-korea-and-public-private-collaboration/"},{"date":"2025-02-21","event":"Bybit exchange hacked; ~499,000 ETH (~$1.5B) stolen via Safe wallet supply-chain attack. TraderTraitor actors inject malicious code targeting Bybit-specific transactions","source":"","source_url":"https://www.ic3.gov/psa/2025/psa250226"},{"date":"2025-02-26","event":"FBI issues IC3 PSA250226 attributing Bybit hack to North Korean TraderTraitor; releases 51 Ethereum addresses used in laundering. ZachXBT independently identifies Lazarus Group via wallet linkage and receives $50K Arkham bounty","source":"","source_url":"https://www.ic3.gov/psa/2025/psa250226"},{"date":"2025-03-05","event":"Lazarus Group alleged to have laundered 83% of stolen Bybit ETH (~$1B) through THORChain, converting to Bitcoin distributed across 6,954 wallets; THORChain earns ~$5.5M in fees. Several THORChain developers resign after community votes against blocking laundering","source":"","source_url":"https://securityonline.info/bybit-hack-lazarus-group-launders-1-4-billion-in-ethereum-through-thorchain/"},{"date":"2025-12-01","event":"North Korea-linked hackers confirmed to have stolen over $2.02 billion in 2025 — a 51% year-over-year increase — representing the worst annual total on record","source":"","source_url":"https://thehackernews.com/2025/12/north-korea-linked-hackers-steal-202.html"},{"date":"2026-03-12","event":"OFAC sanctions six individuals and two entities for DPRK IT worker fraud schemes; designates 21 cryptocurrency addresses across multiple blockchains","source":"","source_url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"},{"date":"2026-04-01","event":"Drift Protocol compromised in elaborate social engineering operation; North Korean proxies met Drift employees in person at conferences and made deposits over $1M to appear as legitimate partners before exploiting the protocol for $285M","source":"","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"}]},"v":1}