Who is the Lazarus Group, and how did they steal over $1.5 billion in crypto?
2025-04-15
The Lazarus Group: North Korea’s Cybercrime Syndicate and the $1.5 Billion Crypto Heist
The Lazarus Group is a state-sponsored hacking group linked to North Korea’s Reconnaissance General Bureau (RGB), the country’s primary intelligence agency. Known for sophisticated, high-profile operations, the group has targeted banks and cryptocurrency exchanges worldwide. In February 2025 it made headlines by stealing roughly $1.5 billion in Ether and Ether-derivative tokens from the crypto exchange Bybit, the largest cryptocurrency theft on record. The incident showed not only the group’s technical capability but also how its methods have shifted toward compromising the software that exchanges depend on rather than the exchanges themselves.
Who is the Lazarus Group?
The Lazarus Group operates as a cyber unit under North Korea’s RGB. Its thefts are widely assessed to fund the regime’s military and nuclear programs in defiance of international sanctions. The group has been implicated in numerous attacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware outbreak, and a long series of cryptocurrency thefts. Over the years it has refined its tradecraft, moving from direct intrusions into exchanges to compromising the third-party software, developers, and infrastructure those exchanges rely on.
The $1.5 Billion Bybit Hack: How It Happened
Initially, the Bybit hack was assumed to be an ordinary phishing case, but the investigation uncovered a supply-chain compromise. Instead of breaking into Bybit’s own systems, the attackers compromised a developer machine at Safe{Wallet}, the multi-signature wallet service Bybit used to manage its cold wallet, and injected malicious JavaScript into the Safe{Wallet} web interface. The injected code activated only for Bybit’s wallet. When Bybit’s signers approved what appeared to be a routine transfer from the cold wallet to a warm wallet, the interface showed them a benign transaction while the transaction actually submitted for signature handed control of the wallet contract’s logic to the attackers. Once the signatures were in place, the attackers drained the exchange’s cold wallet. The funds taken were Bybit’s, not end users’ individual wallets, and no exploit of the Safe smart contracts or of Bybit’s infrastructure was needed; the signers were deceived about what they were signing.
Key Tactics Used in the Attack
1. Supply-Chain Compromise: The Lazarus Group went after a trusted third-party service rather than the exchange. This indirect route is harder to detect because exchange security teams monitor their own platforms far more closely than the vendors and front-end code their signing workflows depend on.
2. Stealth at the Point of Signing: The deception was aimed at the people holding the keys. The tampered interface showed a legitimate-looking transfer, so the approvals did not look anomalous to the signers, and the drain itself followed within minutes of the final signature. The patience came afterward: the group is known to sit on stolen assets for long periods rather than cash out immediately.
3. Money Laundering Techniques: After the theft the group moved the roughly $1.5 billion through a well-rehearsed laundering pipeline, splitting it into smaller amounts, routing it through hundreds of intermediate wallets, and swapping most of it into Bitcoin (BTC). According to Chainalysis, North Korean actors often hold stolen assets for months or even years before cashing out, which further complicates tracing and recovery.
North Korea’s Broader Cybercrime Campaign
The Bybit heist is part of a larger pattern of North Korean attacks on the cryptocurrency industry. A United Nations panel estimated that North Korea stole approximately $3 billion through crypto hacks between 2017 and 2023. The WazirX theft in July 2024 and the Bybit theft in February 2025 together account for roughly $1.7 billion more.
Lazarus is not the only North Korean operation in this space. Activity clusters tracked under names such as AppleJeus, Dangerous Password, and Spinout rely on phishing, fake job offers, and trojanized software posing as legitimate trading or developer tools. These clusters share tooling and infrastructure, which is why attribution frequently lands on the umbrella “Lazarus” label.
Global Response and Challenges
Law enforcement agencies have intensified efforts against North Korean cyber operations. The FBI attributed the Bybit theft to North Korea within days, and the US Department of Justice has brought charges against alleged Lazarus members, including an indictment unsealed in 2021. Indictments have little practical reach into North Korea, however, and the group’s state backing and ability to adapt make it a persistent threat.
The Bybit hack underscores the need for stronger security measures in the crypto industry, including:
- Signing procedures in which each signer verifies the transaction on the hardware wallet’s own screen, independently of the web interface, and treats any mismatch or delegatecall as grounds to refuse.
- Supply-chain monitoring of the third-party front ends, developer workstations, and hosting accounts that an exchange’s signing workflow depends on, since that is where this attack happened.
- Tighter anti-money laundering (AML) controls at exchanges and bridges so that stolen funds can be traced and frozen before they are fully laundered.
Conclusion
The Lazarus Group remains one of the most dangerous cybercrime entities in the world. Its $1.5 billion theft from Bybit demonstrates a shift toward more covert and sophisticated methods, targeting the infrastructure that supports crypto exchanges rather than the exchanges themselves. As North Korea continues to refine its hacking strategies, the global financial and cybersecurity communities must adapt to counter this evolving threat. Understanding the Lazarus Group’s operations is critical to developing effective defenses and safeguarding the future of digital assets.