Operating under the Lazarus Group moniker, state-backed North Korean hackers have stolen billions of dollars' worth of crypto within a decade. Their operations have made North Korea the fifth-largest country in terms of Bitcoin holdings. According to a UN report, nearly half of the costs of North Korea’s nuclear program are covered by stolen crypto.
The Lazarus Group has been in the news recently. According to Arkham Intelligence, as of March 17, 2025, the Lazarus Group holds approximately $1.14 billion in BTC. Recently, the group has been converting stolen ETH into Bitcoin. The latest estimates show that the Democratic People's Republic of Korea owns 13,518 BTC following the Bybit hack and the subsequent money laundering. That places the country behind the US, China, the UK and Ukraine, and ahead of Bhutan and El Salvador, in terms of BTC holdings.
That same day, it was reported that OKX had to suspend its DEX aggregator following consultations with authorities. Exchange employees reportedly detected coordinated attempts by the Lazarus Group to access the DEX aggregator. On March 11, Bloomberg reported that EU authorities were investigating OKX Web3 services in connection with the Bybit hack and the associated money laundering.
On March 10, 2025, the Socket Investigation Team revealed that the Lazarus Group had infiltrated the npm ecosystem with six malicious packages intended to steal credentials, extract cryptocurrency data, compromise developer environments and carry out other malicious activities. The packages mimic the names of popular, trusted libraries. Five other packages have been placed on GitHub.
On February 21, North Korean hackers committed the biggest robbery in history, stealing $1.4 billion worth of crypto from the Bybit exchange, according to Elliptic.
Lazarus Group attacks
Not much is known about the Lazarus Group. However, the group’s earliest cybercrime dates back to 2009. The group operates as an advanced persistent threat (the Lazarus Group is also known as APT38). It undermines global cybersecurity while using stolen assets to compensate for North Korea’s poor economic situation under sanctions.
For the first few years, the group targeted major banks. In 2017, the hackers demanded a ransom in BTC during the massive WannaCry attack carried out by the Lazarus Group. In the same year, Lazarus shifted its focus to the crypto sector. The first target was the US-Korea crypto exchange.
In a string of heists in 2017, the hackers stole crypto from the mining power marketplace NiceHash and the crypto exchanges Bithumb and Youbit. In 2022, Lazarus hackers stole $615 million worth of crypto from the Ronin Network. Over 17% of all crypto stolen in 2023 is attributed to Lazarus hacks. WazirX and Bybit were the latest massive crypto exchange hacks carried out by the Lazarus Group.
What puts the Lazarus Group in a special position is that the unit is supported by its government and acts against most countries. The institutions and individuals affected by the Lazarus Group’s attacks were located in the United States, China, Russia, South Korea, Vietnam, Kuwait and many other countries.
The group’s outright criminal acts do not result in prosecution at home, as the government appears to support them. Given that North Korea’s internet is under state control, it is not possible that the hacker group’s activities are not approved or sponsored by the government.
Compared to Moscow, Pyongyang doesn’t care much about its international reputation. This gives the hackers carte blanche, allowing them to act even more recklessly. The hackers are reportedly trained at several universities in China and North Korea.
Some of the attacks (such as the 2017 WannaCry attack) are characterized less by economic motivation and are rather intended to provoke panic and chaos abroad. However, later attacks on crypto platforms were linked to massive amounts of stolen money. Perhaps the money is going to patch holes in the North Korean budget.
The group consists of several subunits with different skills. According to a report from the NCC Group, the hackers work systematically using a wide range of tools, taking their time and prioritizing being as undetectable as possible. Most often, the Lazarus Group leans towards social engineering tactics and large-scale phishing campaigns.
Cryptocurrency and North Korea’s nuclear program
According to a UN report, about half of North Korea’s foreign currency revenues are generated by government-sponsored hacker attacks. These funds are said to be used to fund the development of ballistic missiles. One of the anonymous sources mentioned in the report states that 40% of weapons of mass destruction development is funded through cybercrime money.
North Korea continues to test ballistic missiles. In 2023, it tested the Hwasong-18, a rocket that can carry several warheads and can fly over 15,000 km. 2022 was a record year in terms of rocket launches: the number was close to 90. The latest nuclear bomb test took place in 2017. The country has 50-100 bombs.
Last year, American journalist Annie Jacobsen released a book, Nuclear War: A Scenario. The book is based on interviews with retired US officials who are knowledgeable about US nuclear protocols. It explains what will happen if North Korea attacks the US with a nuclear bomb. Jacobsen believes that in three-fourths of each, all nuclear forces exchange strikes and effectively send humanity to extinction, which takes several years in the harsh conditions of hunger and nuclear winter.
Apparently, this is not something Satoshi Nakamoto dreamed of while creating Bitcoin. Unfortunately, prosecuting Lazarus Group hackers is a tough task and is considered almost impossible. Over the years, only about half a dozen individuals have been charged, but the total staff includes over 1,000 hackers, with new members constantly being trained.
DW quotes Aditya Das, an analyst at the company Brave New Coin:
“If possible, it’s good to see real criminals, in contrast to the applications they use.”
In most cases, prevention means limiting privacy and anonymity in the DeFi and Web3 sectors to gain more control over the funds handled by hackers. One exchange, an anonymous platform, didn’t respond immediately to Bybit’s request to stop the hackers from cashing out, allowing them to move $90 million in crypto before it complied.
The later focus on crypto underscores how convenient the sector is for Pyongyang as a way to collect funds. Its trained hackers are skilled enough to steal huge amounts of money in crypto. Most experts believe that the Lazarus Group will not stop anytime soon. These new challenges require new solutions that find a good balance between privacy and crime prevention.


