Tags: Threat actors, APT, crypto

Lazarus Group: The North Korean State APT Behind Crypto and Bank Heists

Published on 2026-04-10 · 8 min read · Florian

Who Is Lazarus Group

Lazarus Group (also referenced as HIDDEN COBRA, APT38, or Diamond Sleet) is an advanced persistent threat (APT) group attributed to North Korea's Reconnaissance General Bureau. Active since at least 2009, it is responsible for some of the most lucrative cyberattacks in history.

What makes Lazarus unique: its operations have a direct financial objective. The North Korean regime uses cybercrime as a revenue source to circumvent international sanctions. According to the United Nations, Lazarus stole over $3 billion in cryptocurrency between 2017 and 2023.

Major Operations

Bangladesh Bank (2016)

Lazarus compromised the SWIFT terminal at the Central Bank of Bangladesh and initiated fraudulent transfers totaling $951 million. $81 million was actually transferred before a typo in a beneficiary name alerted an intermediary bank. The attack exploited SWIFT network vulnerabilities and weaknesses in the bank's internal controls.

WannaCry (2017)

The WannaCry ransomware hit more than 200,000 computers in 150 countries, exploiting the EternalBlue vulnerability (CVE-2017-0144) in Windows SMB. The attack crippled the UK's National Health Service (NHS), Renault factories, and numerous businesses. Attribution to Lazarus was confirmed by the FBI, GCHQ, and Microsoft.

Ronin Network (2022)

The largest cryptocurrency theft in history at the time: $625 million stolen from the Ronin bridge (Axie Infinity). Lazarus compromised 5 of 9 bridge validators using social engineering via fake LinkedIn job offers sent to Sky Mavis developers.

Bybit (2025)

The attack against the Bybit exchange platform enabled the theft of $1.5 billion in ETH. Attackers compromised the cold wallet management infrastructure by targeting platform developers through malicious applications.

Tactics, Techniques, and Procedures (TTPs)

Initial access: Lazarus primarily uses social engineering, notably fake job offers (Operation Dream Job). Targets are developers and engineers in the crypto industry. Offers contain weaponized documents or links to malicious sites.

Tools: the group uses custom malware (AppleJeus for crypto platforms, TraderTraitor for macOS, ELECTRICFISH for tunneling) and bespoke attack frameworks.

Persistence: backdoor installation in build systems, software supply chain compromise, modification of deployment tools.

Financial exfiltration: rapid conversion of stolen assets via mixers (Tornado Cash, Sinbad), cross-chain bridges, and mule accounts.

How to Protect Yourself

Verify job offers. If a LinkedIn recruiter asks you to install an application or open a document for a "technical test," it is likely an attack.

Separate environments. Developers with access to critical systems (wallets, signing keys) should not use the same machine for daily browsing.

Multi-signature governance. High-value transactions must require multiple independent signatures with separate validation channels.

Anomaly monitoring. Detect unusual connections, configuration changes, and atypical transfers.
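The multi-signature and anomaly-monitoring controls above, combined into a single release gate for outgoing transfers. This is an added example written for this article, not code from any exchange or from CleanIssue; the thresholds, signer names, channel labels, addresses and transfer history are all constructed.

```python
# Added example: a release gate that enforces m-of-n approval with distinct
# signers and channels, plus a simple anomaly check against the account's own
# transfer history. All thresholds and sample data are constructed.
from dataclasses import dataclass, field
from statistics import median

@dataclass(frozen=True)
class Approval:
    signer: str
    channel: str  # e.g. "hardware-key", "phone-callback", "web-console"

@dataclass
class Transfer:
    destination: str
    amount: float
    approvals: list[Approval] = field(default_factory=list)

REQUIRED_SIGNERS = 3      # m of n: three distinct people must approve
REQUIRED_CHANNELS = 2     # and not all through the same validation path
HIGH_VALUE = 1_000_000    # at or above this, the governance rules apply
ANOMALY_FACTOR = 10       # flag transfers far above the historic median

def review_transfer(tx: Transfer, allowlist: set[str], history: list[float]) -> list[str]:
    """Return policy findings; an empty list means the transfer may be released."""
    findings = []
    signers = {a.signer for a in tx.approvals}
    channels = {a.channel for a in tx.approvals}
    if tx.amount >= HIGH_VALUE:
        if len(signers) < REQUIRED_SIGNERS:
            findings.append(f"{len(signers)} distinct signer(s), {REQUIRED_SIGNERS} required")
        if len(channels) < REQUIRED_CHANNELS:
            # Approvals that all arrive through one front-end are not independent.
            findings.append("all approvals arrived via a single channel")
    if tx.destination not in allowlist:
        findings.append(f"destination {tx.destination} is not on the allowlist")
    if history and tx.amount > ANOMALY_FACTOR * median(history):
        findings.append(f"amount {tx.amount:,.0f} exceeds {ANOMALY_FACTOR}x the historic median")
    return findings

if __name__ == "__main__":
    # Constructed sample: routine history, then a large transfer to a new
    # address approved twice by the same person through the same console.
    history = [12_000.0, 9_500.0, 15_000.0, 11_000.0]
    allowlist = {"0xTREASURY_COLD", "0xEXCHANGE_HOT"}
    suspicious = Transfer("0xNEW_ADDRESS", 5_000_000.0, [
        Approval("alice", "web-console"), Approval("alice", "web-console")])
    for finding in review_transfer(suspicious, allowlist, history):
        print("HOLD:", finding)
```

Every finding is a reason to hold the transfer for out-of-band confirmation; a transfer with no findings still went through three people on at least two channels.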

Lazarus primarily targets crypto and fintech companies. If your business manages digital assets, regular security auditing is your first line of defense. CleanIssue identifies attack vectors before they are exploited.


Written by Florian
Reviewed on 2026-04-10

Editorial analysis based on official vendor, project, and regulator documentation.
