
On February 21, 2025, the cryptocurrency exchange Bybit suffered a catastrophic breach, losing approximately $1.5 billion worth of Ethereum in what is now recognized as the largest theft in cryptocurrency history. 

The attack has been attributed to the notorious Lazarus Group, a hacking collective with deep ties to North Korea. The scale of this theft has sent shockwaves through the crypto community, raising urgent concerns about security and the implications of state-sponsored cybercrime.

The hack was characterized by sophisticated techniques that exploited vulnerabilities in Bybit’s security infrastructure. According to Ben Zhou, co-founder and CEO of Bybit, attackers used a “masked” user interface (UI) and URL to deceive wallet signers into approving malicious transactions. This manipulation allowed them to alter the smart contract logic governing Bybit’s Ethereum cold wallet, which is designed to store cryptocurrencies offline for enhanced security.

Blockchain analytics firms such as Arkham Intelligence and Elliptic quickly identified patterns linking the attack to previous exploits attributed to the Lazarus Group. Arkham’s investigations revealed that the stolen Ethereum was transferred to 53 different wallets, complicating efforts to trace and recover the funds. 

Zhou reassured users during a live session on X, stating, “Rest assured that all other cold wallets are secure,” and emphasized that client assets remain fully backed on a 1:1 basis.

Despite these assurances, the incident triggered a wave of withdrawal requests from anxious clients, reflecting widespread concerns about potential insolvency. In response, Zhou confirmed that Bybit had engaged undisclosed partners for bridge loans to cover any recoverable losses and ensure continued operations.

Amid this devastating hack, one question keeps resurfacing: Who exactly is the Lazarus Group? Let’s take a closer look at this elusive collective, their origins, tactics, and the staggering scale of their operations.

Who is the Lazarus Group?

The Lazarus Group, also known as APT38, is a well-known Advanced Persistent Threat (APT) entity linked to North Korea’s Reconnaissance General Bureau. Active since around 2009, the group has transitioned from traditional espionage to large-scale cybercrime, primarily targeting financial institutions and cryptocurrency exchanges.

Their attack methods are highly sophisticated and constantly evolving. They leverage advanced social engineering techniques, exploit zero-day vulnerabilities, and deploy custom-built malware such as RATANKBA and Manuscrypt. These capabilities have allowed them to execute high-profile cyberattacks with remarkable efficiency, making them one of the most feared hacking groups in the world.

The Lazarus Group’s reputation in the cryptocurrency sector has been cemented by a series of audacious heists.

Some of their most infamous attacks include:

  • Ronin Network Hack (March 2022): A staggering $620 million was stolen from Axie Infinity’s blockchain bridge, marking one of the largest DeFi exploits in history.
  • Atomic Wallet Theft (2023): Hackers siphoned approximately $100 million from this widely used crypto wallet, leaving thousands of users affected.
  • Stake.com Breach (2023): A swift and calculated attack drained around $41 million from the online casino platform.
  • Phemex Attack (2025): In another exchange-targeted assault, the group allegedly stole an estimated $73 million in assets across sixteen blockchains.

According to a Chainalysis report, in 2024 alone, the cryptocurrency sector witnessed $2.2 billion in stolen funds, a 21.1% increase from the previous year. And interestingly, it has been reported that the Lazarus Group looted an estimated $1.34 billion through various cryptocurrency hacks in 2024 alone. 

While discussing the Lazarus Group, one crucial aspect we cannot overlook is its deep-rooted connection to North Korea. 

The Broader North Korean Connection

The Lazarus Group’s ties to North Korea are well-documented, serving as a key tool in the regime’s efforts to circumvent international sanctions and generate revenue.

As North Korea faces economic restrictions due to its nuclear weapons program, cybercrime has become a crucial source of funds, with stolen assets believed to finance state projects, including military initiatives.

Cybersecurity experts estimate that North Korean hacking operations, including those attributed to the Lazarus Group, have generated billions for the regime. A Chainalysis report revealed that in 2023 alone, North Korea-linked cybercriminal activities accounted for nearly 20% of all cryptocurrency losses, totaling over $300 million.

Beyond financial theft, Lazarus Group attacks showcase North Korea’s technological advancements and cyber warfare capabilities. The 2016 Bangladesh Bank heist, where $81 million was stolen through the SWIFT system, exemplifies how cyber operations can undermine global financial stability.

U.S. intelligence agencies have linked Lazarus Group activities directly to North Korea’s military objectives. The Department of Justice (DOJ) describes these cyber operations as part of a broader strategy to “undermine global cybersecurity” while violating international sanctions.

Lazarus operates under North Korea’s Reconnaissance General Bureau (RGB), the country’s primary intelligence agency for cyber warfare. Reports suggest that within this framework, the group is linked to the 110th Research Center, which specializes in cyber operations. The RGB provides Lazarus with resources, including training, funding, and access to advanced technologies.

The group’s structure includes specialized sub-units. For example, cybersecurity firm Kaspersky Lab has identified Bluenoroff, a subgroup focusing on financial cyberattacks, while other factions engage in espionage and sabotage. This division of labor enables Lazarus to conduct sophisticated operations while maintaining operational security.

Lazarus Group’s activities have prompted global responses from governments and cybersecurity firms. The United States, Australia, Canada, New Zealand, and the United Kingdom have attributed major cyber incidents, including the WannaCry ransomware attack, to North Korean hackers. The 2017 WannaCry outbreak affected over 300,000 computers across 150 countries, exposing vulnerabilities in critical infrastructure worldwide.

How Lazarus Group Launders Stolen Crypto

Laundering stolen cryptocurrencies is an integral part of the Lazarus Group’s operations, enabling them to convert illicit gains into usable assets while obscuring their origins. Following successful attacks on exchanges like Bybit, the group employs a series of complex techniques to move and disguise stolen funds, effectively complicating tracing efforts by law enforcement agencies and blockchain analysts.

After siphoning funds, the Lazarus Group typically follows a multi-step laundering process:

  • Initial Transfers: The stolen assets are first transferred through multiple wallets. This initial step separates the funds from their original source, making it harder to establish a direct link to the hack.
  • Use of Mixers: The group often utilizes cryptocurrency mixers, such as eXch or Sinbad.io, to further obfuscate transaction trails. Mixers work by pooling together funds from multiple users and redistributing them in smaller amounts. This process breaks the connection between the original source of the funds and their final destination.

    According to Elliptic, the Lazarus Group laundered nearly $900 million in cryptocurrency in 2023 alone, significantly contributing to a broader trend where criminal actors increasingly rely on mixing services as traditional laundering methods face more scrutiny.
  • Cross-Chain Transfers: In addition to mixers, Lazarus employs cross-chain transfers to complicate tracking efforts. This involves rapidly converting stolen funds from one blockchain or token to another using various conversion services.

    Elliptic reported that since June 2023, Lazarus has seized approximately $240 million in crypto assets through breaches at platforms like CoinsPaid and Atomic Wallet, utilizing cross-chain bridges to launder these funds effectively.
  • Multiple Mixing Rounds: The group often conducts several rounds of mixing before finally cashing out or reinvesting in other cryptocurrencies. For instance, after stealing $41 million from Stake.com in September 2023, they mixed the funds multiple times, combining them with assets from other hacks to further obscure their origins.
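The laundering chain above (fan-out into many wallets, mixer deposits, cross-chain hops) is what an exchange's compliance screening has to see through when it acts on a list of flagged addresses like the one the FBI circulated. The following is an added illustration, not code from the article or from any analytics firm: it traces funds forward from a seed set of flagged addresses over a constructed transfer ledger and classifies an incoming deposit by how many hops separate it from the seed. All addresses, the mixer list and the transfers are constructed placeholders.

```python
"""Added example (not from the article): forward taint tracing of flagged funds
across wallet hops and chains, plus deposit screening against the result.
Addresses, transfers and the mixer list are constructed placeholders."""
from collections import deque

# Constructed transfer ledger: (sender, receiver, chain, amount).
TRANSFERS = [
    ("0xHACK1", "0xA1", "eth", 500.0),     # initial split into fresh wallets
    ("0xHACK1", "0xA2", "eth", 500.0),
    ("0xA1", "0xMIXER", "eth", 500.0),     # deposit into a mixing service
    ("0xMIXER", "0xB7", "eth", 120.0),     # mixer output to another wallet
    ("0xA2", "0xBRIDGE", "eth", 500.0),    # cross-chain transfer via a bridge
    ("0xBRIDGE", "bc1qC9", "btc", 9.5),    # funds surface on another chain
    ("0xCLEAN", "0xD4", "eth", 3.0),       # unrelated traffic, never tainted
]
KNOWN_MIXERS = {"0xMIXER"}  # constructed; in practice a curated list

def trace_exposure(transfers, seeds, max_hops=4):
    """BFS forward from the seed addresses; returns {address: hops from a seed}.
    Mixer and bridge addresses are followed through so that outputs leaving
    them are still flagged; the hop count records how far funds travelled."""
    out_edges = {}
    for src, dst, _chain, _amount in transfers:
        out_edges.setdefault(src, []).append(dst)
    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for nxt in out_edges.get(cur, []):
            if nxt not in hops:          # first visit is the shortest path
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

def screen_deposit(address, exposure, mixers=KNOWN_MIXERS, direct_hops=1):
    """Classify an incoming deposit for an exchange's compliance queue."""
    if address in exposure:
        if exposure[address] <= direct_hops:
            return "block: direct exposure to flagged address"
        return f"hold: indirect exposure ({exposure[address]} hops)"
    if address in mixers:
        return "hold: known mixer"
    return "allow"

if __name__ == "__main__":
    exposure = trace_exposure(TRANSFERS, {"0xHACK1"})
    for addr in ("0xA1", "bc1qC9", "0xD4"):
        print(addr, "->", screen_deposit(addr, exposure))
```

The hop threshold and whether to propagate taint through mixer outputs are policy choices; real screening weights them by amount and time rather than treating every hop equally.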

The complexity of these laundering techniques complicates tracing efforts for law enforcement agencies and blockchain analysts. While experts acknowledge that tracking these movements is challenging due to the anonymity provided by blockchain technology, it is not impossible. 

Ongoing monitoring by firms like Elliptic aims to identify patterns that could lead to recovery efforts.

For example, in August 2023, the FBI intervened by urging cryptocurrency exchanges to halt transactions from wallets associated with the Lazarus Group. They provided a list of known Bitcoin addresses linked to the hackers in hopes of stymieing their money laundering activities.

Can the Lazarus Group Be Eradicated?

Eradicating the Lazarus Group is a formidable challenge, given its deep ties to North Korea and its sophisticated tactics. A concerted global effort involving economic sanctions, enhanced cybersecurity, and international cooperation is essential. While complete eradication may be elusive, these measures can significantly disrupt their operations.

Given the increasing sophistication of cyber threats, some might wonder if unconventional allies, such as hacking collectives like “Anonymous”, could be enlisted. However, the ethical and legal implications of involving such groups are complex and potentially problematic.

Instead, governments and institutions should leverage more open-source intelligence and public-private partnerships to enhance collective defense capabilities within established legal frameworks. A multi-faceted approach offers the best chance of mitigating the risks posed by this persistent threat.


Editorial Note: This news article has been written with assistance from AI. Edited & fact-checked by Harshajit Sarmah.
