The crypto and decentralized finance sector keeps expanding its boundaries with new developments such as institutional ETFs, tokenized real-world assets, and regulatory clarity in many countries. These developments are boosting mainstream adoption. Despite them, the crypto sector is still struggling with the security of users’ funds. Hackers are constantly searching for loopholes and weaknesses to exploit in the rapidly growing digital asset sector.
According to an official report from Chainalysis, more than $3.4 billion worth of cryptocurrency funds were compromised in 2025. North Korean hackers, mainly linked to the infamous Lazarus Group, are alone responsible for around $2.02 billion of the total amount stolen. This is a jump of around 51% from 2024. While white hat hackers and cybersecurity experts are continuously working to protect the crypto sector against these hacks and exploits, the scale of the attacks is still large and is scaring away users.
What is the Lazarus Group?
The Lazarus Group, which has also been tracked as APT38 or TraderTraitor in many operations, is a state-sponsored hacking group controlled by the Democratic People’s Republic of Korea and linked to the Reconnaissance General Bureau, which serves as North Korea’s main intelligence agency.
According to some experts, the Lazarus Group works directly under the government’s instructions to generate revenue for the state by executing cyber attacks on financial institutions. The money stolen in these hacks is used directly to support North Korea’s nuclear and missile programs. At the same time, the hacks help the country to overcome international sanctions.
Many people think of it as a single independent group. In reality, it is an umbrella organization that consists of a large number of different hacking units. It has executed cyber operations for many years, initially starting with attacks on banks, media companies, and important infrastructure. For the last few years, the group has directed its focus on the booming crypto sector because digital assets are a soft target, and funds are easier to launder in crypto than in fiat currencies.
Lazarus Group’s History of Major Hacks in the Crypto Industry
The Lazarus Group has been active in the crypto sector since 2017, after the sector came into the limelight. In its early years, from 2017 to 2019, the group launched cyber attacks on cryptocurrency exchanges such as Upbit in 2019, in which the platform suffered a loss of around $50 million. A similar attack took place in 2020 on KuCoin, in which hackers siphoned off around $275 million. However, a large portion of these funds was recovered after a few months.
In 2022, the Lazarus Group launched one of the biggest cyber attacks in DeFi history. The attack took place on the Ronin Network bridge and resulted in the loss of over $620 million, making it the biggest hack in the crypto sector. The Ronin Bridge was linked to the popular game Axie Infinity. In an official document, the Federal Bureau of Investigation acknowledged that this attack was directly linked to the Lazarus Group.
In the same year, the group also exploited the Harmony Horizon Bridge, where hackers stole approximately $100 million.
In 2023, the crypto sector again witnessed major cyber attacks from the group. These included the Atomic Wallet hack, where the platform suffered a loss of around $100 million. The Stake.com hack took place in the same year, where users lost around $41 million. The FBI also confirmed that the Lazarus Group was behind this attack. Other platforms such as CoinEx, Alphapo, and CoinsPaid also faced hacks from the same group. In total, the Lazarus Group stole millions of dollars in crypto over the year.
In 2024 and 2025, the scale of these attacks increased unusually. According to some reports, the Lazarus Group was behind the biggest hack of 2024, on the India-based cryptocurrency exchange WazirX, where users lost around $235 million.
The biggest incident happened on February 21, 2025, with the hack of the Bybit exchange, which is the largest single cryptocurrency theft ever. In this attack, hackers stole around $1.5 billion in Ethereum and other assets.
Lazarus Group’s Patterns for Executing Cyber Attacks on Crypto Platforms
In the last few years, the Lazarus Group has launched many types of attacks on the crypto sector, from the exploitation of small bugs to carefully designed social engineering attacks. Here are some of the popular techniques these North Korean hackers use:
- Social Engineering – In this type of cyber attack, hackers create fake jobs or profiles on social media platforms to deliver malware through technical interviews.
- Insider Access – North Korean hackers are well-trained in attacking and taking control of third-party tools or software. They do this by bribing IT workers at IT companies. For example, during the cyber attack on Bybit, they injected malicious code into the wallet software. This deceived operators into verifying and approving transactions to addresses linked to the hackers.
- Attack on Private Key – The Lazarus Group has repeatedly targeted hot wallets, bridges, and multi-signature infrastructure.
- Laundering – After stealing money, the Lazarus Group’s hackers quickly move the stolen funds through bridges, mixers, and other services.
Apart from these common patterns, the group has reportedly launched campaigns like “Mach-O Man”. This campaign mainly targets macOS users in the crypto and other fintech sectors, delivering malware through routine communications.
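The Bybit case above turns on operators approving a transaction that was not what their wallet software showed them. The following added example (not from the article or from any vendor) sketches an independent check a signer could run outside the wallet UI; it assumes the payload is a plain ERC-20 `transfer` call, and all addresses, amounts and function names are constructed for illustration.

```python
# Added example (not from the article): compare what an approval UI displayed
# with what the raw payload would actually do. All values are constructed.
TRANSFER_SELECTOR = "a9059cbb"  # ERC-20 transfer(address,uint256)

def decode_erc20_transfer(calldata_hex):
    """Return (recipient, amount) for plain ERC-20 transfer calldata, else None."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        return None
    # 4-byte selector followed by two 32-byte ABI words
    if len(raw) != 68 or raw[:4].hex() != TRANSFER_SELECTOR:
        return None
    if any(raw[4:16]):  # the address word must be zero-padded on the left
        return None
    return "0x" + raw[16:36].hex(), int.from_bytes(raw[36:68], "big")

def review_signing_request(displayed, raw_calldata, allowlist):
    """Return a list of findings; an empty list means the payload matches."""
    decoded = decode_erc20_transfer(raw_calldata)
    if decoded is None:
        return ["payload is not a plain ERC-20 transfer: do not approve blind"]
    recipient, amount = decoded
    allowed = {a.lower() for a in allowlist}
    findings = []
    if recipient != displayed["to"].lower():
        findings.append(f"recipient mismatch: shown {displayed['to']}, payload {recipient}")
    if amount != displayed["amount"]:
        findings.append(f"amount mismatch: shown {displayed['amount']}, payload {amount}")
    if recipient not in allowed:
        findings.append(f"recipient {recipient} is not on the withdrawal allowlist")
    return findings

def make_transfer(to, amount):
    """Build constructed sample calldata for the demo."""
    return "0x" + TRANSFER_SELECTOR + to[2:].rjust(64, "0") + format(amount, "064x")

COLD_WALLET = "0x" + "11" * 20  # constructed address
UNKNOWN = "0x" + "22" * 20      # constructed address
SHOWN = {"to": COLD_WALLET, "amount": 1000}

if __name__ == "__main__":
    print(review_signing_request(SHOWN, make_transfer(COLD_WALLET, 1000), [COLD_WALLET]))
    print(review_signing_request(SHOWN, make_transfer(UNKNOWN, 1000), [COLD_WALLET]))
```

The check only helps if it runs on a machine and code path separate from the wallet software whose display is being verified.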
How Authorities and the Crypto Sector Are Fighting Against the Lazarus Group
The United States Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on the Lazarus Group, along with linked entities, including cryptocurrency addresses linked to the attacks.
Apart from this, an international coalition has been formed against such hacking groups to counter their filthy motives. From time to time, different law enforcement agencies have seized funds before they could be laundered and used by the North Korean regime to develop its missile arsenal.
The crypto sector is also working to develop countermeasures and proactive measures to fortify the industry against cyber attacks. Chainalysis, one of the leading blockchain analytics companies, is actively working to trace stolen funds and help in their recovery.
Despite all of these efforts, it is an uphill task to stop the Lazarus Group’s operations completely, as the group keeps evolving its attacks.
Conclusion
North Korea’s Lazarus Group is the biggest nightmare for the crypto industry. While the sector is slowly getting regulatory clarity, constant cyber attacks on DeFi protocols, exchanges, and wallets are scaring away users and also raising questions about the guarantee of users’ funds.
This is why crypto-based platforms must take cybersecurity seriously and hire the best talent to reduce the chances of such attacks. Relying only on audits will not help. They must integrate a strong monitoring system along with new innovations to prevent hacks.
