The $3 Billion Hack That Nobody Got Arrested For – Inside the Lazarus Group’s Crypto Theft Machine

By News Room | April 2, 2026 | 6 Mins Read

A group of people are currently seated at computers somewhere in Pyongyang, in a building that intelligence analysts have tentatively located in the Potonggang District. Not in a big way. Not in a war room with countdown clocks and red lighting. Simply working: methodically, in shifts, and with the kind of concentration that results from being fully aware of the nature of the work and its intended audience.

Elliptic’s cryptocurrency investigators say the operation runs around the clock, stopping for only a few hours at a time. Dr. Tom Robinson, who has tracked their digital footprints for years, put it simply: a room full of people using automated tools, transferring stolen cryptocurrency through a complex web of transactions intended to render the money untraceable before the rest of the world has a chance to respond.

| Category | Details |
| --- | --- |
| Group Name | Lazarus Group (also known as Hidden Cobra, ZINC, Diamond Sleet, Guardians of Peace) |
| Origin | Pyongyang, North Korea (allegedly Potonggang District) |
| Parent Organization | Lab 110 and Bureau 121, Reconnaissance General Bureau |
| Active Since | c. 2009 (Operation Troy) |
| Total Estimated Theft | $3.4+ billion in cryptocurrencies |
| Largest Single Heist | $1.5 billion, ByBit Exchange, February 21, 2025 |
| Notable Past Attacks | Sony Pictures (2014), Bangladesh Bank ($81M, 2016), WannaCry ransomware (2017) |
| Primary Purpose | Funding North Korea’s nuclear and ballistic missile program |
| Key Technique | Spearphishing, zero-day exploits, LinkedIn social engineering, malware |
| Arrests Made | None in custody |
| Reference Website | fbi.gov (Lazarus Group) |

This is the Lazarus Group. Over the last fifteen years they have emerged as the world’s most consistently successful financial criminals, not in spite of the lack of arrests but in part because of it.

It’s hard to take in all the numbers at once. Since about 2007, hackers from the Lazarus Group have stolen an estimated $3.4 billion in cryptocurrency through numerous attacks on financial platforms, banks, and exchanges across several continents. On February 21, 2025, they broke into ByBit, a cryptocurrency exchange in Dubai, and stole $1.5 billion worth of Ethereum tokens.

This was the biggest cryptocurrency theft ever documented. In less than 48 hours, an estimated $160 million of that had already been laundered. In less than two weeks, at least $300 million had been successfully converted into money that blockchain investigators deemed unrecoverable. Gone. Absorbed into the financial system in ways that leave virtually no trace.

The scope of the ByBit heist is not the only reason it merits careful investigation. It’s the approach. Instead of directly breaching ByBit’s defenses, the attackers gained access to a third-party storage software provider that ByBit used to transfer Ethereum internally. They then surreptitiously changed the digital wallet address, causing money to flow to accounts controlled by Lazarus instead of the intended recipient. This type of attack requires months of planning, in-depth understanding of a target’s operational architecture, and the patience to wait for the ideal opportunity. When the actual theft occurred, it was nearly undetectable. ByBit was not immediately aware of what had happened.

Observing the Lazarus Group’s trajectory from the outside gives the impression that they have been methodically improving their capabilities for fifteen years in response to every defensive strategy the industry has used against them. The initial attacks, which began with Operation Troy in 2009, were comparatively direct: they used Mydoom malware to launch distributed denial-of-service (DDoS) floods against South Korean government websites. Not very elegant, but effective enough.

By 2014, they were able to steal unreleased movies, executive emails, salary records, and personal information about roughly 4,000 employees by infiltrating a large company’s network for more than a year without being discovered. Seventy percent of Sony’s computers were destroyed in the attack. It was the first clear indication to the general public that this group was functioning differently from regular criminal hackers.

The 2016 Bangladesh Bank heist revealed something even more concerning. Lazarus agents used the SWIFT international banking network to issue fraudulent instructions and successfully transferred $81 million before a misspelled word in one instruction raised a red flag and prevented further transfers totaling nearly $1 billion. They were now targeting the global financial system’s infrastructure rather than just specific businesses.

The attack’s operational discipline—submitting 35 fraudulent transfer instructions via a genuine banking network—remains impressive. Five were successful. A spelling mistake stopped the other thirty. The theft might have been almost ten times greater in the absence of that error.

The obvious next frontier was cryptocurrency, which Lazarus entered with the same methodical patience. It has a structural appeal. Instantaneous cross-border transactions are possible with cryptocurrency without the need for traditional banks, which have compliance and reporting departments.

Public blockchain records might seem to work against criminals, but anonymization techniques such as chain-hopping between tokens, mixing services, and using decentralized exchanges can obscure the money trail enough to make recovery nearly impossible. According to Dr. Robinson at Elliptic, North Korea is the most adept at laundering cryptocurrency out of all the criminal organizations involved. That’s not a lighthearted remark. It’s an expert evaluation from a person who monitors this for a living.

Coverage that concentrates on the technical exploits usually ignores the social engineering aspect. Before launching phishing attacks, Lazarus agents have been pretending to be recruiters on LinkedIn, sending connection requests to security researchers, blockchain developers, and exchange workers. Over the course of weeks or months, they have developed a genuine professional rapport. It’s not a grab-and-go.

Run concurrently across dozens of targets, it’s more akin to a long con, waiting for one of them to click the wrong link or open the wrong attachment. Several cryptocurrency firms found in 2024 that individuals they had hired as reputable IT contractors were, in fact, North Korean agents who had been inside their systems for months before anyone noticed.

It’s difficult not to find this accountability gap to be extremely concerning. Wanted notices have been issued by the FBI. Attacks have been officially linked to North Korean government actors by the US Department of Justice. Blockchain analytics companies have frozen some stolen funds in the middle of transfers, addresses have been blacklisted, and sanctions have been imposed. And yet. There has never been an arrest or prosecution of any member of the Lazarus Group. As far as the public can tell, the masterminds behind the biggest financial heist in cryptocurrency history are still working on the next one from their computers in Pyongyang.

The majority of analysts concur that the funds go directly toward North Korea’s development of ballistic missiles and nuclear weapons. This implies that the affected cryptocurrency exchanges are unintentionally funding a weapons program in addition to losing investor money. Compared to a typical financial crime story, that framing tends to land differently. It ought to.
