Cryptocurrency - Geopolitics

The Lazarus Group: North Korea Versus The World

An Advanced Persistent Threat To Global Cybersecurity

The Crypto Kiosk
Published in
7 min readFeb 11, 2024


Cover on Pixabay (background)

From the Sony Pictures hack to the WannaCry ransomware attack, the notorious Lazarus Group has been relentless in its pursuit of mayhem and destruction, exploiting systemic weaknesses and looting billions.

The exact magnitude of these hacks is not entirely known.
The authoritarian regime in North Korea is utilizing this vile practice to empower its position while sustaining absolute control of 26 million people and evolving as a global threat to peace and stability by constantly pursuing to upgrade its nuclear arsenal.

The attacks have expanded beyond traditional finance into the realm of cryptocurrency, with the influx of approximately $3 billion in crypto funds to the North Korean regime in just the past few years alone.

The vast flow of funds into this autocratic regime is alarming. As we delve deeper into this issue, it’s clear that the implications reach beyond mere financial loss. The threat to global security is dire, especially as we examine the actions of the Lazarus Group.

The Lazarus Group (a.k.a. APT38)

The Lazarus Group is widely perceived to be a state-sponsored hacking organization, operated by the North Korean regime.

The group has been active since 2009 and has engaged in disastrous sophisticated attacks against the infrastructure of financial institutions globally.

The group goes by many names such as:

  • Lazarus Group
  • APT38
  • Bluenoroff
  • 414 Liaison Office
  • Bureau 121
  • TEMP.Hermit
  • BeagleBoyz
  • Stardust Chollima

(The techniques and software this hacking group uses are analyzed here).

In an unpublished report, the UN has recently evaluated the crypto thefts by the North Korean state-sponsored hacking team Lazarus Group up to $3 Billion, though the exact amount is likely higher.

Here are some of the most notable hacks the Lazarus Group has performed in chronological order:

Between 2009 and 2013, the group attempted to damage South Korean online foundations while targeting them with DDoS (Denial of Service) attacks.


  • Sony Pictures Hack

The escalation of the group’s operations was initiated in 2014 when the group carried out the infamous Sony Pictures hack, and proceeded with a data dump of unreleased movie material and private information of employees of the company, as well as scripts and plans, while also causing damage by spreading malware that erased data from Sony’s internal network.

The reason for the attack was the expected release of a new film called “The Interview”, which would present a fictional scenario of an assassination attempt against North Korea’s leader.

The movie’s release in cinemas faced delays, and after an initial limited launch, it was ultimately withdrawn. It was released later in several formats on live streaming services and DVD.

The immediate cost to Sony Pictures amounted to $15 million, yet this figure did not include the subsequent withdrawal of the film from cinemas nor the expenses incurred for heightened security measures, which both Sony Pictures and other corporations in the entertainment sector had to bear.


  • Banco del Austro in Ecuador: $12 million

This attack was the first in a series of bank heists that targeted SWIFT’s inter-banking systems. Some security experts (Symantec) linked all these attacks to the Lazarus Group (source).

“We’ve never seen an attack where a nation-state has gone in and stolen money,” Mr. Chien added. “This is a first.”


  • The Bangladesh Bank Heist: $101 million

The NSA published detailed findings on the case that link the North Korean hackers to this heist (source).

In February 2016, the attack was executed after the Lazarus Group had been preparing it for months by acquiring control of the bank systems, installing malware to erase their traces, and using various accounts in several other banks to launder the money.

DPRK hackers send 36 fraudulent payment orders for nearly $1 billion to the New York Fed.

Although most of these payments were blocked, five transactions went through, resulting in the theft of $101 million from the Bangladesh Bank.


  • Wannacry Ransomware

The catastrophic cost of this ransomware is unknown. The worm (malware that automatically spreads between systems) affected millions of computers globally, by locking down access and demanding ransom in cryptocurrency.

According to Wikipedia, the NSA had developed an exploit (EternalBlue) for Windows systems, which was leaked by another hacking team. Within a month, the Lazarus Group transformed it into one of the most malicious and catastrophic malware ever.

The cost of this attack amounted to billions of dollars, although the evaluation is probably impossible.

Within days, 51BTC (~$150 million) was transferred to the hackers’ address indicated by the malware.

In 2017, the US confirmed North Korea was behind the attack.

  • Far Eastern International Bank: $60 million

A Taiwanese bank was also targeted, with the Lazarus Group exploiting the SWIFT network to siphon $60 million (source).

In 2017, Lazarus also focused on spreading malware via spearheading attacks targeting cryptocurrency owners and hacking exchanges from South Korea.

  • Bithumb: $7 million
  • Youbit: $6 million + (Undisclosed amount)

These two South Korean exchanges are the first known attacks of the group against cryptocurrency-related structures.

At least 4000BTC were stolen in two hacks, with Youbit declaring bankruptcy.

  • NiceHash: ~$75 million (4,736 BTC)

The Lazarus Group in 2017 hacked the cryptocurrency mining market Nicehash and stole 4736BTC worth approximately $64 million.

The hacking indictment filed in the U.S. District Court in Los Angeles says that Jon Chang Hyok, 31; Kim Il, 27; and Park Jin Hyok, 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking.

(source: Nicehash)


  • BANCOMEXT (Mexican Bank): $20 million
  • Bank Of Chile: $10 million


  • DragonEx (crypto exchange): $7 million (source)



The group engaged in various attacks and launches of new malware (MATA framework) exploiting financial and industrial networks.


  • Axie Infinity: $620 million in Axie Tokens (source)
  • Harmony: $100 million worth of ETH (source)


  • Atomix Wallet: $35 million (source)
  • Coinspaid Payment Provider: $37 million (source)
  • Alphapo Payment Provider: $60 million (source)
  • $41 million in crypto (source)

The list contains countless more attacks against the financial and industrial infrastructure of economies around the world.

North Korea has targeted entities worldwide, with the exception of China, as it is believed that China serves as a base of operations for the Lazarus Group and other state-sponsored hacking activities.

Due to the limitations in internet infrastructure in the country (low number of IPs), the group has to operate from different regions.

International Arrest Warrants And More Threats


The FBI has identified North Korean citizen Park Jin Hyok as the mastermind of the Lazarus Group operations and issued an international warrant.

Besides the Lazarus Group, two other notorious hacking groups have largely profited from crypto-ransomware extortion, although not connected with the North Korean regime.

Black Basta and cl0p are two hacking groups that have utilized ransomware to extort more than $100 million funds each, with the first one employing a sanctioned Russian exchange (Garantex) for laundering these digital funds.

In Conclusion


North Korea has profited from cyber warfare, with the Lazarus Group wreaking havoc and imposing significant costs on the industries and economies it targets.

Cybersecurity education can mitigate the potential impact of future attacks. Improving security systems, with regular updates and improved authentication techniques, will fortify defenses and safeguard functionality.

While corporations have sought to minimize cybersecurity costs, recent attacks have demonstrated their potentially devastating consequences, raising questions about the long-term viability of businesses, government structures, and industries.

As cyber-attacks grow in frequency and complexity, companies must prioritize investments in technology, personnel training, and resources to protect their data and systems.

Neglecting security measures can lead to substantial financial losses, and reputation damage and jeopardize the long-term sustainability of businesses.

Therefore, implementing robust security becomes paramount to counter the threats of cyber attacks.

Also Watch:

More Stories By Pantera:

👉 (BCH donations)

👉 LinkTree (my links)

Don’t forget to Subscribe and Like if you enjoyed this story!



The Crypto Kiosk

Sharing my seven years of experience with cryptocurrencies.