We are living in rather frightening times. Not only are we threatened by conventional wars, but there are also cyber conflicts going on in the background. Governments are even collaborating with hackers to carry out attacks on the infrastructure of hostile countries on their behalf. The most famous hacker organization in the world is the Lazarus Group, whose services are used by the Kim regime.
Why did North Korea become a pirate?
Before we go further, it is worth explaining why North Korea pursues this policy at all: for what reason is it behind large-scale hacking attacks? It all comes down to the sanctions the West has imposed on the country, or more precisely to the West's attempt to stop the Kim regime from building a powerful nuclear arsenal.
The country was sanctioned by the UN and the European Union back in 2006. The sanctions were tightened after Kim Jong Un backed Russia following its invasion of Ukraine. Today there is a ban on the export and import of, among other things, weapons, precious metals, new helicopters and ships, and any materials that could help expand the nuclear weapons programme.
But why does North Korea want nuclear weapons at all? After all, as the description above shows, they only generate problems for it. In the regime's own reasoning, however, this type of weaponry is a necessity that follows from Pyongyang's history. North Korea lies in a region where it is, at least in theory, threatened by South Korea and Japan. On top of that, memories of the Korean War, in which some 1.6 million people, soldiers and civilians, were killed, are still vivid in the country. It is also a historical fact that some US military elites even analyzed the idea of dropping a nuclear bomb on Korea.
So the Pyongyang authorities face a dilemma: on the one hand they believe they need nuclear weapons, but at the same time they are cut off from Western capital and from the markets that supply the materials needed to build such weapons. That is why they decided years ago to fund nuclear weapons research with stolen cryptocurrency, or at least that is what a UN report on why the Kim regime steals digital assets concludes.
Lazarus Group
Let us now turn to the Lazarus group, which is believed to cooperate with North Korea and to carry out hacking attacks on blockchain projects on the country's behalf (and not only on those; more on that in a moment).
It is worth dispelling a myth at the outset. Many people think of Lazarus as North Korea's cyber army. In fact, however, we are not dealing with a centralized organization. There are many indications that “Lazarus” is a broader hacking community, whose various parts carry out various kinds of attacks.
The roots of Lazarus probably lie in Office 121, a special unit that Pyongyang uses for cyberwarfare. This also leads us to Office 39, which deals with intelligence, and Office 38, which is responsible for the country's financial activities.
The Lazarus Group initially focused on traditional financial systems, carrying out attacks on central banks and financial institutions, for example. Its portfolio includes a successful attack on the Central Bank of Bangladesh in 2016, during which it managed to steal as much as $81 million. Added to this were massive ATM thefts in Asia and Africa, carried out after the hackers broke into the IT systems of local banks. The cybercriminals are known to have attacked targets in many countries around the globe, including Poland.
Kaspersky Lab has analyzed how the North Koreans break into the systems of such important institutions. It turns out that they simply take advantage of human error, such as the failure of those entities to keep their software up to date. Added to this are direct attacks on employees: “planting” links that infect their computers, which then lets the hackers get into the systems of companies and institutions. According to Kaspersky Lab, the group's individual branches spend weeks analyzing their victims' systems and plan their attacks step by step.
Lazarus is used not only for financial purposes but also for propaganda. When the film “Interview with the Sun of the Nation,” which ridiculed Kim Jong Un, was made in Hollywood, the cybercriminals hacked Sony Pictures' servers and leaked their contents, obviously not to promote the film further but to inflict losses on the studio.
Attacks on cryptocurrency projects
It was only a matter of time before Lazarus became interested in the cryptocurrency market. The anonymous transfers that blockchains make possible are ideal for North Korea, which wants to circumvent sanctions.
One of the most notorious successful attacks by the North Koreans was the one on the blockchain platform Axie Infinity in March 2022. The criminals seized $620 million in USD Coin tokens and ether. It turned out that the “culprit” was one of the employees of Sky Mavis, the developer of Axie Infinity. He was contacted via LinkedIn by a person who offered him a job and sent him a PDF file with details of the offer; the file carried malware that infected the developer's machine. The criminals then used Axie DAO, the organization that governs Axie Infinity, to take over more nodes in the ecosystem, and that was enough to carry out the attack.
“Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This was seemingly terminated in December 2021, but access was not revoked,” Sky Mavis wrote in a blog post. “Once the attacker gained access to Sky Mavis' systems, he was able to obtain the Axie DAO validator signature.”
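The point of the Sky Mavis statement above is that a signing right which had "ended" in intent but was never revoked still counted toward the bridge's threshold. The following toy model, written for this article and not code from Sky Mavis or Ronin, shows why that matters. The validator names, the 5-of-9 setup, the "operator-key", the two timestamps and the set of keys the attacker is assumed to hold are all constructed; the model has no expiry enforcement in one mode (reproducing the stale-grant failure) and time-bound grants plus explicit revocation in the other.

```python
"""Toy model of delegated signing rights in a threshold-signed bridge.

Constructed example, not Sky Mavis or Ronin code. Names, the 5-of-9 setup,
the key labels and the timestamps are all made up; the point is how a grant
that ended in intent but was never revoked still counts toward the threshold.
"""
from dataclasses import dataclass, field

# Constructed timestamps: the intended end of the grant and the time of the attack.
END_OF_GRANT = 1640995200   # 2022-01-01T00:00:00Z
ATTACK_TIME = 1648166400    # 2022-03-25T00:00:00Z


@dataclass
class Delegation:
    grantor: str        # validator that lends its signing right
    grantee: str        # key allowed to sign on the grantor's behalf
    expires_at: int     # unix time after which the grant must not be honoured
    revoked: bool = False


@dataclass
class BridgeSigningPolicy:
    validators: set
    threshold: int
    delegations: list = field(default_factory=list)
    enforce_expiry: bool = True   # False reproduces the stale-grant failure

    def delegate(self, grantor: str, grantee: str, expires_at: int) -> None:
        if grantor not in self.validators:
            raise ValueError(f"{grantor} is not a validator")
        self.delegations.append(Delegation(grantor, grantee, expires_at))

    def revoke(self, grantor: str, grantee: str) -> None:
        # Explicit revocation: the only thing that removes a grant when expiry is not enforced.
        for d in self.delegations:
            if d.grantor == grantor and d.grantee == grantee:
                d.revoked = True

    def covered_validators(self, signers: list, now: int) -> set:
        """Validators whose approval the presented signer keys can legitimately represent."""
        covered = set()
        for key in signers:
            if key in self.validators:
                covered.add(key)
            for d in self.delegations:
                if d.grantee != key or d.revoked:
                    continue
                if self.enforce_expiry and now >= d.expires_at:
                    continue          # stale grant: ignored by the hardened policy
                covered.add(d.grantor)
        return covered

    def approves(self, signers: list, now: int) -> bool:
        return len(self.covered_validators(signers, now)) >= self.threshold


def scenario(enforce_expiry: bool, revoked: bool = False, now: int = ATTACK_TIME) -> bool:
    """Does a withdrawal signed with four stolen validator keys plus a stale operator key pass?"""
    policy = BridgeSigningPolicy(
        validators={f"validator-{i}" for i in range(1, 10)},   # constructed 5-of-9 bridge
        threshold=5,
        enforce_expiry=enforce_expiry,
    )
    # The DAO-controlled validator lent its signing right to an operator key,
    # meant to end at END_OF_GRANT.
    policy.delegate("validator-9", "operator-key", expires_at=END_OF_GRANT)
    if revoked:
        policy.revoke("validator-9", "operator-key")
    # Keys the attacker is assumed to hold (constructed): four validators and the operator key.
    stolen_keys = ["validator-1", "validator-2", "validator-3", "validator-4", "operator-key"]
    return policy.approves(stolen_keys, now)


if __name__ == "__main__":
    print("grant never revoked, expiry not enforced:", scenario(enforce_expiry=False))              # True
    print("grant never revoked, expiry enforced:    ", scenario(enforce_expiry=True))               # False
    print("grant explicitly revoked:                ", scenario(enforce_expiry=False, revoked=True))  # False
```

The lesson for anyone operating a threshold scheme is the middle line: four stolen validator keys were one short of the threshold, and the forgotten delegation supplied the fifth. Grants that carry an expiry the verifier actually checks, and a revocation step that is part of the off-boarding procedure rather than a matter of intent, remove that path; an audit that lists every live delegation against its intended end date is the corresponding detection.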
The Lazarus group also successfully attacked the KuCoin ($275 million loss) and Coincheck ($530 million loss) exchanges. The record was broken in February 2025, when the Bybit exchange was robbed of $1.5 billion (in ETH and stETH). Interestingly, the hackers seized the funds from the company's cold wallet.
“The transfer was part of a planned transfer of ETH from our “ETH Multisig Cold Wallet” to our hot wallet. Unfortunately, the transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, allowing the attacker to take control of the “ETH Cold Wallet”. As a result, more than 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address,” reads the official announcement published on the robbed platform's website.
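Bybit's statement describes a masked signing interface: the signers saw a routine cold-to-hot transfer while the bytes they approved changed the wallet's contract logic. The defence is to re-derive what a request does from the raw payload rather than trust the summary a web front end shows. The script below, added here as an illustration and not Bybit's or any wallet vendor's code, does that for a deliberately simple payload format; the `op|field|field` encoding, the wallet labels, the amounts and the digest shown on the "signing device" are all constructed, and real multisig contracts encode calldata very differently.

```python
"""Independent check of a multisig signing request before a key touches it.

Constructed example, not Bybit's or any wallet vendor's code. The payload
format 'op|field|field', the digest shown on the signing device, the wallet
labels and the amounts are all made up; what matters is that the signer
re-derives action, destination and digest from the raw bytes instead of
trusting the summary a web interface displays.
"""
import hashlib

# Constructed allow-list: the only destination a cold-to-hot transfer may use.
HOT_WALLET = "hot-wallet-constructed"
ALLOWED_DESTINATIONS = {HOT_WALLET}


def decode_payload(raw: bytes) -> dict:
    """Decode the toy payload 'op|field|...' into a dict, rejecting anything unknown."""
    parts = raw.decode("ascii").split("|")
    if parts[0] == "transfer" and len(parts) == 3:
        return {"action": "transfer", "to": parts[1], "amount": int(parts[2])}
    if parts[0] == "set_implementation" and len(parts) == 2:
        return {"action": "set_implementation", "implementation": parts[1]}
    raise ValueError(f"unrecognised payload {raw!r}")


def payload_digest(raw: bytes) -> str:
    """The digest a signing device would show; recomputed here from the raw bytes."""
    return hashlib.sha256(raw).hexdigest()


def verify_signing_request(raw: bytes, displayed: dict, allowed: set = ALLOWED_DESTINATIONS) -> list:
    """Return the reasons to refuse signing; an empty list means the request checks out."""
    try:
        decoded = decode_payload(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return [f"undecodable payload: {exc}"]
    problems = []
    if payload_digest(raw) != displayed.get("hash"):
        problems.append("digest on the signing device does not match the raw payload")
    if decoded["action"] != displayed.get("action"):
        problems.append(f"interface shows {displayed.get('action')!r} but payload performs {decoded['action']!r}")
    if decoded["action"] == "transfer":
        if decoded["to"] not in allowed:
            problems.append(f"destination {decoded['to']!r} is not an allow-listed wallet")
        if decoded["to"] != displayed.get("to") or decoded["amount"] != displayed.get("amount"):
            problems.append("destination or amount shown differs from the payload")
    else:
        problems.append("payload changes the wallet's contract logic instead of moving funds")
    return problems


def honest_request() -> list:
    """A routine cold-to-hot transfer whose summary matches the bytes being signed."""
    raw = b"transfer|hot-wallet-constructed|400000"
    shown = {"action": "transfer", "to": HOT_WALLET, "amount": 400000, "hash": payload_digest(raw)}
    return verify_signing_request(raw, shown)


def masked_request() -> list:
    """The interface still shows the routine transfer, but the bytes swap the contract logic."""
    raw = b"set_implementation|attacker-contract-constructed"
    benign_looking = b"transfer|hot-wallet-constructed|400000"
    shown = {"action": "transfer", "to": HOT_WALLET, "amount": 400000, "hash": payload_digest(benign_looking)}
    return verify_signing_request(raw, shown)


if __name__ == "__main__":
    print("honest:", honest_request())   # []
    print("masked:", masked_request())   # three reasons to refuse
```

Three properties of the check carry over to real deployments: the decoder is independent of the interface that built the request, the destination is compared against an allow-list the signer controls, and a payload that does anything other than the expected transfer is refused outright rather than merely flagged. In practice this means decoding calldata with a separate tool and comparing the digest on the hardware signer's own screen, not in the browser.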
We also learned about a creative Lazarus operation in 2020. The case involves a lesser-known cryptocurrency exchange and is rarely mentioned to this day, although it shows what Lazarus is capable of. The hackers first created a very realistic-looking website and social media accounts for a front company, WFC Proof, which offered Worldbit-bot, a trading bot, to the DragonEx exchange. Although Worldbit resembled an ordinary trading bot, malware was embedded in its code that let the hackers take control of DragonEx's systems. Everything happened, so to speak, “at the request” of the exchange, which agreed to install the bot itself and added it to its systems. In this way the hackers stole the private keys to the company's hot wallet and robbed it of $7 million.
Pirates of the modern world
The activities of the Lazarus group pose a serious threat to cybersecurity around the world. International bodies are stepping up efforts to strengthen their own cyber defenses and to prosecute those responsible for the attacks, but the effectiveness of these efforts remains a problem: there are many indications that the North Korean hackers continue to go unpunished.