Investigating North Korea’s Cybercrime Groups

The North Korean organisation Lazarus Group has looted over $3 billion worth of cryptocurrency in the past six years, according to research.

Crypto theft has been an issue that cybersecurity analysts (and the crypto community) have battled with since the inception of the industry. With the decentralized nature of cryptocurrency, which allows transactional fluidity, it becomes easy for any tech-savvy nerd to capitalize on the structural weaknesses of any crypto exchange, wallet, or DeFi protocol, plunder millions from unsuspecting investors, and cripple critical infrastructure. Data from analytics company Chainalysis reveals that over $9.1 billion worth of cryptocurrency has been lost to hacks in the past three years.

This ongoing struggle comes with a twist when a state-sponsored, formidable foe plays a significant role in these crimes. Accounting for a third of all stolen crypto assets in 2022, crypto hackers linked to the Democratic People’s Republic of Korea (DPRK) are recognized for their intellectual and sophisticated strategy in executing hacks on unsuspecting victims. These cyber-literate phantoms operate from behind glowing screens, wielding keyboards like weapons and exploiting the very fabric of the cryptocurrency world to enrich a regime notorious for its nuclear ambitions and human rights abuses. As you progress in this article, we’ll uncover the origin of this sinister saga, how these notorious groups are formed, and the operations of these North Korean hackers.

Why is cybercrime surging in North Korea?

Unlike other countries where digital crimes are strongly condemned, North Korea embraces the culture of using the internet as its work space for committing all sorts of financial crimes. A major catalyst to this disaster is that the North Korean government relies on the proceeds from these heists to fund the production of weapons and missile programs. According to CSO, this motive goes beyond that of an average hacker (whose aim is usually to make a quick buck off an unsuspecting victim) and only shows how the line between cybercrime and state-sponsored aggression blurs into a shade of grey. Despite having a chaotic economic structure and a negative world view, North Korea boasts the best hackers to walk on earth and holds a robust record of elegant cyberattacks.

The government is able to achieve and sustain this status by recruiting intelligent and promising young talents out of school into cybercrime. They are groomed by the best tech wizards and given an early kick start in the job. American news and opinion site Vox revealed that these young prodigies are transferred to a special school in the country’s capital, Pyongyang, for five years and are then sent to train in China or Russia for a year. Kim Heung-kwang a former computer science professor in North Korea, explained that the system was similar to a pyramid scheme

“There is a pyramid-like prodigy recruiting system where smart kids from all over the country—students who are good at math, coding, and possess top analytical skills—are picked up to be grouped at Keumseong." (Kim).

Why would anyone want their child to be recruited to a life of cybercrime? Firstly, it’s not like they had a choice, but joining the program came with a lot of compelling rewards. Most citizens of the country are restricted from using the internet, but students in this program are given access to the internet, with the option of travelling abroad and having a house in the capital with their family. For most North Koreans, living in the capital is the best opportunity.

“The residences are communal, but by North Korean standards, it’s a great place to live.” (Kim).

These privileges have helped in the success of this program, which allowed the North Korean government to assemble an army of hackers with over 6,000 members. Vox outlines that training hackers has proven to be more cost-effective than building tanks or fighter jets.

“North Korea can’t use its conventional forces without risking war, but it can launch cyberattacks more safely. The internet allows North Korea a way to launch external attacks without actually crossing the border” (Vox).

Origin of North Korea’s cybercrime groups

It is practically impossible for an individual to effectively manage an army of cybercriminals; thus, these hackers are grouped into different groups and assigned various missions. For the context of this article, we would focus on one of the groups that have been a terror to the crypto industry, the Lazarus Group.

While the exact date isn’t certain, many investigators believe that Lazarus Group was formed in 2009; this is because researchers were able to link the group to a cyberespionage attack that spanned from July 2009 to 2012, known as “Operation Troy.”. The group made another big hit on November 24, 2014, when they attacked Sony Pictures Entertainment, a division of Sony Corporation, in a bid to express their disgust over a satire titled “The Interview,” which was produced to make fun of the North Korean leader. The hackers were able to penetrate the company’s email, social accounts, and database, leaking confidential information about its employees, finances, internal operations, and also unreleased films.  

Lazarus was also accused of being responsible for attacks on multiple banks between 2015 and 2016, including an Ecuadorian bank called Banco de Austro in 2015, which allowed the criminals to walk away with $12 million. The most notable attack during this period was the “2016 bank heist,” which involved the central bank of Bangladesh on February 4–7, 2016. It was a sophisticated $1 billion heist triggered by a malfunctioning printer.

The Lazarus Group, also known as the Guardians of Peace or WhoisTeam, has evolved from just a criminal group to an advanced persistent threat (APT) focused on cyberwarfare. With its immense growth, the group was divided into units, each specializing in a specific cyberattack. BlueNorOff is one of the three units that focuses on exploiting vulnerabilities in financial institutions and was allegedly responsible for the Bangladesh Bank heist.

How does Lazarus Group operate?

Lazarus concentrates on stealing sensitive information, espionage, and exploiting technical vulnerabilities. Their targets include financial institutions, the military, entertainment firms, and shipping companies, among others. The group achieves this usually through malware, ransomware, and various infiltration tools to subdue their victim’s security. They operate in stealth, ensuring that the victim only realises they’ve been attacked when the heist is done.

Crypto projects that were victims of the Lazarus Group

The North Korean organisation Lazarus Group has looted over $3 billion worth of cryptocurrency in the past six years, according to research from Recorded Future’s Insikt Group.

“North Korea shifted its attention to cryptocurrency during the 2017 bubble, starting with the South Korean market and later expanding globally” (Recorded Future).


NiceHash is a crypto company founded in 2014 as a digital marketplace for buying and selling hashing power. The project was allegedly hacked by the Lazarus group on December 6, 2017.

“It’s December 4, 2017. Employees at NiceHash start to get phishing e-mails sent to them, which is a classic way in, of course. Sooner or later, because it’s a numbers game, it seems somebody at NiceHash inadvertently clicked on the e-mail, opened the link, opened the attachment, and got themselves infected.Geoff White.

The exact amount of what was lost isn’t completely certain, but many reports confirm that over 4,000 bitcoins were stolen, and at that time, BTC was trading around $15,000.

Horizon Bridge

Harmony’s Horizon is a cross-chain bridge that facilitates the transfer of cryptocurrencies between Harmony’s network and Ethereum. Horizon suffered an attack from Lazarus on June 23, 2022. The hackers stole over $99 million worth of cryptocurrency, swapped it for ETH, and moved the funds through the now-sanctioned Tornado Cash. The Harmony team tried to keep most information about the attack hidden as they worked with the Federal Bureau of Investigation (FBI), but the team confirmed in a medium post that private keys were compromised, which led to the exploit.

“The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorised transactions and take assets in the form of BUSD, USDC, ETH, and WBTC” (Harmony).

Ronin Bridge and Axie Infinity

The Ronin Bridge was a multi-signature bridge for transferring tokens between Ethereum and the Ronin chain. The bridge was built by Sky Mavis, the same company behind Axie Infinity. Being multi-signature meant that multiple validators needed to approve a transaction before it was executed. Ronin chain consisted of nine validators, of which at least five signatures were needed to execute a deposit or withdrawal. Lazarus Group hackers were able to gain access to five private keys, including Sky Mavis’s four Ronin validators and a third-party validator run by the Axie Infinity DAO.

On March 29, 2022, the Ronin team confirmed in an X (formerly known as Twitter) post that there was a security breach that caused the attackers to exploit the bridge for 173,600 Ethereum and 25.5 million USDC. Further reports from investigations revealed that the total amount lost to the hack was close to $612 million. Accessing the private keys allowed the attackers to liquidate the Ronin Bridge via fake withdrawals.

Response from the crypto community

This Ronin chain heist was considered to be the biggest crypto heist executed by the Lazarus Group as it involved an Ethereum side-chain, Ronin, and a play-to-earn game, Axie Infinity. According to reports from Nikkei Asia, this changed the way the crypto community and security analysts treated crypto thefts. “The Axie hack was a real turning point for this kind of threat activity," said Erin Plante, Vice President of Chainalysis. The magnitude of the heist led the government agency to adopt other strategies, including imposing the first-ever sanctions against crypto mixers, of which was the first to get sanctioned because of its ties to the Lazarus Group.

With advanced tools being adopted, security analysts are able to keep track of any security breach in real-time, but this doesn’t necessarily mean that funds stolen could easily be recovered, except transferred to a regulated exchange or swapped to Tether’s USDT. Though this relies on luck, it’s a step forward in mitigating hacks and making the crypto space safer for investors.

Sophisticated schemes or weak protocol structure

While it is effortless to accuse the attacker in any exploit event, it’s also important to take into account what the victims were doing wrong. Some Defi protocols fail in the area of securing their platforms and it gets perilous when investors need to trust the weak structure of these platforms, those that do get an audit from a security firm still get exploited. In a now-deleted substack post, Sky Mavis admitted that the attack was caused by a backdoor which allowed the attacker access to the private keys of the node validators, the team was later accused of insider trading before the security breach was announced. The team only took the reasonable step of improving protocol security after they were exploited.

What’s Lazarus’s next move?

While everyone was celebrating the New Year 2024, Orbit Chain, a cross-chain protocol, was attacked and lost $81 million after hackers exploited the bridge. According to Defillama, Orbit Chain suffered a heavy decline in TVL as its value dropped from $161 million to $65 million (currently).

Taylor Monahan, a developer at MetaMask expressed in an X post that the attack on Orbit resembled previous heists by the DPRK hackers. “Looks like 2024 is going to be another year of handing DPRK billions of dollars on a silver platter.” – Taylor

Data from onchain intelligence company Arkham reveals that a wallet linked to the Lazarus Group withdrew $1.2 million worth of bitcoin from a coin mixer. With this fascinating behavior from the deadly cyberwarfare group, it begs the question, who’s next?