
Paradigm: Unraveling the Threat of North Korean Hacker Group Lazarus Group
A look at the Lazarus Group, the perpetrator behind the Bybit hack, covering its organizational structure, attack methods, and the defenses that work against it.
Author: samczsun, Research Partner at Paradigm
Translation: Bright, Foresight News
One morning in February, the SEAL 911 group chat lit up: we watched in confusion as Bybit moved over $1 billion worth of tokens from their cold wallet to a new address, then rapidly began liquidating over $200 million in LSTs. Within minutes, we confirmed through both the Bybit team and independent analysis (the multisig had previously run on the publicly verified Safe Wallet contracts but was now backed by a newly deployed, unverified contract) that this was not routine maintenance. Someone had just pulled off the largest cryptocurrency heist in history, and we were sitting front row to it.
While part of our team (and the broader investigation community) began tracking funds and issuing alerts to cooperating exchanges, other members scrambled to understand what exactly had happened and whether additional funds were at risk. Fortunately, identifying the perpetrator was easy. Over the past several years, only one known threat actor has successfully stolen billions of dollars from cryptocurrency exchanges: North Korea, also known as DPRK.
However, beyond that, we had almost no leads. Due to the cunning nature of North Korean hackers and their sophisticated self-obfuscation techniques, it’s not only difficult to determine the root cause of an intrusion, but even challenging to identify which specific team within North Korea is responsible. The only thing we could rely on was existing intelligence indicating that North Korea indeed favors social engineering to breach crypto exchanges. Thus, we speculated that they likely compromised one of Bybit’s multisig signers and then deployed malware to interfere with the signing process.
It turned out this guess was completely off base. Days later, we discovered that North Korea had actually compromised the Safe Wallet infrastructure itself and deployed a malicious override specifically tailored to target Bybit. This level of sophistication was unprecedented—something no one had considered or prepared for—and poses a significant challenge to many existing security models.
North Korean hackers represent an escalating threat to our industry, and we cannot defeat an enemy we don’t understand. While there are numerous documented incidents and articles about various aspects of North Korean cyber operations, piecing them together remains difficult. My hope with this overview is to provide a more comprehensive understanding of how North Korea operates—their strategies and procedures—so we can better implement appropriate mitigation measures.
Organizational Structure
Perhaps the biggest misconception to address is how North Korea's vast cyber activities are categorized and named. While using "Lazarus Group" colloquially as an umbrella term is acceptable, a more precise framework helps when discussing North Korea’s systematic cyber threats in detail.
First, it helps to understand North Korea’s “org chart.” At the top is the Workers’ Party of Korea (WPK), the ruling (and only) political party, under which all government institutions operate. These include the Korean People’s Army (KPA) and the Central Committee. Within the KPA is the General Staff Department (GSD), which houses the Reconnaissance General Bureau (RGB). Under the Central Committee lies the Military-Industrial Department (MID).
The RGB oversees nearly all of North Korea’s cyber warfare, including virtually every North Korean activity observed in the cryptocurrency sector. In addition to the infamous Lazarus Group, other threat actors emerging from the RGB include AppleJeus, APT38, DangerousPassword, and TraderTraitor. On the other hand, the MID manages North Korea’s nuclear missile program and serves as the primary source of North Korean IT workers, whom the intelligence community refers to as Contagious Interview and Wagemole.
Lazarus Group
The Lazarus Group is a highly sophisticated hacking organization believed by cybersecurity experts to be behind some of the largest and most destructive cyberattacks in history. Novetta first identified the Lazarus Group in 2016 while analyzing the hack of Sony Pictures Entertainment (Sony).
In 2014, Sony was producing the action-comedy film *The Interview*, whose central plot involved the humiliation and assassination of Kim Jong-un. Understandably, this did not sit well with the North Korean regime, which retaliated by infiltrating Sony’s network, stealing multiple terabytes of data, leaking hundreds of gigabytes of confidential or sensitive information, and wiping original files. As then-CEO Michael Lynton put it, “The people who did this didn’t just steal everything in the house—they burned the house down.” Ultimately, Sony spent at least $15 million on investigation and remediation efforts related to the attack, with potential losses being much higher.
Then in 2016, hackers closely linked to the Lazarus Group breached the Bangladesh Bank in an attempt to steal nearly $1 billion. Over the course of a year, the attackers conducted extensive social engineering against bank employees, eventually gaining remote access and moving laterally within the internal network until reaching computers responsible for interacting with the SWIFT system. From there, they waited for the perfect window: the Bangladesh Bank observes Thursday as its weekend, while the New York Federal Reserve observes Friday. Late Thursday night local time in Bangladesh, the threat actors used their access to the SWIFT network to send 36 separate wire transfer requests to the New York Fed, who received them early Thursday morning in New York. Over the next 24 hours, the New York Fed forwarded these transfers to Rizal Commercial Banking Corporation (RCBC) in the Philippines, which began processing them. When the Bangladesh Bank reopened for business, they discovered the breach and attempted to alert RCBC to halt ongoing transactions—only to find that RCBC was closed due to Lunar New Year holidays.
Later, in 2017, the massive WannaCry 2.0 ransomware attack crippled industries worldwide, with partial responsibility attributed to the Lazarus Group. Estimated to have caused billions of dollars in damages, WannaCry exploited an NSA-developed Microsoft Windows zero-day vulnerability, encrypting local devices and spreading automatically to other accessible systems, ultimately infecting hundreds of thousands of machines globally. Fortunately, thanks to security researcher Marcus Hutchins discovering and activating a kill switch within eight hours, the overall damage was contained.
Throughout the evolution of the Lazarus Group, they have demonstrated exceptional technical capability and operational execution, with one of their core objectives being revenue generation for the North Korean regime. It was only a matter of time before they turned their attention to the cryptocurrency industry.
Derivatives
Over time, as “Lazarus Group” became the media’s go-to label for North Korean cyber activity, the cybersecurity industry developed more precise names for distinct subsets of Lazarus and North Korean operations. APT38 is one such example—a subgroup that split from the Lazarus Group around 2016, focusing exclusively on financial crimes, first targeting banks (like the Bangladesh Bank), then shifting to cryptocurrency. Later in 2018, a new threat dubbed AppleJeus emerged, distributing malware aimed at cryptocurrency users. Finally, as early as 2018, when OFAC first sanctioned two North Korean shell companies, evidence showed North Koreans posing as IT professionals had already begun infiltrating the tech industry.
North Korean IT Workers
Although the earliest documented references to North Korean IT workers date back to the 2018 OFAC sanctions, Unit 42’s 2023 report provided greater detail and identified two distinct threat actors: Contagious Interview and Wagemole.
Contagious Interview impersonates recruiters from well-known companies, luring developers into fake interview processes. Candidates are then instructed to clone a repository for local debugging—ostensibly as a coding test—but the repository contains a backdoor. Once executed, the backdoor grants attackers control over the victim’s machine. This campaign remains active, with the most recent incident recorded on August 11, 2024.
In contrast, Wagemole agents aim not to recruit victims, but to get hired themselves, working inside organizations as seemingly ordinary engineers—though potentially with lower productivity. That said, there are documented cases where these IT workers abused their access for attacks. For example, in the Munchables incident, an employee linked to North Korean operations exploited privileged access to smart contracts to drain all assets.
The sophistication of Wagemole operatives varies widely—from generic resume templates and reluctance to participate in video calls, to highly customized resumes, deepfake video interviews, and forged identity documents such as driver’s licenses and utility bills. In some instances, agents have remained embedded within victim organizations for up to a year before leveraging their access to compromise systems or fully cash out.
AppleJeus
AppleJeus primarily focuses on spreading malware through complex supply chain attacks. In 2023, the 3CX supply chain attack potentially exposed over 12 million users of the 3CX VoIP software, though it was later revealed that 3CX itself had been compromised via a supply chain attack on its upstream vendor, Trading Technologies.
Within the cryptocurrency space, AppleJeus initially distributed malware disguised as legitimate software—such as trading platforms or cryptocurrency wallets. However, their tactics have evolved over time. In October 2024, Radiant Capital was breached after a threat actor impersonating a trusted contractor delivered malware via Telegram; Mandiant attributed the attack to AppleJeus.
DangerousPassword
DangerousPassword conducts low-complexity, socially engineered attacks against the cryptocurrency industry. As early as 2019, JPCERT/CC documented DangerousPassword sending phishing emails with enticing attachments for users to download. In prior years, DangerousPassword was responsible for impersonating prominent industry figures and sending phishing emails with subject lines like “Stablecoins and crypto assets pose huge risks.”
Today, DangerousPassword continues sending phishing emails but has expanded to other platforms. For instance, Radiant Capital reported receiving a phishing message via Telegram from someone impersonating a security researcher, distributing a file named “Penpie_Hacking_Analysis_Report.zip.” Additionally, users have reported being contacted by individuals posing as journalists or investors who request meetings via obscure video conferencing apps. Similar to Zoom, these apps prompt a one-time installer download, but upon execution, silently install malware onto the device.
TraderTraitor
TraderTraitor is the most sophisticated North Korean threat actor targeting the cryptocurrency industry, responsible for breaches at Axie Infinity and Rain.com. It targets almost exclusively exchanges with large reserves and other high-value entities, avoiding zero-day exploits in favor of highly advanced spear-phishing. In the Axie Infinity hack, TraderTraitor contacted a senior engineer via LinkedIn and convinced them to go through a series of interviews before delivering malware in a document labeled as a “proposal.”
Later, in the WazirX hack, a TraderTraitor operative compromised an unidentified component in the signing pipeline and then repeatedly deposited and withdrew funds to deplete the exchange’s hot wallet, prompting WazirX engineers to rebalance from cold to hot wallets. When engineers attempted to sign transactions to move funds, they were tricked into signing a transaction that transferred control of the cold wallet to TraderTraitor.
This bears a striking resemblance to the February 2025 attack on Bybit, where TraderTraitor first compromised the Safe{Wallet} infrastructure through social engineering, then deployed malicious JavaScript to the Safe Wallet frontend specifically targeting Bybit’s cold wallet. When Bybit initiated a wallet rebalancing operation, the malicious code activated, causing Bybit engineers to unknowingly sign a transaction transferring cold wallet control to TraderTraitor.
Staying Secure
North Korea has demonstrated the ability to deploy zero-day exploits against adversaries, but there are currently no known records or incidents of North Korea deploying zero-days against the cryptocurrency industry. Therefore, standard security best practices apply to mitigate virtually all North Korean hacking threats.
For individuals, use common sense and remain vigilant against social engineering. For example, if someone claims to possess highly classified information and offers to share it with you, proceed with caution. Or, if someone pressures you to quickly download and run software, consider whether they’re trying to place you in a state where rational thinking becomes difficult.
For organizations, apply the principle of least privilege wherever possible. Minimize the number of individuals with access to sensitive systems and ensure they use password managers and two-factor authentication (2FA). Keep personal and work devices strictly separate, and install mobile device management (MDM) and endpoint detection and response (EDR) software on work devices to ensure both pre-breach protection and post-breach visibility.
Unfortunately, for large exchanges or other high-value targets, TraderTraitor can cause catastrophic damage even without zero-day exploits. Therefore, additional precautions are essential—ensure there are no single points of failure so that a single breach does not result in total fund loss.
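One practical way to remove the signing frontend as a single point of failure is for each signer to validate the raw Safe transaction fields against the stated intent (a plain token transfer to a known hot wallet) using a tool that shares nothing with the web UI. The following is an added example, not code from the original article or from Safe; the addresses, the policy, and the sample transactions are constructed for illustration.

```python
# Added example (not from the original article): an out-of-band policy check a Safe signer can run on
# the raw transaction fields before approving, instead of trusting what a possibly tampered frontend renders.
from dataclasses import dataclass
ERC20_TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")
OP_CALL = 0                           # Safe "operation" field: 0 = CALL, 1 = DELEGATECALL
@dataclass
class SafeTx:
    to: str          # contract the Safe will call, as hex
    value: int       # native value in wei
    data: str        # calldata as hex without the 0x prefix
    operation: int

@dataclass
class Policy:
    allowed_tokens: set       # token contracts the cold wallet may call
    allowed_recipients: set   # the exchange's own hot wallets
    max_amount: int           # per-transaction cap in token base units

def decode_erc20_transfer(data):
    """Return (recipient, amount) if data is exactly transfer(address,uint256), else None."""
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient_word, amount_word = data[8:72], data[72:136]
    if recipient_word[:24] != "0" * 24:  # the address word must be zero-padded on the left
        return None
    return "0x" + recipient_word[24:], int(amount_word, 16)

def check_safe_tx(tx, policy):
    """Return reasons to refuse signing; an empty list means the tx matches the stated intent."""
    findings = []
    if tx.operation != OP_CALL:
        findings.append("operation is not a plain CALL")
    if tx.to.lower() not in policy.allowed_tokens:
        findings.append(f"destination {tx.to} is not an allowlisted token contract")
    if tx.value != 0:
        findings.append("unexpected native value attached to a token transfer")
    decoded = decode_erc20_transfer(tx.data.lower())
    if decoded is None:
        findings.append("calldata is not an ERC20 transfer(address,uint256)")
    else:
        recipient, amount = decoded
        if recipient not in policy.allowed_recipients:
            findings.append(f"recipient {recipient} is not an allowlisted hot wallet")
        if amount > policy.max_amount:
            findings.append("amount exceeds the per-transaction limit")
    return findings

# Constructed samples: a routine cold-to-hot rebalance, and a transaction that looks nothing like one.
TOKEN, HOT, UNKNOWN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
POLICY = Policy({TOKEN}, {HOT}, 10**24)
BENIGN_TX = SafeTx(TOKEN, 0, ERC20_TRANSFER_SELECTOR + "00" * 12 + "22" * 20 + format(10**18, "064x"), 0)
SUSPECT_TX = SafeTx(UNKNOWN, 0, "", 1)
```

Run on its own, `check_safe_tx(BENIGN_TX, POLICY)` returns no findings while `check_safe_tx(SUSPECT_TX, POLICY)` lists three, so a signer using this as a second opinion refuses the second transaction regardless of what the frontend displayed.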
Yet, even if everything fails, hope remains. The FBI has a dedicated unit focused on tracking and preventing North Korean intrusions, and for years it has conducted victim notifications. Recently, I was pleased to help agents from this unit get in touch with people who were potential targets of North Korean operations. So, to prepare for the worst, make sure you have public contact information, or maintain strong connections with enough people across the ecosystem (e.g., SEAL 911), so that a warning traversing the social graph can reach you as quickly as possible.