What is Lazarus Group and when did it emerge?
Lazarus Group is the most common media label for a cohort of hackers whose leadership is likely directed from North Korea. The name is unofficial; other designations appear in various documents.
America’s Cybersecurity and Infrastructure Security Agency refers to the collective as Hidden Cobra; Microsoft uses ZINC and Diamond Sleet. The hackers themselves favour “heroic” monikers such as Guardians of Peace.
Little is known about Lazarus Group; its size and composition are unclear. US law enforcement identifies North Korean citizen Park Jin Hyok as its leader. FBI personnel found he spent at least eight years in China, where he worked as a software developer. Intercepted emails indicate that in 2011 Park informed the North Korean authorities of his wish to return home for personal reasons.
“Park Jin Hyok is a state-sponsored North Korean programmer and an alleged participant in a criminal conspiracy responsible for some of the most costly computer intrusions in history. His attacks damaged computer systems and resulted in the theft of funds and virtual currencies from numerous victims. Park is alleged to have participated in a wide-ranging criminal conspiracy carried out by a group of hackers associated with the Reconnaissance General Bureau of the DPRK. The group included North Korean hacking organizations that some private cybersecurity companies refer to as the Lazarus Group and Advanced Persistent Threat 38 (APT38),” reads Park’s profile on the FBI website.
South Korean media report that the state programme encompassing Lazarus Group began no later than June 2009. That was when the first major attacks were recorded and attributed to North Korea. Targets included government resources, among them the official website of the Blue House.
For a long time South Korea’s information infrastructure was the group’s principal target. Over the years, however, its activity began to spill beyond the regional conflict between Pyongyang and Seoul that has simmered since 1950.
Which major attacks are attributed to the group?
The operation that made Lazarus Group globally notorious was the November 2014 attack on the computer systems of Sony Pictures Entertainment. The intruders temporarily paralysed the studio. Employees could not use their work computers, which displayed a “screen of death” with a skull and a “warning” from the Guardians of Peace.
For several days the company was unable to process financial transactions, halting film production. The attackers posted the personal data of 7,000 Sony Pictures employees in the open, including salary information, private correspondence and social-media passwords. Copies of five Sony films also appeared online, two of which had yet to be released.
Western media believe the attack was political, linking it to the satirical film by Seth Rogen, The Interview, in which North Korean leader Kim Jong Un is lampooned as the chief villain.
In February 2016 the central bank of Bangladesh was hit. Exploiting weaknesses in SWIFT, Lazarus Group attempted to transfer about $1bn from a state account held at the Federal Reserve Bank of New York. Before security staff stopped the suspicious activity, the thieves managed to spirit away $81m.
Soon the group showed greater ingenuity and technical prowess. In May 2017 it struck hundreds of thousands of computers worldwide with the WannaCry ransomware. The malware infected Windows devices and demanded a $300 ransom in bitcoin.
The damage went beyond individuals: in parts of Europe medical services were disrupted, and production halted at Renault in France and Nissan in Japan. The hackers managed to craft such a dangerous virus after stealing tools from the NSA.
How much damage has Lazarus Group inflicted on crypto?
As digital assets spread, North Korean hackers turned to this corner of finance. In 2017–2018 alone they breached 14 exchanges and swap services, netting a combined $882m. Over time Lazarus Group also learned to target individual users, not just entire platforms.
In spring 2022 the hackers compromised the Ronin sidechain, stealing around $620m in cryptoassets from players of Axie Infinity. That summer Lazarus Group attacked Harmony’s Horizon bridge and the Atomic Wallet. Combined losses from the two incidents are estimated at $135m.
Analysts at Recorded Future calculated that in 2023 alone North Korean cybercriminals stole $1.7bn in digital assets—and the figures continue to rise steadily.
On 21 February 2025 came the largest crypto heist to date, targeting the Bybit exchange. The hackers gained access to one of the platform’s cold wallets and withdrew roughly $1.4bn worth of Ethereum. Soon on-chain analyst ZachXBT “provided irrefutable evidence” of Lazarus Group’s involvement.
Reputational damage is another serious harm that actions like these inflict on the industry.
The US authorities have cited Lazarus Group’s activity as grounds for sanctioning the mixers Tornado Cash, Blender and Sinbad, which the hackers allegedly used to launder stolen funds. Such restrictions, however, do not stop criminals from quickly finding alternative cash-out routes.
The Bybit case also undermines trust in centralised exchanges. Whoever the attackers are, they have shown they can successfully hit not only local swap shops and small projects but also top-tier platforms with “green” security scores.
Is Lazarus Group really linked to North Korea’s leadership?
There is little doubt. Given the regime’s highly repressive nature, it is hard to imagine operations of this sophistication occurring without state involvement.
Internet access in North Korea is restricted; only privileged citizens—the Kim family and their entourage, and leaders and staff of strategically important enterprises—can use it freely. Others must make do with the isolated “Kwangmyong” network, which hosts only censored content.
Intelligence services believe the main hub of North Korean cybercrime is “Laboratory 110”, a military institute directly subordinated to the State Affairs Commission led by Kim Jong Un. Yet the country clearly lacks the domestic capacity to run the programme alone. As the Russian Korea expert Andrei Lankov claims, North Korea’s “strike” hacker teams are based outside the country:
“They have several rather good training centres. Technically, they are at a good level. By the way, these centres are not physically in Korea. For a very long time one of the largest centres was located in a hotel in [the Chinese] city of Shenyang, where they [the hackers] lived, leaving the hotel only under the supervision of a political officer. […] I assume such bases still exist in various countries around the world—mainly in East and Southeast Asia.”
FBI reports, which point to Lazarus Group members operating at least in China, and numerous statements by South Korean law enforcement support this version.
Do the stolen funds finance the nuclear programme?
This is quite possible, though there is no direct proof.
North Korea is the only state that categorically refuses to co-operate with the IAEA. In 2008 Pyongyang officially notified the agency that it “no longer requires the services of the Agency for monitoring” at its nuclear facilities. It is therefore impossible not only to establish funding sources for the sector, but even to determine with confidence the current state of Pyongyang’s nuclear programme.
Even so, reports regularly appear in the press alleging that North Korean cybercriminals are focused on raising funds for weapons of mass destruction.
In February 2024 Reuters published excerpts from a confidential report by the UN Sanctions Committee.
The document alleges that North Korean hackers are suspected in at least 58 attacks that, at the time of publication, had netted about $3bn. Similar figures appear in Microsoft’s 2024 cybersecurity report.
For comparison, according to estimates by ICAN, Pyongyang spent $667m on its nuclear programme in 2020. In any case, laundering and then converting stolen assets into fiat takes considerable time and resources, while the principle of songun, fundamental to North Korea’s domestic policy, eschews reliance on additional (and highly risky) fundraising for the military.
Arguably more worrying than how Lazarus Group spends stolen funds is the non-financial side of its activity. As Bitdefender Labs notes, members of the organisation deliberately target employees in the nuclear, aviation and other sensitive sectors to obtain secret information and access to corporate accounts.
It appears these operations spare not even North Korea’s nominal allies. According to Reuters, at the end of 2021 Lazarus Group breached the computer networks of “NPO Mashinostroyeniya” in Reutov, near Moscow.
The unauthorised access was discovered and shut down by the enterprise only in May 2022. The agency’s reporters believe the hackers were gathering data needed to build an intercontinental ballistic missile.
Is Lazarus Group one of a kind?
Even Lazarus Group itself is unlikely to be a single structure. It appears to comprise numerous units with different goals and attack types. Parallel outfits in North Korea include Kimsuky and Ricochet Chollima, focused on industrial espionage and disrupting South Korea’s power grids.
In common taxonomy, groups like Lazarus are classified as advanced persistent threats (APTs). Analogous entities operate in many states with non-democratic regimes: China (Red Apollo, Double Dragon, Numbered Panda and many others), Iran (Charming Kitten, Helix Kitten, Elfin Team), Russia (Cozy Bear, Fancy Bear, Primitive Bear and others), Saudi Arabia (OurMine).
Yet North Korea’s stark image as the “last totalitarian regime” and Pyongyang’s refusal to engage in diplomacy or international co-operation make Lazarus Group a symbol of “absolute evil”. This perception gives rise not only to well-founded accusations of state-sponsored cybercrime, but also to various manipulations—including those aimed at discrediting the crypto industry.
