{"id":38074,"date":"2025-02-25T13:00:00","date_gmt":"2025-02-25T11:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=38074"},"modified":"2025-12-05T06:31:06","modified_gmt":"2025-12-05T03:31:06","slug":"lazarus-group-what-we-know-about-the-outfit-suspected-of-the-bybit-hack","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/lazarus-group-what-we-know-about-the-outfit-suspected-of-the-bybit-hack\/","title":{"rendered":"What Is Known About Lazarus Group, Suspected of Hacking Bybit?"},"content":{"rendered":"<div class=\"wp-block-text-wrappers-cards single_card\">\n<h2 class=\"card_label\"><strong>What is Lazarus Group and when did it emerge?<\/strong><\/h2>\n<p>Lazarus Group is the most common media label for a cohort of hackers whose leadership is likely directed from North Korea. The name is unofficial; other designations <a href=\"https:\/\/sanctionssearch.ofac.treas.gov\/Details.aspx?id=27307\" target=\"_blank\" rel=\"noopener\" title=\"\">appear<\/a> in various documents.<\/p>\n<p>America\u2019s Cybersecurity and Infrastructure Security Agency refers to the collective as <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2017\/06\/13\/hidden-cobra-north-koreas-ddos-botnet-infrastructure\" target=\"_blank\" rel=\"noopener\" title=\"\">Hidden Cobra<\/a>; Microsoft uses <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/tag\/diamond-sleet-zinc\/\" target=\"_blank\" rel=\"noopener\" title=\"\">ZINC and Diamond Sleet<\/a>. The hackers themselves favour \u201cheroic\u201d monikers such as <a href=\"https:\/\/deadline.com\/2015\/11\/sony-hack-guardians-of-peace-one-year-anniversary-1201636491\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Guardians of Peace<\/a>.<\/p>\n<p>Little is known about Lazarus Group; its size and composition are unclear. US law enforcement identifies North Korean citizen Park Jin Hyok as its leader. 
FBI personnel <a href=\"https:\/\/www.bbc.com\/russian\/features-57597148\" target=\"_blank\" rel=\"noopener\" title=\"\">found<\/a> he spent at least eight years in China, where he worked as a software developer. Intercepted emails indicate that in 2011 Park informed the North Korean authorities of his wish to return home for personal reasons.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cPark Jin Hyok is a state-sponsored North Korean programmer and an alleged participant in a criminal conspiracy responsible for some of the most costly computer intrusions in history. His attacks damaged computer systems and resulted in the theft of funds and virtual currencies from numerous victims. Park is alleged to have participated in a wide-ranging criminal conspiracy carried out by a group of hackers associated with the Reconnaissance General Bureau of the DPRK. The group included North Korean hacking organizations that some private cybersecurity companies refer to as the Lazarus Group and Advanced Persistent Threat 38 (APT38),\u201d reads Park\u2019s <a href=\"https:\/\/www.fbi.gov\/wanted\/cyber\/park-jin-hyok\">profile<\/a> on the FBI website.<\/p>\n<\/blockquote>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXdEsKuVVvwQXSW2s7rPwHO0boyL8dkoIOBYyHIscB7JhO8VfeCZuJ2YGKYQezSdpkGJrt-vAey2MH0ox_m3GZiTV8ZHiCys3nAKcACznWIU9sgb-jtpQHDRAwfYejY43paDgPVAxA?key=Iy-JNBMgxkEkV8zSsIf2x-vD\" alt=\"What is known about Lazarus Group, suspected of the Bybit hack?\"\/><figcaption class=\"wp-element-caption\">Wanted notice for Park Jin Hyok. Source: FBI.<\/figcaption><\/figure>\n<p>South Korean media report that the state programme encompassing Lazarus Group began no later than June 2009. 
That was when the first major attacks were <a href=\"https:\/\/www.theguardian.com\/world\/2009\/jul\/11\/south-korea-blames-north-korea-cyber-attacks\" target=\"_blank\" rel=\"noopener\" title=\"\">recorded<\/a> and attributed to North Korea. Targets included government resources, among them the official website of the <span data-descr=\"Analogous to the White House\u2014the informal name for the residence of South Korea\u2019s president\" class=\"old_tooltip\">Blue House<\/span>.<\/p>\n<p>For a long time South Korea\u2019s information infrastructure was the group\u2019s principal target. Over the years, however, its activity began to spill beyond the regional conflict between Pyongyang and Seoul that has simmered since 1950.<\/p>\n<\/div>\n<div class=\"wp-block-text-wrappers-cards single_card\">\n<h2 class=\"card_label\"><strong>Which major attacks are attributed to the group?<\/strong><\/h2>\n<p>The operation that made Lazarus Group globally notorious was the November 2014 attack on the computer systems of Sony Pictures Entertainment. The intruders temporarily paralysed the studio. Employees could not use their work computers, which displayed a \u201cscreen of death\u201d with a skull and a \u201cwarning\u201d from the Guardians of Peace.<\/p>\n<p>For several days the company was unable to process financial transactions, halting film production. The attackers posted the personal data of 7,000 Sony Pictures employees in the open, including salary information, private correspondence and social-media passwords. 
Copies of five Sony films also appeared online, two of which had yet to be released.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXcleiWUYxrwisaX6cE_cxebW7iruJjPMN7q1k0kpBHTUySqfSQNW9XY9UD5rpI9-qjurXWvGemPQlGJp2ZKCd4iVlVOJXgjVBhFa5E5AQI9pPcuyBEUWS1_UL16kMEL-MHhzfbFiw?key=Iy-JNBMgxkEkV8zSsIf2x-vD\" alt=\"What is known about Lazarus Group, suspected of the Bybit hack?\"\/><figcaption class=\"wp-element-caption\">A threatening message sent to Sony Pictures staff. Source: <a href=\"https:\/\/www.businessinsider.com\/sony-hack-caused-the-company-to-use-old-technology-2015-6\" target=\"_blank\" rel=\"noopener\" title=\"\">Business Insider<\/a>.<\/figcaption><\/figure>\n<p>Western media <a href=\"https:\/\/www.bbc.com\/news\/entertainment-arts-30512032\">believe<\/a> the attack was political, linking it to the satirical film by Seth Rogen, <a href=\"https:\/\/www.imdb.com\/title\/tt2788710\/\" target=\"_blank\" rel=\"noopener\" title=\"\">The Interview<\/a>, in which North Korean leader Kim Jong Un is lampooned as the chief villain.<\/p>\n<p>In February 2016 the central bank of Bangladesh was <a href=\"https:\/\/cyber.uk\/areas-of-cyber-security\/cyber-security-threat-groups-2\/nation-state-hackers-case-study-bangladesh-bank-heist\/\" target=\"_blank\" rel=\"noopener\" title=\"\">hit<\/a>. Exploiting weaknesses in SWIFT, Lazarus Group attempted to transfer about $1bn from a state account held at the Federal Reserve Bank of New York. Before security staff stopped the suspicious activity, the thieves managed to spirit away $81m.<\/p>\n<p>Soon the group showed greater ingenuity and technical prowess. In May 2017 it struck hundreds of thousands of computers worldwide with the WannaCry ransomware. 
The malware infected Windows devices and demanded a $300 ransom in bitcoin.<\/p>\n<p>The damage went beyond individuals: in parts of Europe medical services were disrupted, and production halted at Renault in France and Nissan in Japan. The hackers managed to craft such a dangerous virus after <a href=\"https:\/\/gist.github.com\/rain-1\/989428fa5504f378b993ee6efbc0b168\" target=\"_blank\" rel=\"noopener\" title=\"\">stealing<\/a> tools from the <span data-descr=\"National Security Agency of the United States\" class=\"old_tooltip\">NSA<\/span>.<\/p>\n<\/div>\n<div class=\"wp-block-text-wrappers-cards single_card\">\n<h2 class=\"card_label\"><strong>How much damage has Lazarus Group inflicted on crypto?<\/strong><\/h2>\n<p>As digital assets spread, North Korean hackers turned to this corner of finance. In 2017\u20132018 alone they breached 14 exchanges and swap services, netting a combined $882m. Over time Lazarus Group also learned to target individual users, not just entire platforms.<\/p>\n<p>In spring 2022 the hackers compromised the Ronin sidechain, stealing around $620m in cryptoassets from players of Axie Infinity. That summer Lazarus Group attacked Harmony\u2019s Horizon bridge and the Atomic Wallet. Combined losses from the two incidents are estimated at $135m.<\/p>\n<p>Analysts at Recorded Future calculated that in 2023 alone North Korean cybercriminals stole $1.7bn in digital assets\u2014and the figures continue to rise steadily.<\/p>\n<p>On 21 February 2025 came the largest crypto heist to date, targeting the Bybit exchange. The hackers gained access to one of the platform\u2019s cold wallets and withdrew roughly $1.4bn worth of Ethereum. 
Soon on-chain analyst ZachXBT \u201c<a href=\"https:\/\/forklog.com\/en\/news\/arkham-says-lazarus-group-behind-bybit-hack\">provided irrefutable evidence<\/a>\u201d of Lazarus Group\u2019s involvement.<\/p>\n<p>Reputational damage is another serious problem that attacks like these inflict on the industry.<\/p>\n<p>The US authorities have cited Lazarus Group\u2019s activity as grounds for sanctioning the mixers <a href=\"https:\/\/forklog.com\/en\/news\/what-is-the-tornado-cash-mixer-and-why-was-it-sanctioned\">Tornado Cash<\/a>, Blender and Sinbad, which the hackers allegedly used to launder stolen funds. Such restrictions, however, do not stop criminals from quickly <a href=\"https:\/\/forklog.com\/en\/news\/north-korean-hackers-turn-to-yomix-after-sinbad-sanctions\">finding<\/a> alternative cash-out routes.<\/p>\n<p>The Bybit case also undermines trust in centralised exchanges. Whoever the attackers are, they have shown they can successfully hit not only local swap shops and small projects but also <a href=\"https:\/\/www.coingecko.com\/ru\/%D0%BE%D0%B1%D0%BC%D0%B5%D0%BD\" target=\"_blank\" rel=\"noopener\" title=\"\">top-tier platforms<\/a> with \u201cgreen\u201d security scores.<\/p>\n<\/div>\n<div class=\"wp-block-text-wrappers-cards single_card\">\n<h2 class=\"card_label\"><strong>Is Lazarus Group really linked to North Korea\u2019s leadership?<\/strong><\/h2>\n<p>There is little doubt. Given the regime\u2019s highly repressive nature, it is hard to imagine operations of this sophistication occurring without state involvement.<\/p>\n<p>Internet access in North Korea is restricted; only privileged citizens\u2014the Kim family and their entourage, and leaders and staff of strategically important enterprises\u2014can use it freely. 
Others must make do with the isolated \u201cKwangmyong\u201d network, which hosts only censored content.<\/p>\n<p>Intelligence services believe the main hub of North Korean cybercrime is \u201cLaboratory 110\u201d, a military institute directly subordinated to the State Affairs Commission led by Kim Jong Un. Yet the country clearly lacks the domestic capacity to run the programme alone. As the Russian Korea expert Andrei Lankov <a href=\"https:\/\/youtu.be\/C84bzu9wXC0?feature=shared&#038;t=5511\" target=\"_blank\" rel=\"noopener\" title=\"\">claims<\/a>, North Korea\u2019s \u201cstrike\u201d hacker teams are based outside the country:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThey have several rather good training centres. Technically, they are at a good level. By the way, these centres are not physically in Korea. For a very long time one of the largest centres was located in a hotel in [the Chinese] city of Shenyang, where they [the hackers] lived, leaving the hotel only under the supervision of a political officer. [\u2026] I assume such bases still exist in various countries around the world\u2014mainly in East and Southeast Asia.\u201d<\/p>\n<\/blockquote>\n<p>FBI reports, which point to Lazarus Group members operating at least in China, and numerous statements by South Korean law enforcement support this version.<\/p>\n<\/div>\n<div class=\"wp-block-text-wrappers-cards single_card\">\n<h2 class=\"card_label\"><strong>Do the stolen funds finance the nuclear programme?<\/strong><\/h2>\n<p>This is quite possible, though there is no direct proof.<\/p>\n<p>North Korea is the only state that categorically refuses to co-operate with the <span data-descr=\"International Atomic Energy Agency\" class=\"old_tooltip\">IAEA<\/span>. 
In 2008 Pyongyang officially <a href=\"https:\/\/news.un.org\/ru\/story\/2008\/10\/1133371\" target=\"_blank\" rel=\"noopener\" title=\"\">notified<\/a> the agency that it \u201cno longer requires the services of the Agency for monitoring\u201d at its nuclear facilities. It is therefore impossible not only to establish funding sources for the sector, but even to determine with confidence the current state of Pyongyang\u2019s nuclear programme.<\/p>\n<p>Even so, reports regularly appear in the press alleging that North Korean cybercriminals are focused on raising funds for weapons of mass destruction.<\/p>\n<p>In February 2024 Reuters <a href=\"https:\/\/www.reuters.com\/technology\/cybersecurity\/un-experts-investigate-58-cyberattacks-worth-3-bln-by-north-korea-2024-02-08\/\" target=\"_blank\" rel=\"noopener\" title=\"\">published<\/a> excerpts from a confidential report by the UN Sanctions Committee.<\/p>\n<p>The document alleges that North Korean hackers are suspected in at least 58 attacks that, at the time of publication, had netted about $3bn. Similar figures appear in Microsoft\u2019s 2024 <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/security-insider\/intelligence-reports\/microsoft-digital-defense-report-2024\">cybersecurity report<\/a>.<\/p>\n<p>For comparison, according to <a href=\"https:\/\/d3n8a8pro7vhmx.cloudfront.net\/ican\/pages\/2161\/attachments\/original\/1622825593\/Spending_Report_Web.pdf?1622825593\" target=\"_blank\" rel=\"noopener\" title=\"\">estimates<\/a> by <span data-descr=\"International Campaign to Abolish Nuclear Weapons\" class=\"old_tooltip\">ICAN<\/span>, Pyongyang spent $667m on its nuclear programme in 2020. 
In any case, laundering and then converting stolen assets into fiat takes considerable time and resources, while the principle of <a href=\"https:\/\/ru.wikipedia.org\/wiki\/%D0%A1%D0%BE%D0%BD%D0%B3%D1%83%D0%BD\" target=\"_blank\" rel=\"noopener\" title=\"\">songun<\/a>, fundamental to North Korea\u2019s domestic policy, eschews reliance on additional (and highly risky) fundraising for the military.<\/p>\n<p>Arguably more worrying than how Lazarus Group spends stolen funds is the non-financial side of its activity. As <a href=\"https:\/\/www.bitdefender.com\/en-us\/blog\/labs\/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam\" target=\"_blank\" rel=\"noopener\" title=\"\">Bitdefender Labs<\/a> notes, members of the organisation deliberately target employees in the nuclear, aviation and other sensitive sectors to obtain secret information and access to corporate accounts.<\/p>\n<p>It appears these operations spare not even North Korea\u2019s nominal allies. According to <a href=\"https:\/\/www.reuters.com\/technology\/north-korean-hackers-breached-top-russian-missile-maker-2023-08-07\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Reuters<\/a>, at the end of 2021 Lazarus Group breached the computer networks of \u201cNPO Mashinostroyeniya\u201d in Reutov, near Moscow.<\/p>\n<p>The unauthorised access was discovered and shut down by the enterprise only in May 2022. The agency\u2019s reporters believe the hackers were gathering data needed to build an intercontinental ballistic missile.<\/p>\n<\/div>\n<div class=\"wp-block-text-wrappers-cards single_card\">\n<h2 class=\"card_label\"><strong>Is Lazarus Group one of a kind?<\/strong><\/h2>\n<p>Even Lazarus Group itself is unlikely to be a single structure. It appears to comprise numerous units with different goals and attack types. 
Parallel outfits in North Korea include Kimsuky and Ricochet Chollima, focused on industrial espionage and disrupting South Korea\u2019s power grids.<\/p>\n<p>In common taxonomy, groups like Lazarus are classified as <span data-descr=\"advanced persistent threat: a sustained, targeted intrusion campaign, typically state-backed\" class=\"old_tooltip\">APT<\/span>. Analogous entities operate in many states with non-democratic regimes: China (<a href=\"https:\/\/www.justice.gov\/archives\/opa\/pr\/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion\" target=\"_blank\" rel=\"noopener\" title=\"\">Red Apollo<\/a>, <a href=\"https:\/\/www.fbi.gov\/wanted\/cyber\/apt-41-group\" target=\"_blank\" rel=\"noopener\" title=\"\">Double Dragon<\/a>, <a href=\"https:\/\/apt.etda.or.th\/cgi-bin\/showcard.cgi?g=APT%2012%2C%20Numbered%20Panda&#038;n=1\" target=\"_blank\" rel=\"noopener\" title=\"\">Numbered Panda<\/a> and many others), Iran (<a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/actor\/charming_kitten\" target=\"_blank\" rel=\"noopener\" title=\"\">Charming Kitten<\/a>, <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Helix Kitten<\/a>, <a href=\"https:\/\/www.security.com\/threat-intelligence\/elfin-apt33-espionage\" target=\"_blank\" rel=\"noopener\" title=\"\">Elfin Team<\/a>), Russia (Cozy Bear, Fancy Bear, Primitive Bear and others), Saudi Arabia (<a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/actor\/ourmine\" target=\"_blank\" rel=\"noopener\" title=\"\">OurMine<\/a>).<\/p>\n<p>Yet North Korea\u2019s stark image as the \u201clast totalitarian regime\u201d and Pyongyang\u2019s refusal to engage in diplomacy or international co-operation make Lazarus Group a symbol of \u201cabsolute evil\u201d. 
This perception gives rise not only to well-founded accusations of state-sponsored cybercrime, but also to various manipulations\u2014including those aimed at discrediting the crypto industry.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The damage North Korean hackers have inflicted on the crypto industry over the years.<\/p>\n","protected":false},"author":1,"featured_media":38075,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"1","_short_excerpt_text":"","creation_source":"ai_translated","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[2113],"tags":[2136],"class_list":["post-38074","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptorium","tag-101-people"],"aioseo_notices":[],"amp_enabled":true,"views":"160","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"0","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/38074","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=38074"}],"version-history":[{"count":2,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/38074\/revisions"}],"predecessor-version":[{"id":91852,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/38074\/revisions\/91852"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/38075"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=38074"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post
=38074"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=38074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}