The Lazarus Group, a notorious cybercrime syndicate, has emerged as one of the most prolific and sophisticated hacking entities globally, with a particular focus on financial institutions and cryptocurrency platforms. Recently, the group has been implicated in a massive $1.4 billion Ethereum heist targeting ByBit, the world’s second-largest crypto exchange, on February 21, 2025. This report examines what is known about the Lazarus Group, its key actors, recent hacks attributed to the group, its relationship with the North Korean state, and the latest updates circulating on X as of February 24, 2025.
What is Known About the Lazarus Group?
The Lazarus Group is a state-sponsored hacking collective believed to have originated around 2007–2009. It operates under various aliases, including Hidden Cobra, APT38 (Advanced Persistent Threat 38), ZINC, and Diamond Sleet, as designated by cybersecurity organizations and governments. The group is renowned for its advanced techniques, evolving from rudimentary distributed denial-of-service (DDoS) attacks to highly sophisticated operations involving ransomware, spear-phishing, and cryptocurrency theft. Its targets span critical infrastructure, financial institutions, entertainment companies, and, increasingly, the cryptocurrency sector—a lucrative and often less-regulated domain.
The group’s operations are characterized by meticulous planning, exploitation of software vulnerabilities, and social engineering tactics. Over the years, Lazarus has demonstrated adaptability, leveraging both homegrown malware and stolen credentials to execute high-profile attacks. Its activities are widely believed to generate revenue to support North Korea’s heavily sanctioned economy, particularly its nuclear weapons and military programs.
Who is Known to be Involved with Lazarus?
While the identities of individual Lazarus members remain largely anonymous due to the group’s secretive nature, several key figures have been named in U.S. indictments:
- Park Jin Hyok: Charged by the U.S. Department of Justice in 2018, Park is alleged to have been a programmer for Chosun Expo Joint Venture (also known as Korea Expo Joint Venture), a front company tied to North Korea’s Reconnaissance General Bureau (RGB). He is linked to the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and the 2016 Bangladesh Bank heist.
- Jon Chang Hyok and Kim Il: Indicted in 2021 alongside Park, these individuals are also tied to RGB units and accused of participating in a conspiracy that stole over $1.3 billion in money and cryptocurrency. They reportedly operated from North Korea, China, and Russia.
The RGB, North Korea’s primary military intelligence agency, is widely regarded as the controlling entity behind Lazarus. According to North Korean defector Kim Kuk-song, the group is internally known as the 414 Liaison Office. Estimates suggest North Korea employs around 6,000–7,000 cyber agents, with Lazarus being a cornerstone of this operation, though it’s unclear if it functions as a singular entity or an umbrella for multiple hacking teams.
Hacks Attributed to Lazarus in Recent Years
Lazarus has been linked to numerous high-profile cyberattacks, with a marked shift toward cryptocurrency theft since 2017. Notable incidents include:
- 2017 Youbit Hack: Lazarus stole approximately $70 million in Bitcoin from the South Korean exchange Youbit, forcing it into bankruptcy after two successive attacks.
- 2018 Coincheck Hack: The group siphoned $530 million from this Japanese cryptocurrency exchange, one of the largest crypto heists at the time.
- 2022 Harmony Horizon Bridge Hack: Lazarus stole $100 million, exploiting vulnerabilities in the bridge protocol.
- 2022 Ronin Bridge Hack: A $600 million theft from Sky Mavis’ Ronin Bridge, attributed to Lazarus by the FBI, remains one of the largest crypto heists in history.
- 2023 Crypto Losses: Blockchain security firm Immunefi reported Lazarus stole over $300 million in 2023, accounting for nearly 20% of total crypto losses that year.
- 2023 Stake.com Hack: The FBI attributed the theft of approximately $41 million in virtual currency from Stake.com, an online casino and betting platform, to Lazarus.
- 2025 ByBit Hack: On February 21, 2025, Lazarus allegedly stole $1.4 billion in Ethereum from ByBit’s cold wallet, confirmed by blockchain investigators ZachXBT and Arkham Intelligence. This attack, the largest crypto heist to date based on asset prices at the time, involved a sophisticated breach masked within a multi-signature transaction.
Chainalysis estimates that Lazarus has stolen over $3 billion in cryptocurrency since 2018, with $1.7 billion taken in 2022 alone, highlighting its escalating focus on the crypto sector.
Relationship Between Lazarus and the North Korean State
The Lazarus Group is intricately tied to the North Korean government, specifically the RGB, which oversees the country’s intelligence and cyber operations. U.S. intelligence agencies, the FBI, and international partners like the UK’s National Cyber Security Centre assert that Lazarus operates under direct state sponsorship. This relationship is driven by North Korea’s need to circumvent crippling international sanctions imposed due to its nuclear and missile programs. Cybercrime, particularly cryptocurrency theft, has become a critical revenue stream, funneling funds into military and state projects.
Evidence of state involvement includes the group’s targeting of strategic adversaries (e.g., South Korea, the U.S.), the use of North Korean infrastructure in attacks, and the alignment of its activities with Pyongyang’s financial needs. The U.S. Treasury Department has sanctioned entities like Chosun Expo and sub-groups (e.g., Bluenoroff, Andariel) for their ties to the RGB, reinforcing the state-backed nature of Lazarus.
Is Lazarus Systematically Used by North Korea?
Yes, Lazarus appears to be systematically deployed by North Korea as a tool for both financial gain and geopolitical disruption. Its operations serve a dual purpose: generating revenue and exerting asymmetric power against larger adversaries. The group’s focus on cryptocurrency aligns with the unregulated and pseudonymous nature of the sector, which makes it both an attractive target for theft and a convenient environment for laundering stolen funds into usable currency via mixers, exchanges, and illicit networks.
South Korea’s Defense Ministry estimates that North Korean hackers, including Lazarus, generate $200,000–$300,000 per member monthly, totaling billions annually. This systematic use is further evidenced by the training of elite hackers at institutions like Kim Il-sung University and through foreign programs in China, such as those in Shenyang and at the Harbin Institute of Technology.
Latest Updates from Lazarus on X (as of February 24, 2025)
Recent posts on X reflect ongoing discussions about Lazarus’ involvement in the ByBit hack and broader activities:
- Posts from February 22–23, 2025, cite a U.S. Department of Justice indictment of three North Korean Lazarus members (Jon Chang Hyok, Kim Il, and Park Jin Hyok) for the ByBit attack, linking it to their prior cybercrimes. Users note the timing—North Korea reportedly announced an equivalent Ethereum reserve within 24 hours of the hack, fueling speculation of state coordination.
- Blockchain investigator ZachXBT’s findings, shared via Arkham Intelligence on February 21, 2025, connect the ByBit hack to earlier 2025 hacks at Phemex and BingX, identifying overlapping wallet addresses and suggesting a coordinated Lazarus campaign.
- Sentiment on X highlights Lazarus’ reputation, with users marveling at its ability to steal billions while calling for stronger crypto security measures.
These updates, while not conclusive, underscore the group’s active and evolving threat profile as of February 24, 2025.
Conclusion and Financial Implications
The Lazarus Group’s involvement in the ByBit hack underscores its status as a leading cyber threat, particularly to the cryptocurrency market. Its state-backed operations, sophisticated tactics, and systematic deployment by North Korea pose significant risks to financial stability in the digital asset space. For investors and exchanges, this necessitates enhanced security protocols, including robust multi-signature safeguards and real-time blockchain monitoring. The group’s ability to net over $3 billion in crypto since 2018 signals a persistent challenge—one that regulators and financial institutions must address to curb North Korea’s illicit revenue streams and protect global markets.
As a financial analyst, I recommend close monitoring of Lazarus-related developments, particularly on platforms like X, where real-time insights from investigators and the crypto community can inform risk mitigation strategies. The interplay between state-sponsored cybercrime and cryptocurrency will likely remain a defining issue in 2025 and beyond.