Forward the Original Title ‘Paradigm: Unveiling the Threat of the North Korean Hacker Group Lazarus Group’

A discussion on Lazarus Group—the culprit behind the Bybit hack—from the perspective of organizational structure, attack methods, and defense strategies.

One February morning, the lights came on in the SEAL 911 group chat. We stared in confusion as Bybit moved over $1 billion worth of tokens from their cold wallet to a brand-new address and then quickly began liquidating more than $200 million in LST. Within minutes, through communication with the Bybit team and independent analysis (involving multisig and a previously verified Safe Wallet implementation, now replaced with a newly deployed and unverified contract), we confirmed that this was not routine maintenance. Someone had just launched one of the largest hacks in crypto history—and we were sitting in the front row.

While part of the team (along with the broader investigative community) began tracking the funds and notifying partner exchanges, others tried to figure out what exactly had happened—and whether additional funds were at risk. Fortunately, identifying the perpetrator was easy. Over the past few years, only one known threat actor has successfully stolen billions from crypto exchanges: North Korea, also known as the DPRK.

However, beyond that, we had little to go on. Due to the cunning nature and exceptional obfuscation skills of North Korean hackers, determining the root cause of the breach—let alone which specific team inside North Korea was responsible—was extremely difficult. All we had was existing intelligence suggesting that DPRK operators often rely on social engineering tactics to infiltrate crypto exchanges. Based on that, we assumed they had compromised Bybit’s multisig signers and deployed malware to interfere with the signing process.

As it turned out, that assumption was completely off. A few days later, we discovered that North Korea had actually compromised the infrastructure of Safe Wallet itself and deployed a customized malicious overload specifically targeting Bybit. The complexity of this attack was beyond anything anyone had anticipated or prepared for—posing a serious challenge to many existing security models in the market.

North Korean hackers present a growing threat to our industry. We cannot defeat an enemy we do not understand. Although there are many documented incidents and articles about North Korean cyber operations, it’s hard to piece them all together. I hope this overview can help provide a clearer picture of how North Korea operates, their strategies and procedures, and ultimately help us implement the right mitigation measures.

Organizational Structure

One of the biggest misconceptions that needs to be addressed is how to classify and name North Korea’s extensive cyber activities. While it’s acceptable to use the term “Lazarus Group” colloquially as a catch-all label, a more precise terminology is helpful when discussing the systemic cyber threat posed by North Korea in detail.

First, it helps to understand North Korea’s “organizational chart.” At the top is the ruling—and only—political party, the Workers’ Party of Korea (WPK), which oversees all state institutions. This includes the Korean People’s Army (KPA) and the Central Committee. Within the KPA exists the General Staff Department (GSD), where the Reconnaissance General Bureau (RGB) is housed. Under the Central Committee is the Munitions Industry Department (MID).

The RGB is responsible for nearly all of North Korea’s cyber operations, including almost all the activity observed in the crypto industry. In addition to the infamous Lazarus Group, other threat actors that originate from the RGB include AppleJeus, APT38, DangerousPassword, and TraderTraitor. On the other hand, the MID oversees North Korea’s nuclear missile program and is the primary source of the country’s overseas IT workers. The intelligence community identifies these actors as Contagious Interview and Wagemole.

Lazarus Group

Lazarus Group is a highly sophisticated hacking organization. Cybersecurity experts believe that some of the largest and most destructive cyberattacks in history were carried out by this group. In 2016, Novetta identified Lazarus Group while analyzing the hack of Sony Pictures Entertainment.

In 2014, Sony was producing the action-comedy The Interview, whose central plot involved the humiliation and eventual assassination of Kim Jong-un. Understandably, this was not welcomed by the North Korean regime, which retaliated by hacking into Sony’s network, stealing several terabytes of data, leaking hundreds of gigabytes of confidential or sensitive information, and deleting the originals. As then-CEO Michael Lynton put it: “The people who did this didn’t just steal everything in the house—they burned the house down.” Sony ultimately spent at least $15 million on investigation and remediation related to the attack, and the actual damage may have been even higher.

In 2016, a hacker group with striking similarities to Lazarus Group infiltrated Bangladesh Bank in an attempt to steal nearly $1 billion. Over the course of a year, the hackers conducted social engineering attacks on bank staff, eventually gaining remote access and moving laterally within the network until they reached the computer that interfaced with the SWIFT system. From there, they waited for the perfect opportunity: Bangladesh observes its weekend on Thursday, while the New York Federal Reserve takes Friday off. On Thursday night, local time, the attackers used their SWIFT access to send 36 separate transfer requests to the New York Fed—early Friday morning local time. Over the next 24 hours, the Fed forwarded the transfers to Rizal Commercial Banking Corporation (RCBC) in the Philippines, which began processing them. By the time Bangladesh Bank reopened, it discovered the breach and tried to contact RCBC to halt the transactions, only to find the bank had closed for the Lunar New Year holiday.

Then in 2017, the widespread WannaCry 2.0 ransomware attack devastated industries across the globe, with partial attribution to the Lazarus Group. Estimated to have caused billions in losses, WannaCry exploited a Microsoft Windows zero-day vulnerability originally developed by the NSA. It encrypted local machines and propagated across accessible devices, ultimately infecting hundreds of thousands of systems worldwide. Fortunately, security researcher Marcus Hutchins discovered and triggered a kill switch within eight hours, limiting the scale of the damage.

Throughout its history, Lazarus Group has demonstrated remarkable technical capability and operational effectiveness. One of their key objectives is generating revenue for the North Korean regime. It was only a matter of time before they turned their attention to the cryptocurrency industry.

Lazarus Spin-Offs and Evolving Threats

Over time, as Lazarus Group became a catch-all term commonly used by the media to describe North Korea’s cyber activities, the cybersecurity industry began developing more precise names for Lazarus Group and specific operations linked to North Korea. APT38 is one such example. Around 2016, it split off from Lazarus Group to focus specifically on financial crimes—initially targeting banks (such as Bangladesh Bank), and later, cryptocurrency. In 2018, a new threat known as AppleJeus was discovered distributing malware targeting cryptocurrency users. Also in 2018, when OFAC first announced sanctions against two front companies used by North Koreans, it was already apparent that North Korean operatives impersonating IT workers had infiltrated the tech industry.

North Korean IT Workers

Although the earliest recorded mention of North Korean IT workers dates back to the 2018 OFAC sanctions, Unit 42’s 2023 report provided a more detailed account and identified two distinct threat actors: Contagious Interview and Wagemole.

Contagious Interview is known for impersonating recruiters from well-known companies to lure developers into fake interview processes. The prospective candidates are instructed to clone a repository for local debugging—framed as part of a coding challenge—but the repository contains a backdoor. Executing the code gives attackers control over the affected machine. This activity is ongoing, with the most recent incident recorded on August 11, 2024.

Wagemole, on the other hand, doesn’t lure victims—they get hired by real companies, blending in as ordinary engineers, albeit often less productive. That said, there are documented instances of IT workers using their access for malicious purposes. In the Munchables incident, an employee linked to North Korean operations exploited privileged access to smart contracts and stole all assets.

The level of sophistication among Wagemole agents varies widely. Some use generic résumé templates and refuse video calls, while others submit tailored CVs, participate in deepfake video interviews, and provide fake IDs like driver’s licenses and utility bills. In some cases, agents have stayed inside victim organizations for up to a year before leveraging their access to infiltrate other systems and/or completely cash out.

AppleJeus

AppleJeus primarily focuses on distributing malware and is skilled in executing complex supply chain attacks. In 2023, the 3CX supply chain attack allowed threat actors to potentially infect over 12 million users of the 3CX VoIP software. It was later discovered that 3CX itself had been affected by a supply chain attack on one of its upstream vendors—Trading Technologies 13.

In the crypto industry, AppleJeus initially spread malware disguised as legitimate software, such as trading platforms or cryptocurrency wallets. However, over time, their tactics evolved. In October 2024, Radiant Capital was compromised by a threat actor impersonating a trusted contractor who delivered malware via Telegram. Mandiant attributed this attack to AppleJeus.

Dangerous Password

Dangerous Password is responsible for low-complexity social engineering attacks targeting the cryptocurrency industry. As early as 2019, JPCERT/CC documented that Dangerous Password was sending phishing emails containing enticing attachments for users to download. In recent years, Dangerous Password has impersonated well-known figures in the crypto space to send phishing emails with subject lines like “Huge Risks in Stablecoins and Crypto Assets.”

Today, Dangerous Password continues to send phishing emails but has expanded its activities to other platforms. For example, Radiant Capital reported receiving a phishing message via Telegram from someone posing as a security researcher. The message included a file named “Penpie_Hacking_Analysis_Report.zip”. Additionally, users have reported being contacted by individuals impersonating journalists or investors who ask to schedule a call using obscure video conferencing apps. Like Zoom, these apps prompt users to download a one-time installer, but upon execution, they install malware on the user’s device.

TraderTraitor

TraderTraitor is the most sophisticated North Korean hacker group targeting the cryptocurrency industry and has been linked to attacks on platforms like Axie Infinity and Rain.com. TraderTraitor almost exclusively targets exchanges and companies with large reserves and does not use zero-day vulnerabilities. Instead, it employs highly sophisticated spear-phishing techniques to compromise its victims. In the Axie Infinity breach, TraderTraitor contacted a senior engineer via LinkedIn and successfully convinced them to go through a series of interviews, ultimately sending a “job offer” that delivered the malware payload. In the WazirX attack, TraderTraitor operatives compromised an unidentified component in the transaction signing pipeline. They then drained the exchange’s hot wallet by repeatedly depositing and withdrawing funds, prompting engineers to rebalance from the cold wallet. When WazirX engineers attempted to sign a transaction to transfer the funds, they were tricked into authorizing a transaction that handed over control of the cold wallet to TraderTraitor. This is very similar to the February 2025 attack on Bybit, in which TraderTraitor first compromised the Safe{Wallet} infrastructure through social engineering, then deployed malicious JavaScript into the Safe Wallet frontend specifically used by Bybit’s cold wallet. When Bybit attempted to rebalance its wallet, the malicious code was triggered, causing Bybit engineers to unknowingly sign a transaction that transferred control of the cold wallet to TraderTraitor.

Staying Safe

North Korea has demonstrated the capability to deploy zero-day vulnerabilities against adversaries, but so far, there are no recorded or known incidents of zero-days being used against the cryptocurrency industry. Therefore, standard security advice applies to nearly all threats posed by North Korean hackers.

For individuals, common sense and vigilance against social engineering are key. For example, if someone claims to possess highly confidential information and offers to share it with you, proceed with caution. Or, if someone applies time pressure and urges you to download and run software, consider whether they’re trying to prevent you from thinking rationally.

For organizations, apply the principle of least privilege wherever possible. Minimize the number of people with access to sensitive systems, and ensure they use password managers and two-factor authentication (2FA). Keep personal and work devices separate, and install Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) tools on work machines to maintain both pre-breach security and post-breach visibility.

Unfortunately, for large exchanges or other high-value targets, TraderTraitor can still cause more damage than expected even without using zero-days. Therefore, additional precautions must be taken to eliminate single points of failure—so that a single compromise doesn’t result in complete financial loss.

Still, even if everything fails, there is hope. The FBI has a dedicated team tracking and preventing North Korean intrusions and has been actively notifying victims for years. I was recently glad to assist that team in connecting with potential North Korean targets. So, to prepare for the worst, make sure you have publicly available contact information—or maintain strong relationships across the ecosystem (e.g., SEAL 911)—so that critical alerts can reach you as quickly as possible through the social graph.

Disclaimer:

1. This article is reprinted from [ForesightNews]. Forward the Original Title ‘Paradigm: Unveiling the Threat of the North Korean Hacker Group Lazarus Group’. All copyrights belong to the original author [samczsun, Research Partner at Paradigm]. If there are any objections to this reprint, please contact the Gate Learn team, and they will handle it promptly according to the relevant procedures.

2. Disclaimer: The views and opinions expressed in this article represent only the author’s personal views and do not constitute any investment advice.

3. Translations of the article into other languages are done by the Gate Learn team. Without mentioning Gate.io, it is prohibited to copy, distribute, or plagiarize the translated versions.