Lazarus Group Details – All You Need To Know About the Bybit Hacker


Lazarus Group is the most common designation for a group of hackers directed from the DPRK. It is also known by several unofficial names, which appear in various documents.

In the reports of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), it is called Hidden Cobra. In Microsoft’s reports, it is called ZINC and Diamond Sleet. The hackers themselves have used the name Guardians of Peace.

Very little is known about the Lazarus Group, and the size and composition of the organization are unknown. According to U.S. law enforcement officials, Park Jin Hyok, the leader of the group, is a DPRK citizen. According to FBI officials, he lived in China for at least eight years, where he was involved in software development.

[Image: Lazarus Group member Park Jin Hyok]

In 2011, Park told North Korean authorities that he wanted to return to his home country for personal reasons. Park’s card on the FBI’s website reads:

“Park Jin Hyok is an alleged state-sponsored North Korean computer programmer, a member of an alleged criminal conspiracy responsible for some of the most costly computer hacks in history. His attacks crippled computer systems and resulted in the theft of funds and virtual currencies from multiple victims. Park is believed to have been involved in a large-scale criminal conspiracy carried out by a group of hackers affiliated with the intelligence directorate of the DPRK General Staff. The group included North Korean hacker organizations that some private cybersecurity firms refer to as Lazarus Group and Advanced Persistent Threat 38 (APT38).”

According to South Korean media, in June 2009 the Lazarus group became part of a state program. During that period, major attacks were recorded whose source was believed to be the DPRK. Government resources were attacked, including the official site of the Blue House.

The attackers targeted South Korean information infrastructure for a long time. The group’s activity has since grown well beyond the regional conflict that has lasted since 1950.

The Major Attacks Done by Lazarus Group

The attack that made the Lazarus group famous worldwide took place in November 2014, against the computer systems of Sony Pictures Entertainment. The studio was temporarily frozen by the attackers. Employees were unable to use their systems, which displayed a “screen of death” with an image of a skeleton and a “warning” from the Guardians of Peace.

Major activities such as financial transactions could not be conducted, causing movie production to be suspended. Personal data, including information on income, personal correspondence, and passwords, was leaked by the attackers on various social media platforms. Around seven thousand employees of the company were affected.

In addition, five films that had not yet been released were leaked on the internet. According to the Western press, the attack was political and was linked to Seth Rogen’s satirical movie “The Interview”, in which North Korean leader Kim Jong-un was shown as the main antagonist and an object of ridicule.

Lazarus Group attacked the SWIFT system to make transfers worth about $1 billion from the South Asian republic’s government account. By the time security officers discovered the unwanted activity, $81 million had already been withdrawn by the criminals.

Technical security was strengthened after this incident. With the WannaCry ransomware, hundreds of thousands of computers were attacked by criminals, who demanded a $300 ransom in Bitcoin.

In some European countries, the work of medical institutions was also paralyzed by the attackers. Car manufacturers such as Renault and Japan’s Nissan were also harmed.

How Much Money Has the Crypto Industry Lost Because of Lazarus Group?

With the rapid growth of digital assets, North Korean hackers have turned their attention to this segment of finance. In 2017 and 2018 alone, the attackers hacked 14 crypto exchanges and stole a total of $882 million in assets. The Lazarus Group also learned to attack not only whole platforms but individual users at the same time.

The attackers hacked the Ronin sidechain, stealing around $620 million worth of crypto assets from users of the Axie Infinity game. In the summer of 2022, the Lazarus group attacked Harmony’s Horizon cross-chain bridge and the decentralized Atomic Wallet.

The total damage from these two attacks is estimated at $135 million. According to analysts, around $1.7 billion was stolen by North Korean cybercriminals in a single year, and the figure keeps rising.

The largest hack in the history of the cryptocurrency industry happened on Feb 21, 2025, and the target was the Bybit exchange. The hackers withdrew around $1.4 billion worth of Ethereum after gaining access to one of the platform’s cold wallets.

Soon afterwards, on-chain analyst ZachXBT “provided irrefutable evidence” of Lazarus Group’s involvement in the attack. Attacks of this kind also damage the credibility of the cryptocurrency industry.

For example, U.S. authorities used Lazarus Group’s activity as grounds to impose sanctions against the Tornado Cash, Blender, and Sinbad mixers, which the hackers allegedly used to launder stolen funds. However, such restrictions do not stop the attackers from quickly finding alternative routes to withdraw funds.

The hackers can attack not only local exchanges and micro projects but also platforms with a “green” security score.

Is Lazarus Group Connected With the DPRK (Democratic People’s Republic of Korea)?

Given the oppressive nature of the North Korean dictatorship, it is inconceivable that such complex operations could be carried out without state involvement. Ordinary citizens of the DPRK do not have access to the Internet; only privileged citizens can use it. These include the leader’s entourage, managers, and employees of enterprises of strategic importance.

Apart from these high-ranking officials, the rest of the population has to make do with the isolated Kwangmyong network, which contains only information provided by the regime. The epicentre of North Korean cybercrime is Lab 110, which falls under the state council headed by Kim Jong-un. As confirmed by the Russian Korea scholar Andrei Lankov, strike groups of North Korean hackers are based outside the DPRK:

“They have some pretty good training centres. Technically they have a good level. By the way, these centres are not physically located in Korea. For a very long time, one of the largest centres was located in a hotel in the Chinese city of Shenyang, where they lived, going out into the city only under the supervision of a special officer. I believe that even now such bases continue to exist in different countries of the world, mainly in East and Southeast Asia.”

Are the Hacked Funds Used in Nuclear Programs?

There is no direct evidence that these funds go to nuclear programs, but the likelihood is high. The DPRK refused, on principle, to cooperate with the IAEA (International Atomic Energy Agency); back in 2008, Pyongyang officially notified the agency that it “no longer needs the agency’s surveillance services” at nuclear power facilities. It is therefore very difficult to determine the sources of funding for this sector.

However, according to reports, North Korean cybercriminals are busy collecting funds to develop weapons of mass destruction. In February 2004, Reuters published excerpts from a secret report by the UN sanctions committee.

According to the report, North Korean hackers are suspected of at least 58 attacks that had netted around $3 billion at the time of publication. Almost the same figures were disclosed in Microsoft’s Cybersecurity Report. According to estimates by ICAN (International Campaign to Abolish Nuclear Weapons), Pyongyang spent $667 million on its nuclear program in 2020.

A great deal of time is required to convert the stolen funds to fiat. As indicated by Bitdefender Labs analysts, members of the organization target employees in the nuclear and aviation sectors and try to obtain secret information and access to corporate accounts.

According to Reuters, in late 2021 the computer networks of NPO Mashinostroyenia, located in Reutov near Moscow, were hacked by Lazarus Group. The hackers were gathering information important for the production of intercontinental ballistic missiles.

Lazarus Group – One of a Kind?

Lazarus group is not a single entity. It consists of different units responsible for different targets and types of attacks. At the same time, the Kimsuky and Ricochet Chollima groups also operate from the DPRK.

Structures similar to the Lazarus group exist in many states with non-democratic regimes: China (Red Apollo, Double Dragon, Numbered Panda, and many others), Iran (Charming Kitten, Helix Kitten, Elfin Team), Russia (Cozy Bear, Fancy Bear, Primitive Bear, and others), and Saudi Arabia (OurMine).

Because of the negative image of the DPRK as “the last totalitarian regime” and Pyongyang’s principled refusal of any kind of cooperation, Lazarus Group is seen as “absolute evil”. This attitude leads not only to justified accusations but also to a negative impact on the crypto industry.
