Top 9 Crypto Heists by Lazarus Group: How They Stole Billions


Key Takeaways

  • Lazarus Group transitioned from banks to crypto – Initially targeting traditional financial institutions, the group shifted to cryptocurrency.
  • State-backed cybercrime raises global concerns – Many experts believe Lazarus operates with North Korea’s support.
  • DeFi platforms and exchanges remain prime targets – Lazarus exploits vulnerabilities in cross-chain bridges, hot wallets, and smart contracts.
  • Regulatory scrutiny and security upgrades are increasing – As Lazarus’s attacks grow more sophisticated, governments and exchanges are tightening security to prevent future breaches.

The crypto world has many players—some aiming to reshape global finance, others exploiting its vulnerabilities. Few have made a bigger impact than Lazarus Group, a hacking organization that has stolen billions from banks, governments, and, more recently, crypto platforms.

Unlike typical cybercriminals, Lazarus is believed to operate with state backing, turning its heists into more than just financial crimes. Its attacks have raised global security concerns, forcing law enforcement agencies worldwide to track its movements. 

The group has evolved from traditional bank fraud to blockchain-based theft.

As it refines its methods, it continues to fuel North Korea’s financial operations through large-scale cyber heists.

Before turning to crypto, Lazarus Group had already been breaching financial institutions and corporations. In 2014, it hacked Sony Pictures Entertainment, leaking sensitive data in retaliation for a film critical of North Korea. 

Two years later, it infiltrated the Bangladesh Bank, attempting to steal $1 billion through fraudulent SWIFT transactions. A typo in one of the transfer requests raised suspicion, but $81 million had already been withdrawn and laundered.

As cryptocurrency adoption grew, Lazarus Group shifted its focus to a faster, less regulated financial system. Crypto provided the perfect opportunity—allowing them to steal, move, and launder funds with fewer restrictions. 

In their latest and most audacious move, Lazarus Group pulled off a staggering crypto heist, draining $1.5 billion from Bybit, marking the largest exchange breach to date.

The FBI has officially attributed several significant cryptocurrency thefts to the Lazarus Group, a North Korean state-sponsored cyber actor, and has linked these heists to funding North Korea’s weapons programs.

Below are nine of the largest crypto heists linked to Lazarus Group. They show how they breached systems, moved stolen assets, and exposed critical weaknesses in crypto security.

| Heist | Year | Amount | Exploited Vulnerability |
| --- | --- | --- | --- |
| Bybit Exchange Heist | 2025 | $1.5 Billion | Hot wallet compromise |
| WazirX Exchange Hack | 2024 | $234.9 Million | Multi-signature wallets |
| Stake.com Breach | 2023 | $41 Million | Social engineering |
| Atomic Wallet Exploit | 2023 | $100 Million | Provider-level private keys |
| Harmony Horizon Attack | 2022 | $100 Million | Bridge private keys |
| Ronin Network Heist | 2022 | $625 Million | Validator nodes |
| ElectricFish Incident | 2019 | $49.5 Million | Network tunneling malware |
| KuCoin Exchange Breach | 2020 | $280 Million | Phishing + hot wallets |
| WannaCry Ransomware | 2017 | Unspecified | NSA exploit + ransomware |

1. Bybit Exchange Heist

  • Year: 2025
  • Amount: $1.5 Billion

What happened:

Lazarus Group executed the biggest crypto heist in history, draining $1.5 billion from Bybit, a Dubai-based exchange. They compromised multiple security layers, directly targeting the exchange’s hot wallets and siphoning 401,000 Ethereum.

Analysts traced the on-chain movements of stolen assets and linked the laundering process to North Korean-affiliated wallets. This attack surpassed every previous crypto theft, reinforcing Lazarus Group’s dominance in financial cybercrime.

2. WazirX Crypto Exchange Hack

  • Year: 2024
  • Amount: $234.9 Million

What happened:

Hackers infiltrated India’s largest cryptocurrency exchange, WazirX, exploiting multi-signature wallet vulnerabilities to drain $234.9 million in various transactions.

Reports suggest Lazarus Group used phishing and social engineering attacks to gain access to private keys before executing the heist. The breach destabilized India’s crypto market, forcing regulators to tighten exchange security requirements.

3. Stake.com Breach

  • Year: 2023
  • Amount: $41 Million

What happened:

Hackers targeted Stake.com, an online crypto gambling platform, stealing $41 million in Ethereum, Bitcoin, and stablecoins. The attack relied on social engineering tactics, where Lazarus operatives tricked employees into granting access to internal withdrawal mechanisms.

Once inside, they executed unauthorized withdrawals and immediately funneled funds through laundering networks. 

4. Atomic Wallet Exploit

  • Year: 2023
  • Amount: $100 Million

What happened:

Thousands of users of Atomic Wallet, a non-custodial crypto wallet, woke up to find their funds drained overnight. Hackers compromised private keys at the wallet provider level, allowing them to siphon $100 million in Bitcoin, Ethereum, and stablecoins.

Victims reported that no transactions were initiated on their end, suggesting a backdoor or undisclosed vulnerability in the wallet’s infrastructure. Blockchain forensics firms confirmed that the stolen funds were funneled through Tornado Cash, a signature Lazarus laundering method. 

This incident shattered confidence in self-custody wallets, proving that not even private wallets were safe from nation-state hackers.

5. Harmony’s Horizon Bridge Attack

  • Year: 2022
  • Amount: $100 Million

What happened:

Hackers exploited weak private key security in Harmony’s Horizon Bridge, draining $100 million in Ethereum, Binance Coin, and other assets. Automated withdrawal scripts allowed Lazarus Group to extract funds before the team realized the breach.

Investigators traced the stolen funds to wallets controlled by North Korean-backed hackers, further proving their ability to exploit blockchain security flaws. This attack followed the same cross-chain bridge pattern as the Ronin heist, showing that Lazarus was refining its techniques.

6. Ronin Network Heist

  • Year: 2022
  • Amount: $625 Million

What happened:

Lazarus Group orchestrated the largest decentralized finance (DeFi) hack in history, targeting the Ronin Network, which powered Axie Infinity’s in-game economy. By compromising five out of nine validator nodes, hackers took control of the blockchain bridge, allowing them to forge fake transactions and steal 173,600 ETH and 25.5 million USDC.

The breach went undetected for six days, allowing Lazarus Group to begin laundering the funds through mixers and decentralized exchanges. The attack collapsed trust in Axie Infinity’s economy and prompted major regulatory crackdowns on DeFi security standards. The FBI later officially confirmed Lazarus’s involvement.

7. September 2019 ElectricFish Incident

  • Year: 2019
  • Amount: $49.5 Million

What happened:

Lazarus Group used a custom malware tool, ElectricFish, to penetrate financial systems in multiple countries. The most successful breach targeted a Kuwaiti financial institution, draining $49.5 million before authorities detected the intrusion.

ElectricFish acted as a covert tunneling tool, helping Lazarus bypass firewalls and move stolen funds undetected. Analysts believe this incident was a test run for larger financial cyberattacks, refining techniques they would later use against crypto exchanges. The attack bridged the gap between traditional bank heists and their full pivot to crypto thefts.

8. KuCoin Exchange Breach

  • Year: 2020
  • Amount: $280 Million

What happened:

Hackers breached KuCoin’s hot wallets, siphoning $280 million worth of Bitcoin, Ether, and dozens of other cryptocurrencies. The attack started with phishing techniques to access internal systems before executing coordinated withdrawals across multiple tokens.

KuCoin’s security team responded quickly, freezing and recovering some of the stolen funds. However, the attack revealed how Lazarus Group adapted its tactics, shifting from bank fraud to crypto-focused hacking. Investigators traced parts of the stolen assets to money-laundering networks linked to North Korea, reinforcing Lazarus’s direct involvement.

9. WannaCry Ransomware Attack

  • Year: 2017
  • Amount: Unspecified – Global Impact

What happened:

A self-spreading ransomware attack crippled over 200,000 computers across 156 countries within hours, causing millions of dollars in damage. It infiltrated hospital networks, government agencies, and major corporations, locking users out of their files and demanding Bitcoin ransom payments for decryption. 

The UK’s NHS suffered massive disruptions, forcing hospitals to cancel surgeries and shut down emergency services.

Investigators later uncovered that the ransomware was built using a leaked National Security Agency (NSA) exploit, an advanced cyberweapon repurposed for criminal use. The attack is widely linked to Lazarus Group, showing North Korea’s shift toward cyber-enabled financial extortion.

Despite causing billions in damages, the hackers made only a few hundred thousand dollars from ransom BTC payments, proving their focus was not just on money but also on economic sabotage.

Conclusion

Lazarus Group redefined financial cybercrime, moving from bank fraud to crypto heists that fund North Korea’s nuclear ambitions. Their attacks exposed systemic security failures across exchanges, wallets, and DeFi platforms.

Despite law enforcement tracking their movements, Lazarus keeps adapting its tactics. The fight against this state-backed crypto crime group is far from over.

FAQs

How does Lazarus Group hide stolen crypto?

They use mixers like Tornado Cash, decentralized exchanges (DEXs), and chain-hopping to erase transaction trails. Funds are moved through multiple wallets before being converted into fiat.

What hacking tools does Lazarus Group use?

They deploy custom malware, phishing scams, and social engineering tactics. Tools like ElectricFish and AppleJeus help them bypass security measures and infiltrate financial systems.

Has anyone from Lazarus Group been arrested?

No key members have been caught. The U.S. has sanctioned individuals linked to the group, but Lazarus keeps adapting, making it hard to track them down.

Can stolen crypto be recovered?

Some exchanges have managed to freeze funds before they were laundered, but recovery becomes nearly impossible once assets are mixed or moved across wallets.

