Lazarus Group: How a Sanctioned State Built the World's Most Effective Crypto-Theft Operation
A profile of Lazarus Group, North Korea's state-sponsored cyber operation responsible for billions in cryptocurrency theft, financial-sector intrusions, and supply-chain attacks. Tradecraft, history, recent campaigns, and what European NIS2 and DORA entities should take from it.
Lazarus Group: How a Sanctioned State Built the World's Most Effective Crypto-Theft Operation
In February 2025, a routine cold-to-hot wallet transfer at the cryptocurrency exchange Bybit was intercepted. By the time the company's CEO posted reassurances on social media, approximately $1.5 billion in Ethereum had been redirected to attacker-controlled addresses — the largest single digital-asset heist in history. Five days later the FBI's Internet Crime Complaint Center issued a Public Service Announcement attributing the theft to North Korea, naming the cluster of activity it tracks as TraderTraitor, more widely known as the Lazarus Group.
This profile covers the actor behind that heist — what is known about it, what its 2025-2026 operations have looked like, and why a sanctioned state's cyber programme is now the single most consequential threat to financial entities under DORA. For how cyber threat actor activity meets the regulatory layer, see the complete NIS2 and DORA guide. For a focused brief on a current Lazarus-linked campaign, see Memory-Only, Reporting-Heavy: What the Lazarus RemotePE Campaign Means for DORA.
What is known about Lazarus Group
Lazarus is the most-tracked North Korea-linked threat cluster, and one of the most-named in the field. The various designations reflect twenty years of overlapping intelligence-vendor and government tracking:
- Lazarus Group — the general cluster name, used across the industry
- TraderTraitor — the FBI's preferred label for the financially-motivated sub-cluster
- APT38 — the financially-motivated unit specifically, in older Mandiant tracking
- BlueNoroff — Kaspersky's label for the financially-motivated sub-cluster
- Stardust Chollima — CrowdStrike
- Hidden Cobra — older CISA designation
The attribution is unusually clean by threat actor standards. The FBI, the US Treasury, CISA, the UK NCSC, and the United Nations Panel of Experts have all publicly attributed Lazarus activity to North Korea's Reconnaissance General Bureau (RGB), the country's primary intelligence service. The operations are widely assessed to be a state revenue programme — a key source of hard currency for a regime under comprehensive international sanctions, with theft proceeds funding the country's ballistic missile and nuclear weapons programmes.
The scale is, by 2026, settled fact. Chainalysis attributes US$2.02 billion in stolen cryptocurrency to North Korea-linked actors in 2025 alone — a 51% year-on-year increase, pushing cumulative DPRK-linked theft past US$6.75 billion. TRM Labs reports an independent figure of US$1.92 billion. In the first four months of 2026, TRM Labs assessed North Korea-linked actors as responsible for roughly 76% of all global crypto theft tracked in that period. These are not the numbers of an opportunistic criminal enterprise. They are the numbers of a state revenue line.
The 2025-2026 operational record
The Bybit heist (21 February 2025) — $1.5 billion
The defining operation. On 21 February 2025, hackers intercepted a scheduled transfer of approximately $1.5 billion in Ethereum from one of Bybit's cold wallets to a hot wallet, redirecting the funds to attacker-controlled addresses. The attack vector was not a direct compromise of Bybit's infrastructure. It was a supply-chain compromise of the Safe{Wallet} multisig wallet platform that Bybit used to authorise signings.
The forensic accounts from Sygnia and Verichains, confirmed by the Safe Ecosystem Foundation, established the mechanism: a Safe{Wallet} developer machine was compromised, providing access to an account operated by Bybit. The on-chain transaction was silently rewritten so that signers approved a transfer to attacker-controlled addresses while the user interface they were looking at displayed the legitimate destination. The signers approved what they thought they were approving. The blockchain executed what the attackers had substituted.
The FBI issued its public attribution on 26 February 2025, naming TraderTraitor / Lazarus Group. Blockchain analysis firms Elliptic, TRM Labs, and Chainalysis independently confirmed the attribution based on laundering patterns and infrastructure overlaps with prior DPRK-attributed thefts. By 2026 the Bybit incident alone accounted for approximately $1.46 billion of the year's DPRK-linked theft total.
KelpDAO (18 April 2026) — $290 million
On 18 April 2026, the LayerZero-supporting protocol KelpDAO was exploited for approximately $290 million. A token linked to the Ethereum cryptocurrency was drained through a forged cross-chain message after parts of the underlying infrastructure were compromised. LayerZero stated in its public response that "preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK's Lazarus Group." This is a vendor's preliminary attribution rather than a settled government one, but the technical pattern — supply-chain compromise of supporting infrastructure to enable a forged transaction — closely resembles the Bybit playbook.
The TraderTraitor / DeFi targeting pattern
Beyond the headline incidents, the operational pattern across 2025 and 2026 is consistent: targeting of cryptocurrency exchanges, DeFi protocols, and the infrastructure providers that support them, via trust-relationship compromises rather than direct technical assault on the eventual victim. North Korean operators have also been documented posing as legitimate IT workers to gain employment at crypto companies, providing inside access to internal systems — an operation type distinct from external intrusion but part of the same state revenue programme.
Diplomatic spear-phishing (2025)
A parallel operational stream targets diplomatic communications. Between March and July 2025, DPRK-linked actors are assessed to have carried out at least 19 spear-phishing campaigns against embassies worldwide, impersonating trusted diplomatic contacts with credible meeting invitations, official letters, and event invitations. This is intelligence-collection activity sitting alongside the revenue operation.
The RemotePE campaign (current, May 2026)
Live as of this writing: a memory-only RAT — RemotePE — assessed by Rescana, Fox-IT, and NCC Group as a Lazarus-linked campaign targeting financial, cryptocurrency, and DeFi organisations. The campaign begins with social engineering — operators posing as employees of investment firms, contact via Telegram, fraudulent scheduling platforms — culminating in deployment of malware engineered to leave no disk artefacts. We covered the regulatory implications in Memory-Only, Reporting-Heavy: What the Lazarus RemotePE Campaign Means for DORA.
Recurring tradecraft
Across the Lazarus operational record, four patterns are particularly consequential for DORA-regulated entities:
- Supply-chain compromise as the preferred initial vector. The pattern — compromise the third-party infrastructure your target depends on, rather than the target itself — recurs across Bybit (Safe{Wallet}), KelpDAO (cross-chain message infrastructure), and the broader 2024-2025 pattern of compromising IT staffing providers and DeFi support vendors.
- UI/transaction substitution attacks. The Bybit operation demonstrated that signing-tool compromise can rewrite what's actually transmitted while displaying what the signer expects to see. This is a category of risk that conventional access-control and segregation-of-duties controls do not address — the signers behaved correctly; the substrate lied to them.
- Memory-only and anti-forensic tradecraft. RemotePE-class malware, and earlier Lazarus implants, are engineered for forensic silence. The detection-and-response surface depends on behavioural and in-memory tooling that many financial entities do not deploy at scale.
- Social engineering at the boundary of legitimate business activity. The "investment firm contacting via Telegram about a scheduled meeting" lure is calibrated to defeat policy-level defences. The contact looks plausible to staff in business-development, treasury, and trading roles who legitimately field unsolicited contact from external parties.
Why Lazarus matters for DORA-regulated entities
Three implications for financial entities — including crypto-asset service providers under MiCA, payment institutions, investment firms, and any DORA-regulated entity holding or transacting in digital assets.
The threat is structural, not opportunistic. Lazarus operates as a state revenue programme. Its activity does not respond to victim defensive maturity in the way a financially-motivated criminal might shift to softer targets — it responds to the regime's funding requirements. For a DORA entity in the crypto-asset space, this is not a risk that recedes when the firm hardens; it is a risk that adjusts its approach.
Pillar 4 third-party risk is where Lazarus operates. The Bybit operation was not a failure of Bybit's perimeter. It was a failure of due diligence and architecture around a critical ICT third-party provider. DORA Articles 28 to 30 — see DORA Third-Party Oversight — codify exactly the kind of provider scrutiny that Lazarus operations exploit when it is absent. The Register of Information, properly built, is the dependency map that lets a financial entity see where it is structurally exposed.
The DORA incident reporting clock collides with Lazarus tradecraft. A successful Lazarus intrusion is engineered for forensic invisibility. DORA's major-incident reporting cadence — initial notification within hours of classification — assumes a baseline of forensic visibility that memory-only implants attack. The defensible operational posture is to invest in detection capability before the incident, and to recognise that the final report may have to honestly state forensic gaps the malware was designed to create.
How you would actually watch this
Three concrete monitoring postures.
Counterparty and supplier infrastructure as part of your attack surface. A crypto exchange's exposure to Lazarus runs through its wallet providers, its custody platforms, its multi-sig signing infrastructure, its IT staffing providers, and its developer tooling — not (only) through its own perimeter. The DORA Register of Information, treated as intelligence rather than paperwork, is the map of where this exposure lives. See DORA Register of Information: Template and Requirements.
Pre-intrusion social-engineering monitoring. Lazarus's documented contact patterns — Telegram outreach impersonating investment firms, fraudulent scheduling platforms, IT-worker placement — are detectable at the policy and awareness layer before any malware is deployed. Briefing staff in business-development, trading, treasury, and developer-hiring roles on the specific lure patterns is a near-free control that operates upstream of any endpoint tool.
Blockchain and on-chain intelligence as an external signal. Chainalysis, Elliptic, TRM Labs, and similar firms maintain attribution databases of DPRK-linked wallet addresses. For entities transacting in digital assets, integrating these feeds into transaction monitoring is a way to detect outbound exposure — payments to wallet clusters associated with DPRK actors — that internal telemetry alone cannot surface.
The honest framing
Two notes on attribution and context.
The DPRK attribution is unusually well-supported. Most threat actor profiles depend on intelligence-vendor assessments. The Lazarus / DPRK attribution carries unusual weight: it has been made publicly by the FBI (multiple times), the US Treasury (with explicit sanctions designations), CISA, the UK NCSC, and the United Nations Panel of Experts. The specific Bybit attribution rests on the FBI's IC3 PSA combined with concurrent attributions by Elliptic, TRM Labs, and Chainalysis based on independent blockchain analysis. This is among the strongest publicly attributable threat actor claims in the field.
The motivation distinguishes Lazarus from criminal actors. A ransomware affiliate optimises for ransom payment. Lazarus optimises for sustained, large-scale extraction of value into a state laundering apparatus. The defensive implications differ accordingly: a ransomware victim that pays is, in a narrow sense, "done"; a Lazarus victim is funding a sanctioned state's weapons programme, with secondary legal and reputational consequences that may exceed the immediate loss.
The takeaway
Three things follow.
- Lazarus is a state revenue programme operating in the financial sector's most critical infrastructure. $2 billion stolen in 2025, 76% of all 2025 service compromises by share, and no indication of slowing in 2026.
- The tradecraft attacks supply chain and trust relationships rather than perimeters. Bybit, KelpDAO, and the broader operational pattern compromise the providers your security depends on. DORA Pillar 4 is the regulatory response.
- Awareness, detection, and forensic capability matter most. Memory-only, anti-forensic tradecraft means investment in behavioural detection, in-memory forensics, and threat intelligence pays back specifically against this actor.
For the broader cross-domain analysis of supplier-driven risk, The Trust Supply Chain. For the specific regulatory implications of a current Lazarus-linked campaign, Memory-Only, Reporting-Heavy: What the Lazarus RemotePE Campaign Means for DORA.
Sources & further reading
- FBI Internet Crime Complaint Center (IC3) — Public Service Announcement attributing the Bybit theft to TraderTraitor / Lazarus Group (26 February 2025)
- US Treasury Office of Foreign Assets Control — Lazarus Group sanctions designations
- United Nations Panel of Experts — DPRK cyber-revenue assessments
- Chainalysis — 2026 Crypto Crime Report ($2.02B DPRK attribution; $6.75B cumulative)
- TRM Labs — 2026 crypto theft analysis ($1.92B parallel attribution; 76% DPRK share)
- Elliptic — Bybit theft attribution analysis
- LayerZero — KelpDAO incident statement (April 2026)
- Sygnia and Verichains — Bybit incident forensic post-mortems
- Safe Ecosystem Foundation — Bybit incident statement
- Rescana, Fox-IT, NCC Group — RemotePE / Lazarus campaign analysis (2026)
- CSIS — The Bybit Heist and the Future of U.S. Crypto Regulation
- CISA — Hidden Cobra / Lazarus advisories
- UK National Cyber Security Centre — DPRK advisories
Attribution note: The DPRK / Lazarus Group attribution for the operations described above derives from explicit public attribution by the FBI, US Treasury, and multiple intelligence and blockchain analytics firms (Chainalysis, Elliptic, TRM Labs). Specific operations and figures are sourced from the named primary sources and reported here as their stated assessments.