- North Korean Hackers have stolen approximately $3 billion between 2017-2023, with an additional $1.7 billion from attacks on WazirX and Bybit in recent years.
- At least five North Korean Hacking organizations target the crypto industry, with Lazarus Group being the most notorious for high-profile attacks.
- These threat actors employ increasingly sophisticated methods from phishing to supply chain hijacks, sometimes planning attacks that take up to a year to execute.
North Korean crypto hacking operations have escalated in both sophistication and scale, according to a new report by Paradigm titled “Demystifying the North Korean Threat.” The Cybersecurity research reveals that state-backed hackers have developed complex attack methodologies targeting cryptocurrency exchanges and infrastructure, representing a growing threat to the digital asset industry.
According to United Nations estimates, North Korean hackers successfully stole $3 billion between 2017 and 2023. This figure has increased dramatically in recent years, with attacks against exchanges WazirX and Bybit netting approximately $1.7 billion in stolen funds.
The report identifies at least five distinct North Korean hacking organizations targeting the cryptocurrency sector: Lazarus Group, Spinout, AppleJeus, Dangerous Password, and TraitorTrader. Additionally, a network of North Korean operatives poses as legitimate IT professionals to infiltrate technology companies globally.
Lazarus Group, the most infamous of these organizations, has executed several high-profile attacks since 2016. Their targets have included Sony and the Bank of Bangladesh in 2016, followed by involvement in the WannaCry 2.0 Ransomware attack in 2017. The group’s focus on cryptocurrency began with attacks on exchanges Youbit and Bithumb in 2017, followed by the 2022 Ronin Bridge exploit that resulted in hundreds of millions in stolen assets.
Most notably, Lazarus Group is credited with the 2025 theft of $1.5 billion from Bybit, one of the largest cryptocurrency heists to date. Security researchers also believe the group may be connected to various Solana memecoin scams.
These North Korean cyberattacks employ diverse methodologies, including direct assaults on exchanges, social engineering, phishing campaigns, and complex supply chain hijacks. Some operations demonstrate remarkable patience, with attackers meticulously planning their approach over periods extending up to a year.
After successful attacks, Lazarus Group follows predictable money laundering patterns according to Chainalysis and other blockchain intelligence firms. The group fragments stolen funds into progressively smaller amounts distributed across numerous wallets, converts illiquid tokens to those with higher liquidity, and consolidates much of the value into Bitcoin. Following these conversions, they often hold the assets for extended periods until law enforcement attention diminishes.
Law enforcement has made some progress in identifying the perpetrators. The FBI has identified three alleged members of the Lazarus Group, with the U.S. Justice Department indicting two individuals in February 2021 for involvement in global cybercrime operations.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- NHL’s Devils Join Theta EdgeCloud with AI Chatbot, Expanding Sports Adoption
- Bitcoin Dips to Two-Week Low as Trump’s Tariff Deadline Looms
- ‘Crypto Fascist’ ICERAID Site Offers Rewards for Immigration Snitches
- FTX to Begin $11.4B Creditor Payouts as BitMEX Founders Receive Pardon
- ‘Crocodilus’ Malware Steals Crypto by Tricking Android Wallet Users
