North Korean Hackers Steal $100 Million from Cryptocurrency Payment Services

North Korean hackers from the Lazarus Group [3], believed to be operating on behalf of the North Korean government [5], have allegedly stolen nearly $100 million from two cryptocurrency payment services [2] [3]. These attacks highlight the ongoing threat posed by cybercriminals to the cryptocurrency industry [2].


Over the past two years [5], Lazarus has been responsible for multiple high-profile cryptocurrency thefts [5]. Their recent theft of $37.3 million from Tallinn-based payments gateway CoinsPaid on July 22, 2023, and the larger attack resulting in a total theft of $60 million from crypto payments provider Alphapo, demonstrate their capabilities. The motive behind the theft is suspected to be funding for North Korea’s nuclear weapons program [3].

The attackers targeted Alphapo, a centralized crypto payment provider for gambling sites and e-commerce subscription services [4]. They initially stole an estimated $23 million, including various cryptocurrencies drained from hot wallets [4]. They further drained an additional $37 million of TRON and BTC [4], bringing the total amount stolen to $60 million [4]. The attack bears characteristics of a Lazarus heist [4], and the group has been previously linked to other high-profile cryptocurrency thefts [4]. Their modus operandi typically involves using fake job offers to compromise computers and gain unauthorized access to victims’ employer networks [4].

The stolen funds have been tracked to cryptocurrency exchanges [4], where laundering attempts have been observed [4]. It is believed that the attackers stole private keys to gain access to the wallets [4]. However, the involvement of the North Korean threat group in the Alphapo hack has not been independently confirmed at this time [4].

In February 2021 [5], the US Department of Justice indicted three members of the Reconnaissance General Bureau [5], a North Korean military intelligence agency [5], for their involvement in Lazarus hacking campaigns [5]. These individuals are Jin Hyok [5], Jon Chang Hyok [5], and Kim Il [5]. Lazarus was placed on the SDN List under North Korea Sanctions Regulations section 510.214 by the US Treasury’s OFAC on April 14, 2022 [5].

Despite the loss [1], customer funds remained intact [1], but the platform’s availability was affected [1]. The targeted services [2], CoinsPaid and Alphapo [2] [3], both based in Estonia [2], took immediate action to strengthen their security systems. CoinsPaid assured its clients that their funds remained safe and accessible [6]. Prominent entities in the crypto industry [6], along with Estonian law enforcement authorities [6], are actively participating in the investigation [6].


The theft of nearly $100 million by North Korean hackers from cryptocurrency payment services raises concerns about the security of the cryptocurrency industry. The ongoing threat posed by cybercriminals [2], particularly groups like Lazarus, highlights the need for robust security measures and constant vigilance. The involvement of a state-sponsored threat group in these attacks further underscores the potential geopolitical implications. Efforts to strengthen security systems and collaborate with law enforcement authorities are crucial in mitigating future attacks and safeguarding customer funds.