The Lazarus Group [1] [2] [3] [4] [5] [6], also known as CryptoCore and APT38, is a North Korea-linked cybercriminal organization that has been involved in multiple cyber-attacks targeting cryptocurrency exchanges. This group has gained notoriety for its sophisticated phishing attacks and malware installation, allowing them to steal millions of dollars in cryptocurrency.


The Lazarus Group has conducted cyber-attacks on cryptocurrency exchanges in various countries, including Israel [1], the US [5] [7], Europe [7], and Japan [7]. Their modus operandi involves phishing attacks that install malware on employees’ computers, granting them access to crypto wallets [7]. Since May 2018 [7], it is estimated that Lazarus has stolen approximately $200 million, with $70 million coming from crypto exchange heists [7]. This adds to their previous theft of approximately $900 million in cryptocurrency between July 2022 and July of this year [2] [4] [6].

To convert and launder the stolen funds, the group has utilized cross-chain bridges and solutions like Avalanche Bridge, leading to a significant increase in the use of such services. In total, Lazarus is believed to have stolen nearly $240 million in cryptocurrency since June 2023 [2] [4], targeting platforms such as Atomic Wallet [2], CoinsPaid [2], Alphapo [2], [2], and CoinEx [2] [4]. They have also employed cross-chain solutions to move the stolen assets [6].

The United States has linked Lazarus to the theft of nearly $615 million worth of cryptocurrency from the online game Axie Infinity [1], with the U.S. [5] Treasury Department identifying a digital currency address used by the hackers as being under the control of Lazarus [1]. Blockchain analytics firms have confirmed North Korea’s involvement in the hack [1]. The Lazarus Group has also been accused of previous cyber-attacks [1], including the “WannaCry” ransomware attacks and the hacking of international banks [1].

As a result of these activities, the United States is pushing for the U.N [1]. Security Council to blacklist the Lazarus Group and freeze its assets [1]. South Korea’s National Intelligence Service has also warned of North Korea’s hacking activities [2] [3] [6], specifically targeting its shipbuilding sector through methods such as phishing emails and malicious code distribution. The Ronin hack [1], attributed to Lazarus, resulted in one of the largest cryptocurrency heists on record [1]. Sky Mavis [1], the company behind Axie Infinity [1], plans to reimburse the stolen funds using its own balance sheet funds and investments from Binance [1]. Additional security measures will be implemented before redeploying the Ronin Bridge [1].


The Lazarus Group’s cyber-attacks on cryptocurrency exchanges have had significant financial implications, with millions of dollars stolen. The group’s utilization of cross-chain bridges has contributed to the rise of chain-hopping [3], a type of cryptocurrency crime that involves quickly moving assets across tokens or blockchains to hide their origin. To combat North Korea’s illicit activities [5], including cybercrime and cryptocurrency theft [5], the FBI and other US government partners will continue their efforts [5]. In response to the increasing threat of cyber-attacks on cryptocurrency, the U.S. [1] [7] Treasury Department intends to publish crypto cybersecurity guidelines to help protect against stolen virtual currency [1]. The impacts of these attacks highlight the need for enhanced security measures and international cooperation to mitigate future cyber threats in the cryptocurrency space.