Lazarus Group
The most widely used name for North Korea's state-sponsored hacking apparatus, run under its Reconnaissance General Bureau. Blamed for the Sony hack, the Bangladesh Bank SWIFT heist, WannaCry, and — since ~2017 — many of the largest crypto thefts ever. Chainalysis puts DPRK's cumulative crypto haul near $6.75B, used to fund the regime's weapons programs.
Also known as: Lazarus Group, Hidden Cobra, APT38, BlueNoroff, Andariel, Guardians of Peace, ZINC, TEMP.Hermit, Diamond Sleet, Reconnaissance General Bureau
On attribution: "Lazarus Group" is a label applied by governments and security firms to overlapping North Korean state hacking units. Attributions below are those of the cited authorities (FBI, U.S. Treasury, DOJ, UN) and analytics firms (Chainalysis, Elliptic, Mandiant); cyber-attribution is rarely 100% certain. See the linked case entries for incident-specific findings.
Overview
Lazarus Group is the most common name for a set of state-sponsored hacking units operated by North Korea's military-intelligence agency, the Reconnaissance General Bureau (RGB). When the U.S. Treasury sanctioned it in September 2019, it listed numerous aliases used across the security industry, including Hidden Cobra, Guardians of Peace, APT-C-26, Group 77, Office 91, ZINC, and TEMP.Hermit. The same action sanctioned two RGB sub-groups, Bluenoroff (a.k.a. APT38) and Andariel. [1]
Structure and sub-units
Researchers track several overlapping clusters under the Lazarus/RGB umbrella:
- Bluenoroff / APT38 — focused on financial theft (banks, exchanges). [1][2]
- Andariel — espionage plus revenue generation. [1]
- TraderTraitor (Jade Sleet / UNC4899) — recent exchange mega-thefts (see its own entry).
- Contagious Interview / UNC4736 (AppleJeus, Citrine Sleet) — fake-recruiter malware (see its own entry).
A February 2021 U.S. indictment alleged these RGB units operated as "a single conspiracy." [2]
Early operations (pre-crypto)
Lazarus is linked to a string of landmark intrusions: the 2014 Sony Pictures Entertainment hack; the February 2016 Bangladesh Bank heist, in which attackers used compromised SWIFT credentials to issue 35 fraudulent transfer requests totaling ~$951 million (most were blocked, but ~$81 million was taken and laundered through Philippine casinos); and the 2017 WannaCry ransomware outbreak. The Bangladesh heist marked a turning point — a nation-state stealing for profit. [2][6]
Pivot to cryptocurrency
From around 2017, Lazarus increasingly targeted cryptocurrency. Campaigns such as "AppleJeus" distributed trojanized trading apps, and the group went after exchanges, cross-chain bridges, DeFi protocols, wallet software, and individual holders. U.S. and UN officials assess the proceeds fund North Korea's nuclear-weapons and ballistic-missile programs.
Linked scams & cases
- Ronin Network bridge hack (Axie Infinity) [Attributed actor; Projects]: The Ronin bridge behind the game Axie Infinity was drained of about $625M in ETH and USDC in March 2022 after attackers obtained validator keys. U.S. authorities attributed the theft to North Korea's Lazarus Group, and OFAC sanctioned the wallet.
- Harmony Horizon Bridge hack [Attributed actor; Projects]: Harmony's Horizon bridge was exploited for about $100M in June 2022 after attackers compromised multisig signing keys. The FBI later attributed the theft, along with the Ronin hack, to North Korea's Lazarus Group.
- KuCoin hack
Sources (8)
1. Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. U.S. Department of the Treasury.
2. 3 North Korean Military Hackers Indicted in Wide-Ranging Scheme (>$1.3B). U.S. DOJ / Secret Service.
3. North Korea Responsible for $1.5 Billion Bybit Hack. U.S. FBI.
4. $2.2 Billion Stolen in Crypto in 2024 (DPRK $1.34B). Chainalysis.
5. 2025 Crypto Theft Reaches $3.4 Billion (DPRK cumulative ~$6.75B). Chainalysis.
6. The Lazarus heist: How North Korea almost pulled off a billion-dollar hack. BBC News.
7. North Korea-linked Atomic Wallet heist tops $100 million. Elliptic.
8. Lazarus Group Pulled Off 2020's Biggest Exchange Hack (KuCoin). Chainalysis.
See also
- Heather Morgan [Individuals]: An entrepreneur and rapper known as 'Razzlekhan' who helped her husband Ilya Lichtenstein launder bitcoin stolen in the 2016 Bitfinex hack. She pleaded guilty in 2023 and was sentenced in November 2024 to 18 months in prison.
- Angel Drainer [Organizations & groups]: A wallet-drainer-as-a-service operation (≈85/15 affiliate/developer split) specialized in EVM chains. Most notably, Angel Drainer malware was used in the December 2023 Ledger Connect Kit supply-chain attack, which drained roughly $500K–$600K from DeFi users in a few hours.
- Monkey Drainer [Organizations & groups]
This page was last updated on Jun 8, 2026.