Inside Lazarus Group: North Korea’s Financial Cyber Army
Learn how Lazarus became North Korea’s financial warfare unit and why its crypto attacks expose deeper risks across DeFi security.
Key takeaways
What this means: Lazarus isn’t a rogue hacker crew; it’s a state revenue engine, and that single reframing should reshape how every crypto team defends.
- Lazarus is North Korea’s state-directed financial warfare unit, not a conventional cybercriminal gang.
- DPRK-linked hackers stole $2.02 billion in crypto in 2025, nearly 60% of all reported crypto theft that year.
- That haul equals roughly 7–8% of North Korea’s estimated 2024 output (Bank of Korea), near $26.6 billion.
- Isolation forged the capability: concentrated talent, zero private-sector competition, and cyber theft wired in as core state revenue.
- This part maps where that power comes from. Beating it demands resilience, not just attribution.
Behind many of the largest crypto hacks in the past decade sits the same recurring name: Lazarus Group. Its operations have moved from bank theft and exchange breaches into bridges, DeFi protocols, developer infiltration, and supply-chain attacks.
In this article, we will examine how Lazarus became one of the most dangerous cyber threats in crypto, where its capabilities come from, and why defending against it requires more than tracking wallets after an exploit.
What Is the Lazarus Group?
The Lazarus Group is the public name used by Western cybersecurity firms to describe a network of DPRK-linked cyber units operating under North Korea’s military intelligence system. These units are widely associated with the Reconnaissance General Bureau, known as RGB, and its cyber division, Bureau 121.
Lazarus should be understood as a state-directed cyber apparatus rather than an independent criminal organization. Its role extends beyond hacking for profit. It supports North Korea’s need for hard currency, helps the regime offset sanctions pressure, and turns cyber operations into a strategic revenue channel.
This distinction matters. When Lazarus is treated as only a sophisticated hacker group, defense tends to focus on attribution, wallet tracking, and post-incident investigation. When Lazarus is understood as a state-backed financial warfare unit, the priority shifts toward exposure limits, operational resilience, access control, and system design built to withstand repeat attacks.
Chain Chameleon’s View
“I have tracked this group across a decade of breaches, and the costliest mistake I still watch teams make is filing Lazarus under ‘sophisticated hackers.’ That label is comforting, and it is wrong. We aren’t fighting opportunists chasing a payday. We’re fighting a salaried military unit with a national mandate to monetize our weakest link, and it never clocks out. Once that lands, the whole roadmap flips. You stop optimizing for detection after the money is gone and start engineering for survival when, not if, you get hit. Treat every signer, every contractor, and every bridge verifier as a front line, because to Pyongyang, that is exactly what they are.” — Chain Chameleon, Senior Researcher, Cryptothreads
Why Does North Korea Have Such Strong Cyber Capabilities?
The answer is counterintuitive: North Korea’s cyber strength emerged from isolation and scarcity. Since the late 1980s, the regime has built a centralized talent pipeline that identifies technically gifted students early, trains them inside state institutions, and directs a disproportionate share of elite technical talent into military cyber units.
Unlike open economies, North Korea has almost no private technology sector competing for skilled engineers. Operators also face coercive retention mechanisms, which can keep them inside the same state-run system for years. As a result, cyber capability becomes concentrated, institutionalized, and difficult to disrupt.
This article examines 2 core questions: who Lazarus actually is, and why North Korea’s political and economic structure gave it such unusual cyber power.
Argument 1: Lazarus Functions as a Financial Warfare Unit
How many subgroups does Lazarus have, and what do they do?
Lazarus is often used as an umbrella label for several DPRK-linked cyber clusters. Cybersecurity firms may classify these clusters differently, yet most reporting points to a coordinated state system with separate missions.
| Subgroup | Primary Mission | Notable Operations |
|---|---|---|
| APT38 / BlueNoroff | Direct theft from banks and crypto exchanges | Bangladesh Bank 2016 ($81M), Coincheck 2018 ($530M, linked) |
| TraderTraitor | Infiltration via fake job interviews targeting crypto developers | Axie/Ronin 2022 ($625M), Bybit 2025 ($1.5B) |
| Andariel | Attacks on military and energy infrastructure; ransomware deployment | Maui ransomware strain |
| Kimsuky | Diplomatic spearphishing targeting think tanks and defectors | Information operations, no revenue mandate |
Some units focus on direct theft from banks and crypto exchanges. Others specialize in fake job interviews, developer infiltration, ransomware, military targeting, or diplomatic spearphishing. This division matters because Lazarus doesn’t operate like a loose hacker circle chasing random targets. It works like a state cyber apparatus, with different teams assigned to different strategic objectives.
Which North Korean government body does Lazarus report to?
Lazarus operates under the Reconnaissance General Bureau, known as RGB, North Korea’s military intelligence agency. Public reporting also links DPRK cyber activity to Bureau 121, a cyber unit based in Pyongyang with overseas operating nodes in China, Russia, and parts of Southeast Asia.
This command structure matters because Lazarus sits inside a state military system. Russian, Chinese, and Iranian cyber actors often operate through mixed models involving contractors, civilian cover, military agencies, or state-linked networks. DPRK cyber operators appear more tightly embedded in a military chain, with salaries, discipline, and long-term state control shaping how they operate.
Lazarus therefore functions less like a loose hacker network and more like a military cyber arm built to generate hard currency, gather intelligence, and support North Korea’s sanctions-evasion strategy.
How large is Lazarus compared with North Korea’s economy?
Public estimates suggest DPRK cyber operations have become a major hard-currency channel for the regime. UN sanctions reporting has indicated cyber activity generated a large share of North Korea’s foreign-currency earnings in recent years, while later sanctions analysis reached a similar conclusion: cybercrime now plays a central role in Pyongyang’s external revenue strategy.
The scale is unusually large. In 2025, DPRK-linked hackers stole $2.02 billion in crypto, according to Chainalysis. Measured against North Korea’s estimated 2024 output near $26.6 billion (Bank of Korea), this equals roughly 7–8% of national output. For a heavily sanctioned economy with limited access to global trade, this turns cyber theft into a strategic financial instrument rather than a side operation.
This is what separates North Korea from other cyber powers. China, Russia, and Iran use cyber operations for espionage, sabotage, influence, and strategic leverage. North Korea also uses cyber operations as a revenue engine. Lazarus is therefore best understood as a state-sponsored financial warfare unit, built to convert digital attacks into hard currency for the regime.
Timeline of Major Lazarus Operations: 2016 to Present
The sustained cadence and accelerating scale over time are the unmistakable hallmarks of a national program, not opportunistic criminal activity.
| Year | Target | Loss | Subgroup |
|---|---|---|---|
| 2016 | Bangladesh Bank (SWIFT) | $81M | APT38 |
| 2018 | Coincheck (Japan) | $530M | APT38 |
| 2020–21 | KuCoin | ~$281M | APT38 |
| 2022 | Ronin Network (Axie Infinity) | $625M | TraderTraitor |
| 2022 | Harmony Horizon Bridge | $100M | TraderTraitor |
| 2023 | Atomic Wallet | ~$100M | TraderTraitor |
| 2024 | DMM Bitcoin (Japan) | $308M | TraderTraitor |
| 2024 | WazirX (India) | ~$235M | TraderTraitor |
| 2025 | Bybit | $1.5B | TraderTraitor |
| 2026 | KelpDAO (LayerZero) | $292M | TraderTraitor |
Confirmed total across verified attributions: approximately $6.75 billion through end of 2025 (Chainalysis 2026 Crypto Crime Report; corroborated by TRM Labs and DOJ filings). The scale curve accelerates sharply from 2022 onward: while the largest single operation before 2022 was $530M (Coincheck, 2018), just a few years later Bybit lost $1.5 billion in a single day (FBI attribution, February 2025).
Argument 2: DPRK’s Attack Capability Comes from Isolation, Not Despite It
How does a country with no public internet produce world-class hackers?
Because North Korea’s talent pipeline began in 1986, before the World Wide Web existed, and has always been fully nationalized, facing zero competition from any private sector. Mirim College (now Kim Il Military University) selects students from age 11 through nationwide mathematics, physics, and foreign language examinations. Only students from families classified as “core loyal” under the songbun social stratification system are eligible.
From Mirim, the highest performers enter Kim Il-sung University or Kim Chaek University of Technology, then proceed directly into RGB’s cyber units. Approximately 200–300 individuals complete this full pipeline each year (Recorded Future Insikt Group; CCDCOE estimates).
“In North Korea, if you are born with a natural aptitude for mathematics, you have no option to go work at Google or Tencent. The only path to using that talent, and to seeing the outside world, is to become a military hacker.” — Kim Heung-kwang, former North Korean computer science professor, defected 2004, interviewed by NK News in 2019.
5 mechanisms turning isolation into cyber advantage
The 5 mechanisms below didn’t come from a single deliberate strategy. They emerged from North Korea’s totalitarian structure and isolation. Together, they create a cyber-offense environment with concentrated talent, low labor mobility, weak domestic legal risk, and unusually high economic returns.
- Absolute domain focus. In a typical country, a mathematically gifted person has dozens of career paths: finance, AI, cybersecurity, startups. In North Korea, the only route to a “relatively good life” for a technically talented individual is cyber offense. The result: nearly all of a nation’s top-tier talent is concentrated in a single program, a concentration that few, if any, states match.
- Zero labor friction. Lazarus operators face no labor laws, no working-hour limits, no burnout culture. They operate 24/7 in rotating shifts. Timezone analysis by Chainalysis and Mandiant across major attacks (Chainalysis 2024 DPRK report; Mandiant APT38 threat report) shows Lazarus is most active during UTC 14:00–04:00, precisely aligned with North American crypto company business hours and Asian company end-of-day.
- Zero domestic legal friction. Russian state hackers (such as Mikhail Matveev, also known as Wazawaka) can be abandoned by Russia itself if international investigations dig deep enough. Chinese hackers in APT1 were given civilian cover before DOJ indictments arrived. For North Korea, this scenario never exists: the state never surrenders its operators. They conduct operations with no risk of legal consequence trailing them home.
- Absolute talent retention. In Silicon Valley or Beijing, a strong developer with a $500K/year offer can switch employers every year. In North Korea, exit isn’t an option: leaving the unit is equivalent to defection, with consequences extending to 3 generations of family under the yeonjwaje collective punishment principle. The result: operators remain in their units for 15–20 years, accumulating institutional knowledge at a depth no industry can sustain.
- Extraordinary economic margin. Lazarus operators generate tens of millions of dollars per year in value delivered to the state. Their actual compensation: a few hundred dollars per month, military housing, and food rations. The margin between value created and personnel cost is among the highest of any industry in the world, and it allows the DPRK to invest in infrastructure (VPN chains, proxy networks, malware labs, synthetic identities) at a scale wildly disproportionate to its overall GDP.
What role do DPRK overseas IT workers play?
DPRK overseas IT workers give North Korea 2 advantages: revenue and access. Public U.S. advisories describe thousands of North Korean IT workers using false identities to win remote jobs across software, crypto, and technology companies.
On the surface, they appear to be freelance developers working through global hiring platforms. In practice, much of their income is sent back to Pyongyang. This gives the regime a steady hard-currency stream outside normal trade channels.
Their second role is more dangerous for crypto. When a DPRK-linked worker enters a crypto company, DeFi protocol, or software vendor, they can collect internal information, study security controls, and expose weak points for later attacks. This turns ordinary hiring risk into a national-security problem for digital asset companies.
Why has the “sanctions will strangle Lazarus” strategy failed?
Sanctions limit North Korea’s access to legal hard-currency channels. Yet this pressure also increases Pyongyang’s incentive to invest in cyber theft. As legitimate revenue paths shrink, cyber operations become more valuable to the regime.
This creates a self-reinforcing loop that runs counter to what sanctions intend: stronger sanctions increase the need for hard currency, which increases investment in Lazarus-linked operations. Instead of weakening cyber activity, isolation can make cyber theft more central to North Korea’s financial strategy.
This explains why Lazarus has expanded across banks, exchanges, bridges, DeFi protocols, and software supply chains. The group isn’t operating around sanctions pressure. It is operating because sanctions pressure made cyber revenue strategically important.
How does an asymmetric attack surface work?
North Korea has a very small domestic digital attack surface. Its internal network, Kwangmyong, is largely separated from the global internet, while outside access remains limited to selected officials and cyber personnel.
This creates an asymmetric battlefield. Foreign defenders have few domestic DPRK systems to target, while Lazarus can attack a vast global surface: crypto exchanges, DeFi protocols, cross-chain bridges, wallets, software vendors, developer teams, cloud systems, and hiring pipelines.
The result is a structural advantage. Lazarus can search for one weak point across thousands of connected systems, while defenders must secure every signer, employee account, dependency, validator path, and operational process.
Summary: Understand the Threat Correctly to Defend Against It
Lazarus is difficult to stop through detection, attribution, or prosecution alone. Its state backing gives operators protection while crypto’s open systems give them a wide attack surface. For crypto and DeFi, the practical defense is resilience: limit exposure, isolate failures, protect signing processes, and prepare recovery before the next attack happens.
What this means for DeFi teams right now:
- Cap single-point exposure. The KelpDAO loss flowed from a 1-of-1 verifier; multi-sig signing, multi-verifier setups, and withdrawal time-delays on large transfers turn one compromise into a contained incident rather than a total drain.
- Treat hiring as an attack surface. Vet remote contributors, segment access for new developers, and assume that infiltration, not just code exploits, is now a primary vector.
- Rehearse recovery. Pre-arrange freeze coordination with bridges and L2 security councils, since the window to claw back funds is short and laundering typically completes within roughly 45 days.
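To make the first recommendation concrete, the following added example (not code from the original article or from any project it names) models a treasury or bridge withdrawal guard in Python: a 1-of-1 verifier with no delay beside an N-of-M policy with a time-lock on large transfers. The class, verifier names and amounts are hypothetical; the point is that one compromised verifier can no longer move funds by itself, and even a quorum cannot move a large amount before the delay elapses.

```python
from dataclasses import dataclass, field


@dataclass
class Withdrawal:
    amount: int
    dest: str
    created_at: int              # unix seconds when proposed
    approvals: set = field(default_factory=set)
    executed: bool = False


class WithdrawalPolicy:
    """Hypothetical guard: `threshold` of `verifiers` must approve, and any
    withdrawal above `large_limit` must also wait `delay_seconds` before it
    can execute. A 1-of-1 policy with delay 0 reproduces the weak setup."""

    def __init__(self, verifiers, threshold, large_limit, delay_seconds):
        assert 1 <= threshold <= len(verifiers)
        self.verifiers = set(verifiers)
        self.threshold = threshold
        self.large_limit = large_limit
        self.delay = delay_seconds
        self.queue = {}
        self.next_id = 0

    def propose(self, amount, dest, now):
        wid = self.next_id
        self.next_id += 1
        self.queue[wid] = Withdrawal(amount, dest, now)
        return wid

    def approve(self, wid, verifier):
        if verifier not in self.verifiers:
            return "unknown_verifier"
        self.queue[wid].approvals.add(verifier)   # set: re-approval is idempotent
        return "ok"

    def execute(self, wid, now):
        w = self.queue[wid]
        if w.executed:
            return "already_executed"
        if len(w.approvals) < self.threshold:
            return "insufficient_approvals"
        if w.amount > self.large_limit and now - w.created_at < self.delay:
            return "timelock_active"             # window for freeze coordination
        w.executed = True
        return "executed"


def single_verifier_attempt(policy, verifier, amount, now):
    """Simulate one compromised verifier trying to move `amount` immediately."""
    wid = policy.propose(amount, "constructed_dest", now)
    policy.approve(wid, verifier)
    return policy.execute(wid, now)
```

With the weak policy the single approval executes at once; with 2-of-3 plus a 24-hour delay the same action stalls, and the delay is the window in which freeze coordination described above can happen.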
Sources
- Chainalysis 2026 Crypto Crime Report Introduction - https://www.chainalysis.com/blog/2026-crypto-crime-report-introduction/
- Chainalysis, 2025 Crypto Theft Reaches $3.4 Billion - https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/
- FBI, North Korea Responsible for $1.5 Billion Bybit Hack - https://www.ic3.gov/psa/2025/psa250226
- CISA / FBI / Treasury, TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies - https://www.ic3.gov/CSA/2022/220418.pdf
- Google Cloud / Mandiant, Assessed Cyber Structure and Alignments of North Korea in 2023 - https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023
- CCDCOE, The All-Purpose Sword: North Korea’s Cyber Operations and Strategies - https://www.ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf
- Bank of Korea, Gross Domestic Product Estimates for North Korea in 2024 - https://www.bok.or.kr/eng/bbs/E0000634/view.do?menuNo=400423&nttId=10093293
- U.S. Department of Justice, North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions - https://www.justice.gov/archives/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and
- U.S. Department of Justice, Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe - https://www.justice.gov/archives/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and
- U.S. Treasury, Treasury Sanctions Facilitators of DPRK IT Worker Fraud and Cyber Schemes - https://home.treasury.gov/news/press-releases/sb0416
- FBI, North Korean IT Worker Threats to U.S. Businesses - https://www.fbi.gov/investigate/cyber/alerts/2025/north-korean-it-worker-threats-to-u-s-businesses
- Elliptic, North Korea-Linked Hackers Have Already Stolen Over $2 Billion in 2025 - https://www.elliptic.co/blog/north-korea-linked-hackers-have-already-stolen-over-2-billion-in-2025
- TRM Labs, North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks - https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks
- Reuters, North Korea Laundered $147.5 Million in Stolen Crypto in March, Say UN Experts - https://www.reuters.com/technology/cybersecurity/north-korea-laundered-1475-mln-stolen-crypto-march-say-un-experts-2024-05-14/
- Al Jazeera, North Korea Recruits Hackers at School - https://www.aljazeera.com/features/2011/6/20/north-korea-recruits-hackers-at-school
FAQ
The Lazarus Group belongs to the Democratic People's Republic of Korea (DPRK), operating under the Reconnaissance General Bureau (RGB) and its internal unit Bureau 121. This is a formal state military intelligence agency, not an independent criminal organization, nor a state-patronized group in the style of Russian or Chinese hackers.