Who Is Lazarus Group? – The North Korean Group Terrorizing The Crypto Industry

In the shadowy corridors of cyberspace, where governments and rogue entities wage silent wars, one name frequently surfaces veiled in enigma: the Lazarus Group. A clandestine operation linked to North Korea, this group has left a digital trail of destruction, siphoned millions from global banks, and unleashed cyber-attacks on critical infrastructures across the world. This investigative report delves into the labyrinth of questions surrounding this cybercrime behemoth, decoding its methods, scrutinizing its impacts, and questioning the global attempts to curb its activities.

[embedded content]

The Enigma of Lazarus Group

Known by various monikers including the Guardians of Peace, Whois Team, Hidden Cobra (a title bestowed by the U.S. Department of Homeland Security), and Zinc (as named by Microsoft), the Lazarus Group is a cybercrime syndicate of unidentified size, operating under the aegis of the North Korean government. Although initial activities were mostly criminal in nature, the organization’s recent attacks have elevated it to the status of an advanced persistent threat, showcasing its capability to engage in long-term, targeted cyber-operations.

While North Korea generally doesn’t acknowledge its role in global cyber warfare, a defector by the name of Kim Kuk-song revealed that the group is internally recognized as the “414 Liaison Office” within North Korean corridors. These cyber operations offer North Korea an asymmetric advantage, requiring only a small team of operators to wield considerable influence and threat, particularly against its southern neighbor.

The Early Offensives

Tracing back to their earliest known operation, aptly named “Operation Troy,” which spanned from 2009 to 2012, the Lazarus Group targeted the South Korean government with distributed denial-of-service (DDoS) attacks. As their techniques evolved, they orchestrated more sophisticated attacks, including the globally infamous assault on Sony Pictures in 2014.

The Financial Heists

Over the years, the group’s activities have not been limited to espionage or governmental sabotage; they have financially crippled organizations as well. Reports indicate successful heists that range from stealing $12 million from Ecuador’s Banco del Austro to an audacious $81 million raid on Bangladesh Bank. They’ve also targeted banks in Poland, Mexico, and Taiwan, amassing millions, some of which have been recovered. This criminal group has been very active in the cryptocurrency sphere as well, confirmed to have stolen well over $47 million in crypto until today.

Shadowy Affiliations and Sub-groups

Cybersecurity firms like Kaspersky Lab have further dissected the Lazarus Group, revealing sub-entities like Bluenoroff, specializing in financial cyber-attacks. But as with all things Lazarus, the truth is layered in complexities. Kaspersky cautioned that their operational codes could be ‘false flags,’ designed to mislead investigators, thereby entangling the narrative surrounding their true identity and North Korean affiliations.

Adding another layer of complexity, the group is believed to have been behind the global WannaCry ransomware attack, leveraging an NSA exploit known as EternalBlue. While Symantec reported that it was “highly likely” Lazarus was involved, the true extent of their participation in global cyber-attacks remains veiled in secrecy and speculation.

Intricately woven with deceptions and continuously morphing tactics, the Lazarus Group remains a high-stakes enigma in the world of cybercrime and cyber warfare. As we continue this investigative deep dive, we’ll strive to separate myth from reality, all while understanding that in the world of Lazarus, nothing is ever as it seems.

The Genesis of Lazarus

The genesis of the Lazarus Group can be traced back to as early as 2009, with their first known operation dubbed “Operation Troy.” Initially, their attacks were somewhat rudimentary, employing unsophisticated DDoS techniques aimed primarily at the South Korean government.

Despite these humble beginnings, the group quickly evolved. Originally a criminal syndicate, Lazarus has since been elevated to the status of an advanced persistent threat, engaging in increasingly complex and damaging operations. Their transformation over time has been alarming, both in terms of technical prowess and their audacity to target governments and financial institutions globally.

Is Lazarus a Government-Backed Criminal Group?

The Lazarus Group, also known by its Advanced Persistent Threat designation APT38, is more than just a shadowy organization of rogue hackers. Recent reports from cybersecurity firms like Cisco Talos point to a highly sophisticated and evolving apparatus with ties to the North Korean government. The group’s latest activities include the deployment of two new Remote Access Trojans (RATs), targeting critical infrastructures and healthcare systems in Europe and the United States.

What sets Lazarus apart from other cybercriminal groups is their rapid adaptation to new vulnerabilities. For instance, the group exploited a critical flaw (CVE-2022-47966) in ManageEngine ServiceDesk within days of the availability of a proof-of-concept exploit. This shows not just agility but also a level of organization and resource allocation that is consistent with state-sponsored activities. Moreover, their toolset—known malware families such as MagicRAT, VSingle, YamaBot, and TigerRAT—have all been previously attributed to Lazarus by government agencies in Japan and Korea.

This evolution of tactics is alarming. The new RAT, named QuiteRAT by Talos researchers, is streamlined, compact, and yet almost as powerful as its predecessor, MagicRAT. QuiteRAT can execute commands and deploy additional payloads remotely, making it a potent weapon for cyber espionage and sabotage.

The verdict is pretty much clear: Lazarus is not just a criminal group but a state-sponsored hacking team, serving the geopolitical and strategic interests of North Korea.

Who is Lazarus Group Targeting?

It would be an understatement to say that Lazarus is casting a wide net. Earlier documented campaigns have targeted energy providers in the United States, Canada, and Japan. However, their exploits now extend beyond energy, reaching into the critical sectors of healthcare and internet backbone infrastructure.

The group’s focus on essential sectors indicates a strategic selection of targets that align with political and economic vulnerabilities. They appear to be focusing on crippling or compromising systems that would have the most immediate and far-reaching consequences if disabled. And it’s not just about espionage; they also aim to disrupt.

What’s concerning is that the Lazarus Group doesn’t shy away from evolving its arsenal to better match its targets. For instance, while investigating QuiteRAT, researchers discovered another RAT named CollectionRAT, linked to earlier North Korean cyber activities. CollectionRAT was designed to collect identifying system information and relay it back to command-and-control servers. This ever-evolving, highly targeted approach suggests that Lazarus isn’t merely opportunistic but is working off a playbook that reflects long-term objectives.

Political Implications of Lazarus

The activities of Lazarus Group are not isolated events but parts of a larger geopolitical landscape. Operating as a state-sponsored entity, the group reflects North Korea’s foreign policy objectives which, in essence, seek to challenge the existing world order. The group’s advanced persistent threats have both immediate and long-term consequences.

In the short term, attacks on critical infrastructure in healthcare and energy sectors can have catastrophic humanitarian implications. They also create a destabilizing effect that can serve North Korea’s interests by distracting or compromising the capabilities of adversary nations.

Long-term, these activities signify a bold strategy by North Korea to employ asymmetrical warfare methods. Cyber operations offer a low-cost, high-reward avenue for North Korea to assert its influence and challenge its enemies, especially more technologically advanced nations like the United States and its allies. Furthermore, cyber espionage enables North Korea to acquire sensitive information that could be used in traditional forms of warfare or as a bargaining chip in international negotiations.

Lastly, the consistent upgrading and evolution of malware tools signify that this is an ongoing initiative with sustained backing and development. As long as Lazarus remains active, it serves as a constant reminder of the increasingly blurry lines between criminal activities and statecraft in the digital age.

Lazarus in the Cryptocurrency Industry

The Lazarus Group is feared in the cryptocurrency industry as well. This criminal group based in North Korea is accountable for some of the biggest cryptocurrency thefts of all time. Until today, experts estimate that over $1 billion in crypto has been stolen from Lazarus. More accurate reports, however, show that the group is accountable for at least $240 million in stolen crypto.

List of Lazarus Crypto Hacks

  • Atomic Wallet (~$100 million)
  • CoinsPaid (~$37 million)
  • Alphapo (~$60 million)
  • Stake.com (~$41 million)
  • CoinEx (~$54 million)
  • Ronin Network (~540 million)

Lazarus Group’s Way of Laundering Crypto

The Lazarus Group’s tactics in the realm of cryptocurrency laundering are both sophisticated and adaptive. One of their more recent stratagems involves exploiting the anonymity of Tornado Cash, a smart contract-based mixing service on the Ethereum blockchain, to launder massive amounts of stolen crypto. An internal analysis by Elliptic reveals that as of April 14th, the group successfully laundered 18% of their illicit funds, employing a blend of decentralized and centralized techniques.

Wallets & Transactions of Lazarus Group. Source: Elliptic

Initially, the attackers started by converting stolen USDC to ETH using decentralized exchanges (DEXs). The move was shrewd, designed to evade the stringent anti-money laundering (AML) and ‘know your customer’ (KYC) regulations that centralized exchanges adhere to. Stablecoins like USDC can be frozen by their issuers, making them less than ideal for illicit activities. By using DEXs, the group could swap these stablecoins for ETH, a cryptocurrency less susceptible to seizure. This tactic has increasingly become the norm in the decentralized finance (DeFi) criminal landscape, as noted in Elliptic’s report on the rise of “DeCrime.”

Surprisingly, the group then took an unconventional step by laundering $16.7 million worth of ETH through three centralized exchanges, despite these platforms having rigorous AML procedures. This act was a deviation from typical DeFi exploits but consistent with previous actions linked to the Lazarus Group.

Leveraging Tornado Cash

However, when exchanges declared their intention to cooperate with law enforcement, the group shifted its strategy again, this time embracing Tornado Cash. The platform is designed to obfuscate the origins of transactions, making it a perfect tool for money laundering. To date, transactions totaling $80.3 million worth of ETH have been sent through Tornado Cash by the group.

The Lazarus Group’s calculated use of Tornado Cash underscores the evolving complexity of cybercrime in the cryptocurrency space. It demonstrates the group’s ability to dynamically adapt to risks and roadblocks, showing that the fight against crypto-based financial crime is far from straightforward. Authorities and exchanges must continually adapt to these sophisticated techniques to curb the illicit flow of funds effectively.


  • State-Sponsored Operations: Lazarus Group is not just a criminal organization but is backed by the North Korean government, making it a formidable advanced persistent threat (APT).
  • The group has targeted various sectors, including healthcare, energy, crypto, and financial institutions, indicating a broad agenda that goes beyond simple financial gain.
  • The group constantly evolves its hacking techniques, as seen with the development of new Remote Access Trojans (RATs) like QuiteRAT and MagicRAT.
  • Lazarus Group employs sophisticated methods to evade detection, such as swapping stolen stablecoins for ETH through decentralized exchanges to bypass AML and KYC checks.
  • The group has successfully executed high-profile financial heists, including a significant $81 million theft from Bangladesh Bank and using Tornado Cash for laundering.
  • Lazarus Group has been terrorizing the crypto industry for years. One of the biggest attacks done by Lazarus on the crypto industry is the Ronin Network hack, where the group got away with $540 million.
  • Despite centralized exchanges’ anti-money laundering obligations, the group still used them for laundering, indicating a high level of confidence and risk-taking in their operations.

Comments are closed.