North Korea's Crypto Hacking Machine: How the Lazarus Group Steals and Launders Billions

Defy Team
2025-02-25
Tags: North Korea, Lazarus Group, DPRK, crypto hacking, blockchain analytics, OFAC sanctions, Travel Rule, AML compliance, DeFi security, Bybit hack
## What Is the Lazarus Group and Why Does North Korea Hack Crypto?

The Lazarus Group is a state-sponsored advanced persistent threat (APT) unit operating under North Korea's Reconnaissance General Bureau (RGB), the primary intelligence apparatus of the Democratic People's Republic of Korea (DPRK). Unlike financially motivated cybercriminal gangs, Lazarus Group functions as a government instrument: its stolen cryptocurrency directly finances the DPRK's ballistic missile and nuclear weapons programs, providing an estimated 40–50% of the regime's hard-currency income according to a 2023 United Nations Panel of Experts report. The group has been active since at least 2009, but pivoted aggressively toward cryptocurrency targets after 2017, when international sanctions cut off North Korea's traditional financial channels. Understanding Lazarus Group is foundational to crypto compliance because its wallets, techniques, and laundering infrastructure represent the highest-tier threat in blockchain financial crime today.

The scale of DPRK crypto theft is quantifiably massive. Chainalysis reported that North Korean hackers stole approximately $1.7 billion in cryptocurrency in 2022 alone, making it the most prolific year on record at that time. That figure was surpassed in subsequent years: the 2024 Chainalysis Crypto Crime Report estimated that DPRK-linked groups have stolen over $3 billion in total since 2017. The February 2025 Bybit hack, the single largest crypto theft in history and attributed to Lazarus Group, added approximately $1.5 billion to that cumulative total, fundamentally resetting the scale of what nation-state crypto crime looks like. These are not opportunistic crimes; they are systematic, intelligence-driven operations executed with military precision against carefully chosen targets.

## How Does the Lazarus Group Execute Crypto Heists?
Lazarus Group attacks follow a consistent operational playbook that combines sophisticated social engineering, zero-day exploit deployment, and deep pre-attack reconnaissance. The group's most common initial access vector is spear-phishing: operatives pose as venture capitalists, recruiters, or protocol contributors on LinkedIn, Discord, and Telegram, sending malicious PDF files or fake job offers that deploy custom malware strains including AppleJeus, TraderTraitor, and BLINDINGCAN. Once inside a target organization's network, the group moves laterally, harvests private keys or compromises multi-signature wallet infrastructure, and executes withdrawals in a single coordinated event designed to outpace incident response.

The Ronin Network bridge hack in March 2022, which resulted in a loss of $625 million (the largest DeFi exploit at the time), exemplifies this methodology. Lazarus operatives compromised five of the nine validator nodes that controlled the Ronin bridge by targeting Sky Mavis (Axie Infinity's developer) employees with fraudulent job offers. A senior engineer downloaded a malicious PDF that gave attackers persistent access to internal systems. Over several months, the attackers gained control of validator private keys and drained 173,600 ETH and 25.5 million USDC; the theft was discovered only six days later. The delayed discovery gave the group a critical laundering head start. The US Treasury's Office of Foreign Assets Control (OFAC) subsequently attributed the hack to Lazarus Group and sanctioned associated wallet addresses in April 2022 (Treasury.gov, April 14, 2022).

The Harmony Horizon Bridge hack in June 2022 followed an almost identical pattern. Attackers compromised two of the five multi-signature keys controlling the bridge, draining $100 million in assets including ETH, BNB, USDC, and DAI. The FBI formally attributed this attack to Lazarus Group in January 2023.
The Atomic Wallet hack in June 2023 differed in scale and attack vector (it involved a supply-chain compromise or user-device attack affecting individual wallet holders) but resulted in losses exceeding $100 million and was similarly attributed to DPRK-linked actors by blockchain forensics firms including Elliptic and TRM Labs. The pattern across all three incidents is consistent: target infrastructure with weak multi-signature governance, execute a single decisive withdrawal event, and immediately begin laundering.

## What Happened in the 2025 Bybit Hack?

The February 21, 2025 Bybit hack represents a qualitative escalation in both scale and technique. Approximately $1.5 billion in stETH, mETH, and other liquid staking tokens was drained from Bybit's Ethereum cold wallet in a single transaction sequence. Blockchain forensics firms including Chainalysis, TRM Labs, and ZachXBT attributed the attack to Lazarus Group within 48 hours, with ZachXBT publishing on-chain evidence connecting the attacker wallets to previously confirmed DPRK infrastructure. The FBI formally attributed the hack to the TraderTraitor cluster, a Lazarus sub-group, on February 26, 2025.

What made the Bybit attack technically remarkable was the social engineering of the Safe{Wallet} multi-sig interface itself. Attackers compromised the developer infrastructure of Safe (formerly Gnosis Safe), injecting malicious JavaScript into the signing interface that Bybit's operations team used. When Bybit signers approved what appeared to be a routine internal transfer, they were unknowingly signing a transaction that replaced the wallet's master contract with a malicious version. This blind-signing attack defeated hardware wallet protections because the transaction displayed as legitimate to the signers.
It represents the most sophisticated known application of UI-layer social engineering against institutional crypto infrastructure to date, and prompted immediate industry-wide reviews of multi-signature governance procedures at exchanges and custodians.

| Hack | Date | Amount Stolen | Attack Vector | Attribution / OFAC Action |
|------|------|---------------|---------------|---------------------------|
| Ronin Bridge | March 2022 | $625M | Compromised validators via spear-phishing | Sanctioned April 2022 |
| Harmony Bridge | June 2022 | $100M | Compromised multi-sig keys | FBI attribution Jan 2023 |
| Atomic Wallet | June 2023 | $100M | Supply-chain / device compromise | TRM/Elliptic attribution |
| Stake.com | September 2023 | $41M | Compromised hot wallet keys | FBI attribution Sept 2023 |
| Radiant Capital | October 2024 | $50M | Malicious PDF, device compromise | TRM attribution Oct 2024 |
| Bybit | February 2025 | ~$1.5B | Safe UI supply-chain attack | FBI attribution Feb 2025 |

## How Does North Korea Launder Stolen Cryptocurrency?

The laundering of DPRK-stolen funds is a sophisticated multi-stage process designed to break the on-chain traceability that blockchain analytics enables. The primary tools and techniques used by Lazarus Group for laundering have been documented extensively by OFAC, the FBI, and private blockchain intelligence firms, and include mixing services, cross-chain bridging, over-the-counter (OTC) brokers, and nested exchange accounts in jurisdictions with weak AML enforcement.

Tornado Cash was the dominant mixing tool used for DPRK laundering from 2020 through 2022. Tornado Cash is an Ethereum-based smart contract mixer that breaks the link between deposit and withdrawal addresses by pooling funds. OFAC sanctioned Tornado Cash in August 2022, specifically citing its use to launder over $455 million stolen by Lazarus Group (Treasury.gov, August 8, 2022).
Despite the sanctions, and the subsequent prosecution of Tornado Cash developer Roman Storm in the United States, on-chain data shows DPRK-linked wallets continued to use Tornado Cash contracts after sanctions were imposed, reflecting the technical limitation of sanctioning a smart contract: the deployed code keeps executing regardless of who is listed. Post-Bybit, blockchain analytics firms tracked portions of the stolen funds moving through Tornado Cash within days of the hack.

Chain-hopping, also called cross-chain bridging, is the second primary laundering technique. Attackers convert stolen assets to a native chain asset (typically ETH or BNB), then use decentralized bridges or cross-chain swap aggregators to move funds across multiple blockchains in rapid succession (from Ethereum to Tron to Bitcoin to Avalanche, for example), specifically to exploit gaps in cross-chain monitoring. Each bridge hop creates a new transaction graph that analysts must stitch together across different blockchain data sources. A 2023 TRM Labs report identified that DPRK-linked groups used at least seven different bridge protocols in laundering operations that year. The Ronin hack proceeds were converted through renBTC to Bitcoin, then layered through Bitcoin mixing services, demonstrating a preference for Bitcoin's liquidity and the maturity of its OTC market for final cash-out.

The final cash-out layer historically involved OTC desks and nested exchanges in East Asia, particularly in China, that facilitate cryptocurrency-to-fiat conversion without KYC documentation. The US Department of Justice indicted two Chinese nationals, Tian YinYin and Li Jiadong, in 2020 for laundering over $100 million in funds stolen by Lazarus Group through OTC transactions and bank accounts.
More recently, OFAC and the DOJ have targeted virtual asset service providers (VASPs) in jurisdictions including the UAE and Southeast Asia that have processed DPRK funds, reflecting a geographic shift in the cash-out infrastructure as law enforcement pressure on Chinese OTC networks intensified.

## What Are the OFAC Sanctions on Lazarus Group Wallets?

OFAC's Specially Designated Nationals (SDN) list is the primary US regulatory instrument for addressing DPRK crypto activity, and it now contains hundreds of cryptocurrency addresses linked to Lazarus Group and associated sub-clusters including APT38, BlueNoroff, and Stardust Chollima. The initial OFAC designation of Lazarus Group itself as an SDN occurred in September 2019 under Executive Order 13722, which authorizes sanctions against entities supporting North Korea's weapons of mass destruction programs. Critically, OFAC clarified in 2021 that US persons are prohibited from processing transactions involving sanctioned cryptocurrency addresses, meaning that any exchange, wallet provider, or DeFi protocol with a US nexus must screen against the SDN list in real time.

The practical compliance obligation for VASPs is significant. OFAC's October 2022 guidance on virtual currency sanctions compliance stated explicitly that blockchain analytics tools are an expected component of a compliance program for entities operating in the crypto space (Treasury.gov, October 15, 2022). Receiving funds traceable to an OFAC-sanctioned address, even through multiple hops, can constitute a sanctions violation under strict liability standards, meaning intent is not required for a violation finding. This is sometimes called "indirect sanctions exposure" or the "proximity risk" problem, and it is the direct reason why automated blockchain transaction screening has become a regulatory necessity rather than a best practice.
| OFAC Action | Date | Target | Amount Linked |
|-------------|------|--------|---------------|
| Lazarus Group SDN designation | September 2019 | Lazarus Group / RGB | Multiple wallets |
| Ronin Bridge wallet sanctions | April 2022 | 0x098b716... (ETH) | $625M |
| Tornado Cash sanctions | August 2022 | 45 smart contract addresses | $455M+ (DPRK portion) |
| OTC broker network | May 2023 | Three entities, UAE/China | $21M |
| Sinbad mixer sanctions | November 2023 | Sinbad.io | $100M+ (DPRK) |
| TraderTraitor cluster update | February 2025 | 52 new ETH/BTC addresses | Bybit proceeds |

## How Do Blockchain Analytics Tools Trace DPRK-Linked Funds?

Blockchain analytics is the technical countermeasure to Lazarus Group laundering operations, and platforms like Defy represent the operational implementation of this capability for compliance teams at exchanges, custodians, and payment providers. The core methodology involves cluster analysis (the grouping of addresses likely controlled by the same entity based on on-chain behavioral signals) combined with attribution databases that tag known Lazarus Group infrastructure, OTC cash-out wallets, and mixing service deposit addresses.

Defy's AML scanning engine evaluates incoming and outgoing transactions against a continuously updated database of DPRK-attributed wallet clusters, sanctioned addresses from the OFAC SDN list, and mixer/bridge contracts known to be used in North Korean laundering patterns. When a transaction touches funds traceable to Lazarus Group activity within a configurable hop distance, the system generates a real-time risk alert that allows compliance officers to freeze the transaction, file a Suspicious Activity Report (SAR), and notify relevant regulators before asset settlement. This is categorically different from manual blockchain investigation, which cannot operate at the transaction speed or address volume required for institutional-scale compliance.
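The hop-distance exposure check described above, worked through as an added illustration that is not Defy's code and does not describe its engine: a constructed transfer ledger stands in for chain data, a constructed one-address set stands in for the OFAC SDN list, the link across the mixer is an assumed attribution-database entry, and the score weights, hop window and tier thresholds are assumptions chosen for the example.

```python
"""Added example (not Defy's code): hop-distance exposure screening over a
transaction graph, with a composite score and tiered response. All addresses,
transfers, links and weights are constructed stand-ins."""
from collections import deque

# Constructed on-chain transfers: (sender, receiver, amount_eth).
TRANSFERS = [
    ("0xHACK", "0xMIXER_DEPOSIT", 10_000.0),      # hack wallet pays into a mixer
    ("0xMIXER_POOL", "0xFRESH1", 99.0),           # mixer pool pays a fresh wallet
    ("0xFRESH1", "0xEXCHANGE_DEPOSIT_A", 99.0),   # fresh wallet deposits at a VASP
    ("0xOTHER", "0xFRESH1", 1.0),                 # unrelated dust into that wallet
    ("0xCLEAN_CUSTOMER", "0xEXCHANGE_DEPOSIT_B", 5.0),
]

# The mixer deliberately severs the deposit->withdrawal link on chain, so the
# edge across it can only come from an attribution database (constructed here).
INFERRED_LINKS = [("0xMIXER_DEPOSIT", "0xFRESH1")]

# Constructed stand-in for the OFAC SDN / DPRK-attributed address set.
SANCTIONED = {"0xHACK"}


def build_graph(transfers, inferred_links):
    """Directed graph in the direction funds moved: on-chain plus inferred edges."""
    graph = {}
    for sender, receiver, _amount in transfers:
        graph.setdefault(sender, set()).add(receiver)
    for src, dst in inferred_links:
        graph.setdefault(src, set()).add(dst)
    return graph


def hop_distances(graph, sources):
    """BFS outward from every sanctioned address; {address: fewest hops}."""
    dist = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def risk_score(address, dist, transfers, max_hops=3):
    """Composite score in [0, 100] from two signals: proximity to sanctioned
    funds and a receiving wallet with little or no history. The 25-point-per-hop
    decay, the 20-point freshness bonus and the hop window are assumptions."""
    hops = dist.get(address)
    proximity = 0 if hops is None or hops > max_hops else 100 - 25 * hops
    inbound = sum(1 for _s, r, _a in transfers if r == address)
    freshness = 20 if inbound <= 1 else 0
    return min(100, proximity + freshness), hops


def screen(address, dist, transfers):
    """Tiered response: hold plus SAR workflow, enhanced due diligence, or clear."""
    score, hops = risk_score(address, dist, transfers)
    if score >= 75:
        action = "hold_and_sar"
    elif score >= 40:
        action = "enhanced_due_diligence"
    else:
        action = "clear"
    return {"address": address, "hops": hops, "score": score, "action": action}


if __name__ == "__main__":
    dist = hop_distances(build_graph(TRANSFERS, INFERRED_LINKS), SANCTIONED)
    for addr in ("0xMIXER_DEPOSIT", "0xEXCHANGE_DEPOSIT_A", "0xEXCHANGE_DEPOSIT_B"):
        print(screen(addr, dist, TRANSFERS))
```

The point of the inferred edge is that on chain the mixer severs the path: the deposit at 0xEXCHANGE_DEPOSIT_A is three hops from the hack wallet only because the attribution database supplied the link across the pool, and without that entry it would screen as clear. This is why a cluster and attribution database, not just the SDN address list, is what makes hop-distance screening meaningful against mixer-based laundering.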
The specific signals that distinguish DPRK-linked fund movements from ordinary transaction flow include: unusually large single-transaction ETH or ERC-20 withdrawals from bridge contracts to newly created wallets with no prior history; rapid sequential swaps through DEX aggregators consistent with cross-chain laundering patterns; deposits into Tornado Cash-type privacy pools within hours of a known hack event; and transaction timing and gas price patterns that match previously documented Lazarus operational windows. Defy's risk scoring engine weights these signals to produce a composite risk score per transaction and per counterparty, enabling tiered responses: enhanced due diligence for medium-risk counterparties, automatic hold for high-risk transactions, and SAR filing workflows for OFAC-proximate exposures.

Fund tracing across chains, the answer to the chain-hopping problem, requires cross-chain graph analytics that can follow an asset's provenance from its origin chain through bridge transactions to its current form on a destination chain. Defy's investigation module provides this capability, allowing analysts to reconstruct the complete provenance path of suspicious funds even after multiple bridge hops and token swaps. This was directly relevant in the Bybit hack response: within 72 hours of the theft, blockchain analytics firms had traced the movement of funds across Ethereum, Bitcoin, and multiple Layer 2 networks, providing the evidentiary basis for exchange freezes that recovered a portion of the stolen assets.

## What Role Does Travel Rule Compliance Play in Stopping DPRK Fund Flows?

The Financial Action Task Force (FATF) Travel Rule (Recommendation 16) requires VASPs to collect and transmit originator and beneficiary identity information with cryptocurrency transfers above threshold amounts (typically $1,000 or $3,000 depending on jurisdiction).
For DPRK fund laundering interdiction, Travel Rule compliance serves as a critical identity-layer checkpoint that blockchain analytics alone cannot fully address: while blockchain analytics can flag suspicious wallet addresses, Travel Rule compliance determines whether the controlling entity behind those wallets can be identified and verified.

Lazarus Group's laundering operations systematically exploit Travel Rule compliance gaps. When stolen funds move through jurisdictions or VASPs that do not implement the Travel Rule (particularly in Southeast Asia, the UAE, and through unhosted wallet infrastructure), the identity thread is broken. A VASP that receives Travel Rule information falsely claiming a transaction originates from a legitimate institutional counterparty, when it actually originates from a North Korean-controlled wallet, has been deceived into approving a prohibited transaction. This is why effective Travel Rule compliance requires both the transmission of identity data and the verification of that data against risk signals, including the blockchain analytics data that can flag the sending wallet as DPRK-proximate before the Travel Rule message is accepted.

Defy's Travel Rule module integrates with major Travel Rule protocol providers (TRP, TRISA, OpenVASP) and cross-references incoming Travel Rule messages against the same OFAC and DPRK risk signals used in transaction screening. This means that a transfer accompanied by a Travel Rule message from a registered VASP but sourced from a wallet with DPRK exposure will still be flagged, preventing the regulatory cover of formal Travel Rule compliance from being exploited to move sanctioned funds. The FATF October 2021 updated guidance on virtual assets explicitly identified this layered approach, combining Travel Rule verification with blockchain analytics, as the expected standard for high-risk counterparty management in the VASP sector.
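The layered check just described, as an added example that is not Defy's code and is not a real TRP, TRISA or OpenVASP message format: an inbound Travel Rule message is validated for completeness and counterparty registration, but the originator wallet is first cross-referenced against exposure data, so a complete message from a registered VASP is still refused when the wallet sits near a sanctioned address. The field names, the $1,000 threshold, the counterparty registry and the exposure map are assumptions; the exposure map stands in for the output of the hop-distance screening the previous section describes.

```python
"""Added example (not Defy's code, not a real Travel Rule protocol payload):
validate an inbound Travel Rule message and cross-reference the originator
wallet against exposure data before the transfer is accepted."""

# Constructed registry of counterparty VASPs the receiving VASP has onboarded.
REGISTERED_VASPS = {"VASP-EXAMPLE-1", "VASP-EXAMPLE-2"}

# Constructed output of blockchain screening: originator wallet -> fewest hops
# from a sanctioned address (absent or None means no known path).
EXPOSURE = {"0xFRESH1": 2, "0xCLEAN_CUSTOMER": None}

THRESHOLD_USD = 1000.0  # assumed; Recommendation 16 thresholds vary by jurisdiction
REQUIRED_FIELDS = ("originator_name", "originator_vasp", "originator_wallet",
                   "beneficiary_name", "beneficiary_wallet", "amount_usd")


def validate_travel_rule_message(msg, exposure=EXPOSURE, registry=REGISTERED_VASPS,
                                 max_hops=3):
    """Return (decision, reasons); decision is accept, manual_review or reject."""
    reasons = []
    # 1. Risk signals come first: a wallet with sanctioned exposure is refused no
    #    matter how complete or well-sourced the accompanying identity data is.
    hops = exposure.get(msg.get("originator_wallet"))
    if hops is not None and hops <= max_hops:
        reasons.append(f"originator wallet is {hops} hop(s) from a sanctioned address")
        return "reject", reasons
    # 2. Below the threshold the identity payload is not mandatory.
    if float(msg.get("amount_usd") or 0) < THRESHOLD_USD:
        reasons.append("below Travel Rule threshold")
        return "accept", reasons
    # 3. At or above it, identity data must be complete and from a known VASP;
    #    anything short of that goes to a human rather than being auto-credited.
    missing = [f for f in REQUIRED_FIELDS if not msg.get(f)]
    if missing:
        reasons.append("missing fields: " + ", ".join(missing))
    if msg.get("originator_vasp") not in registry:
        reasons.append("originator VASP not in counterparty registry")
    if reasons:
        return "manual_review", reasons
    return "accept", reasons


# Constructed messages.
MSG_CLEAN = {"originator_name": "Example Fund LP", "originator_vasp": "VASP-EXAMPLE-1",
             "originator_wallet": "0xCLEAN_CUSTOMER", "beneficiary_name": "Alice Example",
             "beneficiary_wallet": "0xEXCHANGE_DEPOSIT_B", "amount_usd": "2500.00"}
# Complete and from a registered VASP, yet the wallet is two hops from a hack address.
MSG_COVER = dict(MSG_CLEAN, originator_wallet="0xFRESH1",
                 beneficiary_wallet="0xEXCHANGE_DEPOSIT_A")
# Above threshold but the originator name is absent.
MSG_INCOMPLETE = dict(MSG_CLEAN, originator_name="", amount_usd="5000.00")
# Below threshold, so the missing name does not block it (exposure is still checked).
MSG_SMALL = dict(MSG_CLEAN, originator_name="", amount_usd="200.00")


if __name__ == "__main__":
    for name, msg in (("clean", MSG_CLEAN), ("cover", MSG_COVER),
                      ("incomplete", MSG_INCOMPLETE), ("small", MSG_SMALL)):
        print(name, validate_travel_rule_message(msg))
```

The ordering is the design choice worth keeping: exposure is evaluated before any document check, so a well-formed message cannot act as regulatory cover, and the below-threshold branch still passes through the exposure check rather than bypassing screening entirely.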
## What Should Crypto Businesses Do to Manage DPRK Exposure Risk?

For exchanges, custodians, DeFi protocols, and payment providers, the DPRK threat translates into a specific set of compliance obligations and risk management practices that go beyond standard AML frameworks.

The first requirement is real-time transaction screening against an OFAC SDN-linked address database that is updated within hours of new designations, not daily or weekly. The Bybit hack demonstrated that sanctioned wallet addresses are published by OFAC within days of a major event, and VASPs that cannot ingest and apply those updates rapidly face both regulatory exposure and reputational risk from processing hack proceeds.

The second requirement is counterparty due diligence that incorporates blockchain provenance analysis for high-value deposits. A single large deposit from a newly created wallet with no transaction history and a provenance path traceable to a recent high-profile hack should trigger enhanced review before the funds are credited, regardless of any accompanying documentation.

Third, multi-signature governance infrastructure, particularly for institutional custodians and bridge operators, must be reviewed against the attack patterns demonstrated in Bybit and Ronin: hardware wallet protections are insufficient if the signing interface itself is compromised, and blind-signing of contract interactions should be operationally prohibited.

Defy provides the technical infrastructure for all three of these requirements in an integrated platform: real-time transaction scanning with OFAC and DPRK-specific risk models, blockchain provenance investigation tools for deep counterparty due diligence, and Travel Rule compliance workflows with integrated risk screening.
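The third requirement, a governance control against blind signing, as an added example that is not Defy's, Safe's or Bybit's code: before a signer approves a multisig transaction, the payload is decoded over a channel independent of the web interface that requested the signature (assumed here to arrive already decoded as a dictionary) and compared against the operator's recorded intent. The operation values 0 and 1 are the call and delegatecall codes Safe's execTransaction uses; the field names, the destination allowlist and the constructed intent and payload records are assumptions.

```python
"""Added example (not Defy's, Safe's or Bybit's code): a pre-signing policy
check that refuses blind signing of multisig transactions by comparing the
independently decoded payload with the operator's stated intent."""

# Safe's execTransaction distinguishes a plain call (0) from a delegatecall (1).
CALL, DELEGATECALL = 0, 1

# Constructed allowlist of destinations a routine internal transfer may touch.
ALLOWED_DESTINATIONS = {"0xWARM_WALLET", "0xHOT_WALLET"}


def check_before_signing(intent, decoded_tx, allowlist=ALLOWED_DESTINATIONS):
    """Return (ok, findings). `intent` is what the operator believes they are
    approving (recorded in a ticket or on a second device); `decoded_tx` is the
    payload actually presented for signature, decoded independently of the UI."""
    findings = []
    # A delegatecall runs foreign code in the wallet's own storage context, which
    # is how a wallet's master contract can be swapped out. Never sign one blind.
    if decoded_tx["operation"] != CALL:
        findings.append("operation is delegatecall; blind signing prohibited")
    if decoded_tx["to"] != intent["to"]:
        findings.append(f"destination mismatch: intent {intent['to']}, payload {decoded_tx['to']}")
    if decoded_tx["to"] not in allowlist:
        findings.append(f"destination {decoded_tx['to']} not on allowlist")
    if decoded_tx["value_wei"] != intent["value_wei"]:
        findings.append("amount mismatch between intent and payload")
    # A plain transfer carries no calldata. Calldata on a 'routine transfer' means
    # the signer is being asked to approve a contract interaction they cannot read.
    if intent["kind"] == "transfer" and decoded_tx["data"] not in ("", "0x"):
        findings.append("calldata present on a transaction presented as a plain transfer")
    return not findings, findings


# Constructed intent: move 100 ETH from cold storage to the warm wallet.
INTENT = {"kind": "transfer", "to": "0xWARM_WALLET", "value_wei": 100 * 10**18}

# Constructed payload that matches the intent.
HONEST_TX = {"to": "0xWARM_WALLET", "value_wei": 100 * 10**18, "data": "0x",
             "operation": CALL}

# Constructed payload of the kind a compromised interface could present while the
# screen still renders the intent above; values are placeholders, not real calldata.
TAMPERED_TX = {"to": "0xUNKNOWN_CONTRACT", "value_wei": 0, "data": "0x<placeholder>",
               "operation": DELEGATECALL}


if __name__ == "__main__":
    for name, tx in (("honest", HONEST_TX), ("tampered", TAMPERED_TX)):
        ok, findings = check_before_signing(INTENT, tx)
        print(name, "SIGN" if ok else "REFUSE", findings)
```

The check is deliberately redundant: any single finding refuses the signature, so even a payload that only disagrees with the intent on the destination (say, a different allowlisted wallet) is stopped. What makes it effective against a compromised interface is the source of `decoded_tx`: it must come from somewhere the interface cannot rewrite, such as the hardware device's own decoding or a second node queried out of band, otherwise the comparison is only checking the UI against itself.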
For compliance teams operating in the current threat environment, where a single state-sponsored attack can generate $1.5 billion in illicit funds that will systematically probe every VASP's screening capability, the question is not whether to implement blockchain analytics-led AML compliance, but how quickly it can be operationalized.

---

*Sources: Chainalysis Crypto Crime Report 2024; UN Panel of Experts on DPRK Report S/2023/171; OFAC SDN Designations (Treasury.gov); FBI Public Service Announcement 2023-01-23; TRM Labs DPRK Threat Intelligence 2023–2025; ZachXBT on-chain analysis, February 2025; FATF Guidance on Virtual Assets and VASPs, October 2021; US DOJ Indictment United States v. Park Jin Hyok (2018); US DOJ Indictment United States v. Tian YinYin and Li Jiadong (2020).*
