Lazarus Group Cryptocurrency Theft Tactics and Bitcoin Heists: How North Korea Steals Billions Online

Dec 2, 2025

On February 21, 2025, a single signed transaction drained roughly $1.5 billion in cryptocurrency from Bybit - the largest crypto heist on record. It wasn’t a glitch. It wasn’t a brute-force attack. It was a surgical strike by the Lazarus Group, North Korea’s state-run cyber unit, turning cryptocurrency exchanges into ATMs for a sanctioned regime. This isn’t just about hackers. This is about a nation using digital theft to fund nuclear weapons.

How Lazarus Group Turns Cold Wallets Into Cash

Most people think cold wallets are unbreakable. They’re offline, and moving funds out of them requires several signers to approve each transaction. Lazarus Group doesn’t break them. They trick the people who sign.

In the Bybit heist, attackers didn’t crack encryption or brute-force passwords. They compromised a developer machine at Safe{Wallet}, the multi-signature interface Bybit used, and planted malicious JavaScript in the web frontend that Bybit’s signers loaded. When CEO Ben Zhou and the other signers approved what looked like a routine transfer from the cold wallet to a warm wallet, the screen showed the legitimate transfer while the payload sent to their signing devices was something else: a delegatecall that rewrote the wallet contract’s own logic. With the wallet’s logic under their control, the attackers drained about 401,000 Ether - worth roughly $1.46 billion - to addresses they controlled.

This is the core tactic: frontend manipulation. They don’t need to touch the blockchain or the cryptography. They manipulate the user interface, the screen you see when you log in, so that what you read and what you sign are two different things. If you think you’re approving a transfer to your own warm wallet, you may instead be approving whatever the attacker placed in front of your signing device.

Multi-signature systems, once considered bulletproof, failed because every signer relied on the same compromised interface and signed a payload their hardware devices could only display as an opaque hash. Multi-sig adds signers; it does not add independent verification unless each signer checks the transaction through a path the attacker does not control. Lazarus doesn’t attack code. They attack trust.
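The signer-side check that catches this, as an added example (not Bybit’s or Safe’s code): the authorised transfer is hashed on a machine that never loaded the web frontend, and the payload the frontend hands to the signing device is compared against that hash and against a simple policy before anyone signs. sha256 over canonical JSON stands in for Safe’s EIP-712 keccak hash (an assumption; the comparison logic is identical), the addresses and amounts are constructed placeholders, and the attacker calldata is modelled, not the real Bybit payload.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass

CALL, DELEGATECALL = 0, 1

# Constructed placeholder addresses, not real on-chain contracts.
WARM_WALLET = "0x" + "aa" * 20
ATTACKER_IMPL = "0x" + "ee" * 20


@dataclass(frozen=True)
class SafeTx:
    """The fields a signer must verify; a real Safe tx carries more (nonce, gas, ...)."""
    to: str
    value: int       # wei
    data: str        # hex calldata
    operation: int   # 0 = CALL (plain call), 1 = DELEGATECALL (runs foreign code as the wallet)


def tx_hash(tx: SafeTx) -> str:
    # Assumption: sha256 over canonical JSON instead of the EIP-712 keccak safeTxHash.
    canonical = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# The routine cold-to-warm transfer the signers believed they were approving (constructed amount).
INTENDED = SafeTx(to=WARM_WALLET, value=1_000 * 10**18, data="0x", operation=CALL)


def compromised_frontend(intended: SafeTx) -> tuple[SafeTx, SafeTx]:
    """Injected-JavaScript behaviour: the screen renders `intended`, but the payload
    passed to the hardware wallet delegatecalls into attacker code. The calldata
    begins with the ERC-20 transfer() selector so a glance at the bytes still
    'looks like a transfer' (modelled, not the incident's actual bytes)."""
    to_sign = SafeTx(to=ATTACKER_IMPL, value=0,
                     data="0xa9059cbb" + "00" * 64, operation=DELEGATECALL)
    return intended, to_sign


def review_before_signing(to_sign: SafeTx, independent_hash: str,
                          allowlist: set[str]) -> list[str]:
    """Run by the signer on a machine that never loaded the web frontend.
    `to_sign` is the payload as decoded from the signing device or the Safe
    transaction service; `independent_hash` is tx_hash() of the transfer named
    in the ticket that authorised it. An empty list means it is safe to sign."""
    findings = []
    if tx_hash(to_sign) != independent_hash:
        findings.append("hash mismatch: payload is not the authorised transaction")
    if to_sign.operation == DELEGATECALL:
        findings.append("delegatecall: payload would execute foreign code inside the wallet")
    if to_sign.to not in allowlist:
        findings.append(f"recipient {to_sign.to} is not an allowlisted destination")
    return findings


if __name__ == "__main__":
    shown, payload = compromised_frontend(INTENDED)
    print("screen shows:", shown)
    print("device signs:", payload)
    for finding in review_before_signing(payload, tx_hash(INTENDED), {WARM_WALLET}):
        print("BLOCK:", finding)
```

The hash comparison is the one check that works even if the reviewer cannot decode the payload: a hardware wallet that blind-signs still shows the hash it is about to sign, and that hash either matches the one computed independently or it does not. The delegatecall and allowlist rules are a second line for the case where someone skips the comparison.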

The Billion-Dollar Assembly Line

The Bybit heist wasn’t a one-off. Two years earlier, between June and September 2023 alone, Lazarus pulled off five major attacks:

  • $100 million from Atomic Wallet
  • $37.3 million from CoinsPaid
  • $60 million from Alphapo
  • $41 million from Stake.com
  • $54 million suspected from CoinEx
Each attack followed the same pattern: target personnel, infiltrate internal tools, exploit trust in transaction approvals, then move funds across chains. But here’s what makes them hard to follow: they mix the money.

Funds stolen from Stake.com were sent to addresses previously used to launder the Atomic Wallet proceeds. CoinEx proceeds flowed through addresses tied to the Stake.com laundering. This isn’t random. It’s deliberate commingling. By blending stolen assets from multiple heists, they make it very hard to say which theft any given coin came from. Blockchain analysts can still see the money moving - the shared addresses are exactly what let them link the five attacks to one actor - but proving that a specific output belongs to a specific victim, which is what a freeze or seizure needs, becomes much harder.
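A minimal version of the pro-rata taint tracking analysts use to follow commingled funds, as an added example and not the method of any named analytics firm: each address’s balance is tracked as a mix of labelled sources, and every outgoing transfer carries that mix forward in proportion. The ledger below is constructed, with placeholder addresses and round amounts, and shows why an address downstream of the consolidation point carries both heist labels at once.

```python
from collections import defaultdict


def propagate_taint(seeds: dict, transfers: list) -> dict:
    """Pro-rata ('haircut') taint: when `amt` leaves `src`, every label in src's
    balance contributes in proportion to its share. Value leaving an address
    with no tracked balance is labelled 'untainted'. `transfers` must be in
    chain order. Returns {address: {label: amount}} with float dust removed."""
    holdings = defaultdict(lambda: defaultdict(float))
    for addr, (label, amount) in seeds.items():
        holdings[addr][label] += amount
    for src, dst, amt in transfers:
        tracked = sum(holdings[src].values())
        moved = min(amt, tracked)
        if tracked > 0:
            for label in list(holdings[src]):
                share = holdings[src][label] * moved / tracked
                holdings[src][label] -= share
                holdings[dst][label] += share
        if amt > tracked:
            holdings[dst]["untainted"] += amt - tracked
    return {a: {l: v for l, v in bal.items() if v > 1e-12} for a, bal in holdings.items()}


def sources_of(holdings: dict, addr: str) -> dict:
    """Fraction of `addr`'s current balance attributable to each source label."""
    bal = holdings.get(addr, {})
    total = sum(bal.values())
    return {label: v / total for label, v in bal.items()} if total else {}


# Constructed ledger (placeholder addresses; amounts in ETH).
SEEDS = {
    "stake_out": ("Stake.com theft", 41.0),
    "atomic_out": ("Atomic Wallet theft", 100.0),
}
TRANSFERS = [
    ("stake_out", "consolidation", 41.0),
    ("atomic_out", "consolidation", 100.0),   # two heists land in one address
    ("consolidation", "hop_a", 70.0),
    ("consolidation", "hop_b", 71.0),
    ("user_wallet", "hop_a", 30.0),           # unrelated deposit into the same address
    ("hop_a", "dex_deposit", 100.0),          # everything forwarded to a DEX
]

if __name__ == "__main__":
    h = propagate_taint(SEEDS, TRANSFERS)
    for addr in ("hop_a", "hop_b", "dex_deposit"):
        print(addr, {k: round(v, 3) for k, v in sources_of(h, addr).items()})
```

After the consolidation step every downstream address shows both labels in a 41:100 ratio, which is enough to say "this is Lazarus money" but not "this coin is Stake.com’s"; the unrelated 30 ETH deposit shows the further problem that a freeze on `dex_deposit` would also hit funds no victim can claim.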

They don’t cash out immediately. They hold Bitcoin and Ethereum for months, waiting for attention to die down. Then they use decentralized exchanges to convert into stablecoins like Dai - chosen not because it is harder to trace (every Ethereum transfer is public) but because, unlike USDT or USDC, it has no central issuer that can freeze addresses - and slowly launder the proceeds through mixers and cross-chain bridges.

The Tools: From LinkedIn to Malware

Lazarus relies less and less on the mass phishing email, which trained staff now spot. The first contact is usually a person, not a link: social engineering built up over weeks, at scale.

Their TraderTraitor cluster targets developers and security teams on LinkedIn. They pose as recruiters offering high-paying remote jobs. They build trust over weeks. Then they send a “sample coding task” or a trojanized trading app that looks legitimate. Once installed, it quietly downloads a remote access trojan the FBI and CISA call MANUSCRYPT. A RAT doesn’t just steal passwords: the operator can harvest wallet files, browser-extension storage and clipboard contents, and malware of this class routinely rewrites the clipboard so that a copied Bitcoin address is silently replaced by the attacker’s before it is pasted.
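Detecting the clipboard swap described above, as an added example that is not from any vendor’s product: a monitor records clipboard snapshots and flags one address being replaced by a different address within a couple of seconds, something a human does not do. It also checks Base58Check on Bitcoin legacy addresses, which shows why "double-check the address" needs more than a checksum: a typo fails the checksum, but a swapped-in attacker address is perfectly valid. The clipboard timeline is constructed; the first address is the Bitcoin genesis address, the second is just another well-formed address standing in for an attacker-controlled one.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Shape only (not validity) for the address families a stealer rewrites.
ADDRESS_SHAPE = re.compile(
    r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"      # Bitcoin legacy / P2SH, base58
    r"|^bc1[02-9ac-hj-np-z]{11,71}$"           # Bitcoin bech32
    r"|^0x[0-9a-fA-F]{40}$"                    # Ethereum (checksum not verified here)
)


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)   # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_zeros + body


def btc_legacy_checksum_ok(addr: str) -> bool:
    """Base58Check: the last 4 bytes must equal the first 4 of SHA256(SHA256(payload))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def detect_clipboard_swaps(events, window_s: float = 3.0):
    """events: (seconds, clipboard_text) snapshots in time order.
    A swap is one address replaced by a *different* address within `window_s`
    with nothing else copied in between."""
    alerts = []
    prev_t = prev = None
    for t, text in events:
        if (prev is not None and text != prev
                and ADDRESS_SHAPE.match(prev) and ADDRESS_SHAPE.match(text)
                and t - prev_t <= window_s):
            alerts.append({"at": t, "copied": prev, "replaced_with": text})
        prev_t, prev = t, text
    return alerts


# Constructed clipboard timeline.
EVENTS = [
    (0.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # user copies the payee address (genesis address)
    (0.4, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # stealer rewrites the clipboard 400 ms later
    (45.0, "meeting notes"),                        # ordinary copy, not an address
    (60.0, "0x" + "ab" * 20),                       # a single copy, no swap
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(EVENTS):
        print("clipboard swap:", alert)
    print("genesis address checksum ok:", btc_legacy_checksum_ok(EVENTS[0][1]))
    print("one-character typo passes checksum:",
          btc_legacy_checksum_ok("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"))
```

Reading the clipboard itself is platform-specific (pbpaste, xclip, the Win32 clipboard API) and is left out so the logic runs anywhere; feed real snapshots into `detect_clipboard_swaps` at a sub-second poll interval and the swap shows up as an address changing under the user’s hands.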

They also use trojanized apps - software that appears to be a legitimate trading tool or wallet but carries a hidden backdoor. AppleJeus, in use since 2018 and the subject of a joint CISA, FBI and Treasury advisory in 2021, was distributed as fake cryptocurrency trading software. Once inside, it gave the operators a foothold from which to harvest credentials and API keys and go after the exchange’s wallets.

In March 2022, they stole about $620 million from Ronin Network (the Axie Infinity sidechain) after a senior engineer opened a fake job-offer PDF. The malicious document gave them a foothold inside Sky Mavis’s systems, from which they obtained signing keys for five of the Ronin bridge’s nine validators - enough to forge two withdrawals. One person. One file. Six hundred million gone.

[Illustration: A LinkedIn profile casting a shadow that turns into a trojan horse, leaking private crypto keys.]

Why This Keeps Working

Most exchanges focus on securing their infrastructure - firewalls, encryption, intrusion detection. Lazarus routes around those. They care about the person clicking the button, and about the third-party tools that person trusts.

Multi-signature systems assume each signer independently verifies what they sign. When every signer reads the same compromised screen, that independence is gone, and human error becomes the weapon.

They also exploit routine. Most exchanges move funds between cold and hot wallets on a schedule, and a malicious payload dressed up as one of those scheduled transfers draws far less scrutiny than an unexpected request; the code injected into the Safe{Wallet} frontend was written to activate only for Bybit’s multisig address. A single approval, given at the wrong moment by someone who has approved the same transfer a hundred times, can cost billions.

And there’s little consequence. North Korea doesn’t extradite its hackers. The U.S. Treasury has sanctioned the Lazarus Group and the Justice Department has indicted named members, but they sit in Pyongyang. Arrest is out of reach, so the group operates with near-total impunity.

What’s Being Done - And Why It’s Not Enough

After the Bybit heist, the exchange recovered on the order of $40 million by working with blockchain analytics firms and other exchanges, freezing some wallets and tracing partial movements. But the great majority of the $1.46 billion is still gone.

Some exchanges now verify every large transaction over a second channel - a phone call or a separate app - before approving. Others are testing “transaction delay” systems that hold transfers for 24 hours before finalizing. Two caveats: the second channel must confirm what is actually being signed (the transaction hash the device shows), not merely that a transfer was expected, or it would have waved the Bybit transaction through; and a delay only helps if it is enforced on-chain, where a compromised interface cannot skip it, and someone actually reviews the queued transaction during the window.

But these are patches. The deeper problem: few exchanges have rethought what it means to approve a transaction.

What if the signing device had to render the full, decoded transaction - recipient, amount, calldata, operation type - and refused to blind-sign an opaque hash? What if approvals required two people in separate locations to arrive at the same transaction hash through independent tooling? What if every transaction had to be signed on a device that’s never connected to the internet?

These aren’t sci-fi ideas. They’re basic principles from military and banking systems: dual control, independent verification, air gaps. Bybit’s signers already used hardware wallets; the devices could only show a hash, and nobody compared that hash against anything. Exchanges prioritize speed and convenience over security. They want funds to move instantly. Lazarus counts on that.

[Illustration: A nuclear missile fueled by stolen cryptocurrency rising from a North Korean silhouette amid broken security systems.]

The Bigger Threat: Cryptocurrency as a Sanctions Evasion Tool

This isn’t just about theft. It’s about survival.

North Korea is under some of the strictest sanctions in history. Oil imports are capped. Coal exports are banned. Their banks are cut off from SWIFT. But cryptocurrency? It’s global, borderless and pseudonymous - and it can be stolen rather than earned.

Lazarus Group isn’t stealing to get rich. They’re stealing to keep the regime alive. The money funds missile programs, chemical weapons, and cyberwarfare units. Every Bitcoin they steal is a step closer to a nuclear-tipped ICBM.

The U.S. Treasury has sanctioned the mixers Lazarus used - Blender.io, Tornado Cash and Sinbad - and publishes the group’s known addresses so exchanges can block them. But the group uses decentralized exchanges - no KYC, no operator to serve a freeze order on. They trade through peer-to-peer platforms, privacy coins, and cross-chain swaps. Tracing them is slow; freezing them is the hard part.

What You Can Do - If You’re Not an Exchange

If you’re a regular crypto user, you’re usually not the primary target. But you’re still at risk: the same malware that hunts an exchange’s developers also empties personal wallets.

  • Never install software from unknown sources - even if it looks like a trading tool.
  • Use hardware wallets. Keep your private keys offline.
  • Enable multi-factor authentication - but don’t rely on SMS. Use an authenticator app or hardware key.
  • Double-check every transaction address - compare the first and last several characters against the source, not just the beginning. A mistyped Bitcoin address usually fails its checksum; a swapped-in attacker address does not. A single differing character can mean your funds are gone.
  • Don’t trust LinkedIn job offers from “crypto firms.” Verify the company independently.
The biggest threat isn’t the code. It’s the belief that digital money is safe because it’s “decentralized.” It’s not. It’s only as secure as the people who use it and the interfaces between them and their keys.

The Future: A New Kind of War

Lazarus Group is the first state-sponsored cybercriminal army to operate at scale in the crypto world. And they’re winning.

They’ve proven that even the most advanced security systems can be bypassed with human manipulation. They’ve shown that sanctions mean nothing when money moves through blockchain. And they’ve made it clear: if you’re building a cryptocurrency platform, you’re not just competing with other exchanges. You’re fighting a nation-state.

The next big heist is already being planned. The only question is: who will be next?

Is the Lazarus Group still active in 2025?

Yes. The Lazarus Group is more active than ever. In February 2025 they took roughly $1.5 billion from Bybit, the largest crypto heist on record. Before that, between June and September 2023 alone, they carried out at least five confirmed cryptocurrency heists (Atomic Wallet, CoinsPaid, Alphapo, Stake.com and CoinEx) totaling over $290 million. Their operations have intensified as North Korea’s economic isolation deepens, and they show no signs of slowing down.

How do Lazarus Group hackers bypass multi-signature wallets?

They don’t break the multi-signature scheme or the cryptography. They compromise the interface - the app or website used to propose and review transactions - so that it displays the intended transfer while handing the signers a different payload. In the Bybit case that payload was a delegatecall that rewrote the wallet contract’s logic. When the signers sign off, they’re authorising the attacker’s transaction, not the one on the screen.

Can blockchain analysis track Lazarus Group funds?

Yes, but it’s slow. Lazarus mixes funds from multiple heists and hops across blockchains, making it hard to tie a given output to its origin. They use decentralized exchanges to convert stolen crypto into stablecoins like Dai, which no issuer can freeze, then move them through mixers and bridges. Firms like Elliptic have tracked the flows in detail, but full recovery is rare because by the time the money is traced it has already moved somewhere no one can freeze it.

Why hasn’t the U.S. or UN stopped Lazarus Group?

Lazarus operates from North Korea, a country that doesn’t cooperate with international law enforcement. The hackers are protected by the state, and extradition is impossible. Sanctions and indictments don’t work when the perpetrators are in a closed, hostile regime. Without physical access or cooperation from North Korea, legal action is symbolic at best.

Are cryptocurrency exchanges safer now after the Bybit hack?

Some have improved training and added secondary verification steps, but the core vulnerability remains: approvals that trust a software interface to show the truth. True security requires signing devices that display the decoded transaction rather than an opaque hash, independent verification of the transaction hash by each signer, on-chain timelocks, and dual control across separate locations - changes that slow operations down. Until exchanges prioritize security over speed, they remain targets.

What’s the connection between Lazarus Group and North Korea’s nuclear program?

Direct and critical. The Center for Strategic and International Studies confirms that Lazarus Group’s primary mission is to fund North Korea’s weapons programs. Every Bitcoin stolen replaces lost revenue from sanctions. The group’s operations are not for profit - they’re for survival. The money pays for missile components, uranium enrichment, and cyberwarfare units.

18 Comments

  • Rod Filoteo

    December 2, 2025 AT 19:50
    this is all fake. the whole crypto thing is a government psyop to get us to stop using cash. they want us to be tracked. blockchain? more like block-surveillance. they're not stealing from exchanges, they're stealing from YOUR trust. wake up sheeple.
  • Layla Hu

    December 4, 2025 AT 18:04
    I just feel so sad that people have to go through this. It’s not just about money - it’s about safety. I hope everyone reading this double-checks everything.
  • Nora Colombie

    December 4, 2025 AT 20:13
    North Korea is a joke. We should’ve bombed their server farms ten years ago. This isn’t hacking - it’s war. And we’re letting them win because we’re too busy watching TikTok. #AmericaFirst
  • Greer Dauphin

    December 5, 2025 AT 01:54
    holy crap this is wild. so they just trick people into approving transfers? like… we’re all just one typo away from being broke? 😅 i just checked my wallet twice before typing this. maybe i’m paranoid. or maybe i’m smart.
  • Bhoomika Agarwal

    December 6, 2025 AT 11:29
    usa thinks it’s the tech god but can’t even protect its own exchanges? lol. we in india have seen scams so bad you’d cry laughing. at least we don’t pretend our systems are bulletproof. #lazaruswinstheworld
  • Katherine Alva

    December 7, 2025 AT 20:08
    it’s terrifying how much power we give to screens… 🤔 we trust them with our lives, our money, our identity… and they’re just… code. and humans. and sometimes, just one tired person at 3am. 💔
  • Nelia Mcquiston

    December 8, 2025 AT 04:18
    The real failure here isn’t the malware or the phishing - it’s the assumption that trust can be automated. Human judgment isn’t a bug, it’s the feature. And we’ve outsourced it to convenience. We built a house of cards and called it innovation.
  • Mark Stoehr

    December 9, 2025 AT 12:52
    this is why crypto is dead, long live cash. no one needs to be this vulnerable. if your wallet needs a phone app to work you already lost
  • Shari Heglin

    December 10, 2025 AT 18:02
    The assertion that multi-signature systems 'fail' due to human error is misleading. Multi-signature systems are designed to require independent verification. The failure is not in the system, but in the implementation of user interfaces that deliberately obscure transaction parameters. This is a UI/UX failure, not a cryptographic one.
  • ashi chopra

    December 11, 2025 AT 23:51
    i read this and just sat there… my hands were shaking. my uncle lost everything in a crypto scam last year. he cried for three days. this isn’t just tech. this is someone’s life. please… be careful.
  • alex bolduin

    December 12, 2025 AT 05:49
    so if the attack is on the person not the code, why are we still talking about blockchain security like it’s the problem? the real fix is training not tech. people need to be taught like they’re in a bank not a game
  • Vidyut Arcot

    December 13, 2025 AT 12:02
    this is actually really well explained. i work in fintech and we’ve seen this pattern. the scary part? they’re getting better. we’re not. maybe we need to stop chasing speed and start chasing safety. just a thought
  • Andrew Brady

    December 13, 2025 AT 19:50
    this is all part of the deep state’s plan to control money. they let the koreans do this so we’ll beg for central bank digital currencies. once we have those, they can freeze your account anytime. this is a trap. don’t fall for it.
  • Sharmishtha Sohoni

    December 14, 2025 AT 04:32
    wait so they used a fake job offer to get into Ronin? that’s it? just a pdf?
  • Durgesh Mehta

    December 15, 2025 AT 12:34
    i think we need to stop blaming the users and start holding the platforms accountable. if your app can be tricked into changing addresses… maybe it’s not ready for real money
  • Sarah Roberge

    December 16, 2025 AT 22:35
    the truth is no one cares until it happens to them. then suddenly everyone’s an expert. meanwhile the rich are already using air-gapped vaults and human biometrics. we’re just here yelling about crypto while they buy islands
  • Jess Bothun-Berg

    December 17, 2025 AT 22:36
    this is just… a lot. too many words. too many numbers. too many ‘they’. who’s they? who cares? just tell me how to not get robbed.
  • Mani Kumar

    December 18, 2025 AT 00:19
    The notion that state-sponsored cyber operations are unique to North Korea is intellectually lazy. Similar tactics have been documented in Russian, Chinese, and Iranian operations. The difference lies only in scale and media attention, not methodology.
