The Lazarus Group is not a criminal collective. It is a North Korean government agency, state-funded, with budgets, annual targets, and performance bonuses. Numbers verified by Chainalysis, TRM Labs, Elliptic, the FBI, and 11 allied governments: over $7.3 billion stolen in eight years.
The Heist of the Century: Bybit, $1.5 Billion in 11 Days
February 21, 2025 is a date that cybersecurity professionals won't forget. At 14:13:35 UTC, Bybit, one of the world's largest cryptocurrency exchanges based in Dubai, loses control of approximately 500,000 Ether. In dollars: $1.5 billion. The largest theft in cryptocurrency history.
How did it happen? Not by attacking Bybit directly. The Lazarus Group had compromised, days earlier, the laptop of a developer at Safe{Wallet}, the company that provides the multi-signature infrastructure used by Bybit for cold wallet transfers.
On February 19, 2025, at 15:29:25 UTC, the JavaScript code of the Safe{Wallet} interface had been silently replaced with a modified version. When Bybit's security officers initiated a routine transaction two days later, their screens showed exactly what they expected to see. They were approving something entirely different.
On February 26, 2025, the FBI officially attributed the attack to TraderTraitor, a Lazarus Group subunit also known as Jade Sleet and Slow Pisces โ the same unit responsible for the $308 million theft from Japanese exchange DMM Bitcoin in May 2024, forcing the exchange to shut down permanently.
The Bybit funds? Fully laundered in 11 days. CEO Ben Zhou publicly admitted to losing track of approximately $300 million during the tracking operation. It was already too late.
The Theft Machine: Who Lazarus Really Is
"The Lazarus Group and North Korea are the same thing. It's not a state-sponsored group in the traditional sense. It is the state." โ TRM Labs, February 2025
The Lazarus Group operates under the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence service. It is organized into specialized subunits:
| Subunit | Aliases | Specialization |
|---|---|---|
| TraderTraitor | Jade Sleet, Slow Pisces | Centralized exchanges, software supply chains |
| UNC4736 | Citrine Sleet, Golden Chollima | Long-term social engineering, DeFi |
| Kimsuky | โ | Espionage and intelligence |
| Andariel | โ | Ransomware, wiper malware, sabotage |
The Numbers That Don't Add Up
| Year | Amount Stolen | Major Hacks |
|---|---|---|
| 2022 | $1.35B | Ronin Bridge ($620M), Harmony ($100M) |
| 2023 | $600M | Atomic Wallet ($100M), Stake.com ($41M) |
| 2024 | $1.34B (then-record) | WazirX ($235M), DMM Bitcoin ($305M) |
| 2025 | $2.02B (+51%) | Bybit ($1.5B), LND.fi, WOO X, Seedify |
| JanโApr 2026 | $577M | Drift Protocol ($285M), Kelp DAO ($292M) |
| TOTAL 2017โ2026 | $7.3B+ | Source: Chainalysis, TRM Labs, Elliptic |
The Multilateral Sanctions Monitoring Team (MSMT) report โ eleven countries, published October 2025 โ certified that North Korean thefts between January 2024 and September 2025 amount to $2.84 billion: nearly a third of the country's total foreign currency earnings in 2024. In a country whose main exports are coal and labor, stealing crypto has become a primary budget line.
Social Engineering: Six Months to Steal $285 Million
If Bybit demonstrated Lazarus's technical capability, the attack on Drift Protocol โ a decentralized exchange on Solana โ demonstrated its strategic patience.
In fall 2025, individuals appeared at international crypto conferences as representatives of a "quantitative trading company." They were not North Koreans: they were third-party intermediaries, recruited and trained by the regime. They were technically competent, had verifiable professional backgrounds, and spoke the industry's language fluently.
Between December 2025 and January 2026, the group began depositing over $1 million as collateral on Drift Protocol, interacting with project contributors on Telegram and building trust over months.
On April 1, 2026, the attack launched. Code repositories shared during the "collaboration" contained VS Code configuration files with malicious tasks. Wallet apps distributed via Apple TestFlight beta hid malware. Simultaneously with the attack, all Telegram chats were deleted.
$285 million vanished in one day, after six months of preparation. Blockchain analysts at Elliptic and TRM Labs traced fund flows to the same operators behind the Radiant Capital hack in October 2024 ($53 million).
Eighteen days later, on April 18, 2026, Kelp DAO was attacked for another $292 million in 46 minutes, via a LayerZero cross-chain bridge exploit. Collateral damage: $6.6 billion in Aave TVL evaporated within hours from systemic contagion.
The "Workers" Who Don't Exist
Parallel to the technical hacks, North Korea runs a complementary program even more insidious: thousands of North Korean citizens โ or proxies recruited from third countries โ who obtain remote work at American and European technology companies using false identities. The salaries, up to $300,000 annually per worker, are transferred almost entirely to the regime.
The US Department of Justice quantified the IT workers program alone at nearly $800 million annually for Pyongyang's coffers (OFAC, March 2026). On June 30, 2025, the DOJ coordinated simultaneous raids in 16 US states: 29 financial accounts frozen, 21 fraudulent websites taken down, approximately 200 computers seized. Over 100 American companies had been infiltrated.
How the Money Disappears: A 9-Step Process
- Stolen funds immediately converted to Ethereum on decentralized exchanges
- Mixers (Tornado Cash or post-OFAC alternatives) obscure transaction trails
- ETH converted to Bitcoin via cross-chain bridges
- Second round of mixing
- Bitcoin stored in cold wallets
- Conversion to Tron (TRX)
- TRX converted to USDT stablecoin
- USDT sent to over-the-counter brokers
- Final conversion to cash
OTC brokers identified operate primarily in China, Russia, and Cambodia. The Cambodian organization Huione Group โ whose shareholder is the cousin of Prime Minister Hun Manet โ processed at least $4 billion in illicit proceeds between 2021 and 2025, of which $37 million directly linked to Lazarus. FinCEN declared it a "Primary Money Laundering Concern" in 2025.
Why No One Can Stop It
In 2024, Russia vetoed the renewal of the UN Security Council Panel of Experts mandate monitoring North Korean activities. The MSMT is an informal substitute from 11 countries โ without coercive powers. International oversight has weakened exactly as thefts have increased.
The Missiles Paid for with Someone Else's Bitcoin
The October 2025 MSMT report is explicit: stolen funds are used to finance "research and development of nuclear arms" and "military purchases to evade international sanctions tied to its nuclear program."
CrowdStrike wrote in its January 2026 analysis that North Korea "requires additional revenue to fund ambitious military plans that include constructing new destroyers, building nuclear-powered submarines, and launching additional reconnaissance satellites."
An ICBM like the Hwasong-17 costs between $30 and $50 million per launch. Kim Jong Un launched over a hundred of them between 2022 and 2025. Those who lost funds in a crypto hack didn't know they were financing this. But that's what happened.
Conclusion: Kim's Central Bank
Economics textbooks teach that a state without access to international capital markets cannot fund itself. North Korea has found a practical exception to this rule. Where central banks issue debt to raise capital, the Reconnaissance General Bureau issues hackers.
The crypto system that proposed itself as a democratic alternative to traditional finance has become, in part, the financing mechanism of an authoritarian regime with nuclear warheads.
How did it reach $7 billion? Every time an exchange, a DeFi protocol, or a tech company ignores a security warning.
Primary Sources
- FBI PSA250226 โ Bybit hack attribution (ic3.gov, February 26, 2025)
- Chainalysis โ 2026 Crypto Crime Report
- MSMT Report โ North Korea cyber theft (msmt.info, October 2025)
- DOJ Press Release โ IT Workers nationwide action (June 30, 2025)
- TRM Labs โ The Bybit Hack: Following North Korea's Largest Exploit
- Elliptic โ North Korea Linked Hackers Stolen Over $2 Billion in 2025
- FinCEN โ Huione Group Primary Money Laundering Concern (2025)
- OFAC โ Lazarus Group / Amnokgang Technology SDN (March 2026)
- CrowdStrike โ 2026 Global Threat Report (January 2026)
- AP News โ North Korea hacking nuclear funding report (October 2025)