On February 21, 2025, a routine transfer from the cold wallets of Bybit – one of the world’s largest cryptocurrency exchanges – triggered an alarm. Within minutes, an astonishing $1.5 billion in Ethereum had vanished from the exchange’s vaults. The attackers exploited a weakness in Bybit’s multi-signature wallet system, covertly inserting a delegatecall into the transaction approval process to reroute funds into their own addresses (How the Bybit hack happened: inside the $1.5 billion crypto heist). It was an audacious, highly sophisticated breach – now recorded as the largest cryptocurrency heist in history.
In the immediate aftermath, blockchain tracing firms sprang into action. TRM Labs tagged the culprit wallets and soon confirmed a North Korean nexus, noting overlaps with addresses from previous state-sponsored crypto heists. Within five days, the FBI publicly attributed the Bybit hack to Lazarus Group, the infamous North Korean hacking unit. This attribution aligned with a well-worn pattern: over the past decade, many of the biggest crypto exchange robberies – from Ronin Bridge (Axie Infinity) to KuCoin – have been pinned on Lazarus. U.S. authorities and private analysts alike are convinced that Pyongyang’s cyber operatives are behind an ongoing digital crime spree that has netted over $5–6 billion in crypto since 2017 (The largest theft in history - following the money trail from the Bybit Hack) (The Bybit Hack: Following North Korea’s Largest Exploit | TRM Insights). But as the Bybit case grabs headlines, a critical question resurfaces: Are these attributions rock-solid, or has “Lazarus” become a convenient scapegoat for the crypto world’s failures?
The Bybit exploit is only the latest in a long series of crypto exchange and DeFi hacks attributed to “Lazarus Group,” a shadowy hacking collective allegedly run by North Korea’s Reconnaissance General Bureau (RGB). Since the mid-2010s, this group (also tracked as APT38 for its financial crimes unit) has been linked to an escalating campaign of digital theft targeting global financial platforms. Consider some of the notable heists:
Bangladesh Bank, 2016: An $81 million theft via fraudulent SWIFT transfers from a Bangladesh central bank account – part of an attempted $1 billion caper – was “widely attributed” to Lazarus (New report details 'clear attribution' of Lazarus Group hacks to North Korean military). U.S. officials later stated that Pyongyang was likely behind this unprecedented bank hack (LAZARUS ARISEN | Group-IB Blog).
Youbit (Yapizon) Exchange, 2017: A South Korean crypto exchange suffered back-to-back hacks (17% of assets in April 2017, and another in December) forcing it into bankruptcy. South Korean intelligence pointed the finger at North Korean actors, presumed to be Lazarus, for these attacks – an early sign that Pyongyang’s hackers were pivoting to cryptocurrency.
Coincheck, 2018: In one of the largest exchange thefts ever, $530 million in NEM tokens were stolen from Japan’s Coincheck. While never officially solved, many experts suspected Lazarus given the scale and the target (Japan has been in Lazarus’s crosshairs before). The incident exposed poor security (tokens stored in a single hot wallet) yet discussions often focused more on whodunit than on Coincheck’s lapses.
Upbit, 2019: In November 2019, hackers drained 342,000 ETH (then ~$50 million) from South Korea’s Upbit exchange. It took five years, but in 2024 South Korea’s National Police conclusively blamed the Upbit hack on Lazarus and a sibling group called Andariel, citing traced crypto flows, North Korean IP addresses, and even the use of North Korean language in the attack infrastructure. Investigators revealed the thieves laundered the ETH through dozens of brokers – selling roughly 57% on shady exchanges allegedly run by North Koreans – before dispersing the rest through 51 overseas platforms. This marked the first official confirmation by Seoul that the Upbit heist was a DPRK operation (South Korea confirms North Korea behind $50M Upbit hack).
KuCoin, 2020: In September 2020, $275 million in crypto was stolen from Singapore-based KuCoin’s hot wallets. Blockchain forensics by Chainalysis later identified Lazarus Group as the culprit, noting the thieves’ telltale laundering method: slicing funds into uniform chunks and feeding them into mixers in a systematic, “assembly-line” fashion. The hackers had obtained KuCoin’s private keys – likely via social engineering or malware – and, after the theft, laundered the coins through mixers and DeFi swaps. Investigators observed that the KuCoin hackers re-used a laundering pattern Lazarus employed in past heists, strengthening the attribution. (Notably, KuCoin’s CEO managed to recover a large portion of funds, but Lazarus still walked away with tens of millions (Lazarus Group Pulled Off 2020’s Biggest Exchange Hack and Appears to be Exploring New Money Laundering Options - Chainalysis).)
Ronin Bridge (Axie Infinity), 2022: In March 2022, attackers exploited the Ronin sidechain bridge used by Axie Infinity, absconding with $625 million (173,600 ETH and millions in USDC). U.S. Treasury and the FBI swiftly identified the Ethereum address holding the loot as controlled by Lazarus, and sanctioned the wallet within weeks (N Korean Lazarus hackers tied to $625M theft). Blockchain analytics confirmed that the same address had been used in the hack, providing a direct link to the North Korean crew. This remains one of the largest DeFi hacks on record. Subsequent reporting uncovered that Lazarus operatives had social-engineered an Axie developer via LinkedIn, sending a poisoned job offer PDF that helped them penetrate the network – a textbook Lazarus tactic.
Horizon Bridge (Harmony), 2022: Another cross-chain bridge attack in June 2022 saw ~$100 million stolen. In January 2023, the FBI officially attributed the Horizon Bridge theft to Lazarus (APT38) (FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft — FBI). The Bureau even published a list of blockchain wallet addresses linked to the hack, underlining how diligently they were tracking Lazarus’s crypto haul. By then, analysts noted Lazarus had begun using privacy mixers (like Tornado Cash, Wasabi) and chain hopping to obscure their tracks – tactics observed again in the Bybit case.
Recent 2023 Targets: The crypto boom and bust of 2021–2022 gave Lazarus ample new targets. In 2023, the FBI pinned a $100 million hack of Atomic Wallet (a non-custodial wallet service) on North Korean actors. The crypto casino Stake.com lost ~$41 million to Lazarus-linked hackers in September 2023 (The Bybit Hack: Following North Korea’s Largest Exploit | TRM Insights). And multiple DeFi platform attacks were suspected to be the work of Lazarus or copycats, as the group showed growing prowess in exploiting smart contract vulnerabilities in addition to traditional phishing.
By early 2025, North Korea’s crypto hacking tally is staggering. Elliptic, a blockchain analytics firm, estimates over $6 billion in cryptocurrency has been stolen by North Korea-linked hackers since 2017. U.N. sanctions monitors reported that 2022 was a record-breaking year with at least $630 million (and possibly over $1 billion) in crypto assets stolen by DPRK groups (Exclusive: Record-breaking 2022 for North Korea crypto theft, UN report says | Reuters). These funds are believed to bankroll Pyongyang’s sanctioned nuclear and missile programs – perhaps covering as much as half of the regime’s missile development budget according to some claims (The Lazarus Hackers: Everything You Know Is a Lie - DEV Community). Small wonder that law enforcement and intelligence agencies worldwide sound the alarm: by their account, Lazarus Group has become the most prolific cryptocurrency bandit in history, and a uniquely dangerous fusion of state espionage and organized crime (The largest theft in history - following the money trail from the Bybit Hack).
Yet amid the headlines and government press releases, a troubling pattern emerges. With each new hack promptly blamed on this same elusive cabal, one might ask: Has “Lazarus” become a catch-all villain, a default culprit whenever crypto vanishes into the ether? Are these attributions always backed by solid evidence, or has Lazarus evolved into a convenient foil for deeper industry problems?
To evaluate the reliability of attribution, one must understand how investigators link these hacks to Lazarus in the first place. What evidence is used to pin a theft on a North Korean state-backed hacker, rather than, say, a rogue cybercriminal in Eastern Europe? The answer lies in a mix of technical forensics, behavioral analysis, and sometimes geopolitical context.
Malware and Infrastructure: A classic clue is the reuse of malicious code or tools previously tied to Lazarus. For instance, the malware that breached Sony Pictures in 2014 (Lazarus’s infamous retaliation for The Interview film) shared code with viruses later used to infiltrate banks (The Lazarus Hackers: Everything You Know Is a Lie - DEV Community). Cybersecurity firms like Novetta and Kaspersky noted unique snippets and encryption routines that appeared in multiple Lazarus-attributed operations, suggesting a common toolkit. However, savvy hackers can plant false flags by intentionally using someone else’s code. In fact, Lazarus itself has done this: after 2016, they started inserting Russian-language strings and using Russian-developed packers (like Enigma Protector) in their malware to confuse analysts. Such ploys did mislead some researchers into initially suspecting Russian actors (New report details 'clear attribution' of Lazarus Group hacks to North Korean military). This works in reverse as well – theoretically, a non-Korean attacker could sprinkle Korean code or mimic Lazarus tools to point the finger at Pyongyang. Recognizing this, serious investigators no longer rely on code similarity alone. As Group-IB cautioned in its landmark Lazarus Arisen report, malware reuse is common and “does not provide conclusive evidence of attribution” without other context (LAZARUS ARISEN | Group-IB Blog).
Thus, analysts dig deeper into infrastructure. Group-IB’s researchers painstakingly mapped Lazarus’s command-and-control (C2) servers across a three-tiered botnet architecture. By following the digital breadcrumbs (malware beacons, SSL certificates, VPN usage), they traced multiple attacks back to a pair of IP addresses in Pyongyang’s Potonggang district – home to North Korea’s military intelligence bureau. One of those IPs (175.45.178.222) fell in the same subnet range as addresses known to be used by Bureau 121 (the clandestine RGB unit overseeing cyber-ops). This kind of network telemetry – essentially catching the hackers connecting from home base – is about as strong as technical attribution gets. It led Group-IB to conclude with “clear attribution” that Lazarus is run directly by the North Korean state (New report details 'clear attribution' of Lazarus Group hacks to North Korean military) (LAZARUS ARISEN | Group-IB Blog). Similarly, South Korean investigators in the Upbit case cited North Korean IP login traces and language indicators as proof of DPRK involvement (South Korea confirms North Korea behind $50M Upbit hack).
Another Lazarus hallmark is their modus operandi in breaching targets. Over time, certain tactics, techniques, and procedures (TTPs) have recurred:
Spear Phishing and Social Engineering: Lazarus hackers are masters of the long con. They commonly pose as recruiters on LinkedIn or other social networks, targeting employees of crypto firms or banks with enticing job offers. The U.N. recently warned that North Korean operatives initiate contacts on LinkedIn, build trust, then shift to WhatsApp or email to deliver malware-laced documents (Exclusive: Record-breaking 2022 for North Korea crypto theft, UN report says | Reuters). In one 2022 campaign, Lazarus sent out bogus job offer documents (e.g. “Engineering Position at CryptoCompany.pdf”) that, when opened, executed spyware on the recipient’s computer (Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware). The Axie Infinity/Ronin hack followed this playbook to a tee: an engineer was duped by a fake job offer, giving Lazarus the foothold to compromise private keys. Phishing for exchange credentials or tricking staff into installing backdoors remains a go-to move for Lazarus, who often prefer stolen login credentials over laborious zero-day exploits (New report details 'clear attribution' of Lazarus Group hacks to North Korean military).
Trojanized Crypto Apps – Operation AppleJeus: Perhaps the most insidious Lazarus tactic is creating fake cryptocurrency applications and websites to infect victims. Since 2018, Lazarus (specifically its sub-group sometimes dubbed BlueNoroff/APT38) has run “Operation AppleJeus.” They build spoofed crypto trading platforms or wallets and circulate them to lure investors and exchange employees. The apps function normally but install a backdoor called AppleJeus. Through this, Lazarus can eventually steal the private keys and credentials needed to empty victims’ crypto accounts. They have masqueraded as everything from trading bots to ICO platforms – one recent fake site cloned a legitimate crypto trading firm (HaasOnline) and offered a trojanized app called “BloxHolder,” which delivered AppleJeus malware bundled with real trading software (Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware). This blend of social engineering and malware is deadly: it gets Lazarus inside networks undetected, from where they can pivot to the crown jewels – cold wallet keys, exchange backend servers, or treasury smart contracts.
Exploiting Trust and Process Weaknesses: The Bybit hack underscores Lazarus’s ability to target not just software vulnerabilities but operational vulnerabilities. Bybit’s security relied on a multi-sig cold wallet requiring several approvals for large transfers (an industry best practice). Yet the attackers found a weakness in how those transactions were generated or displayed. They penetrated the exchange’s internal systems (possibly via an insider or phishing) and manipulated the transaction data shown to the signers (How the Bybit hack happened: inside the $1.5 billion crypto heist). In doing so, they inserted a hidden call that changed the destination of the funds. The signers – seeing what looked like a routine transfer – unwittingly co-signed the theft. This was a supply chain attack on the transaction pipeline itself, showing Lazarus’s adaptability. Likewise, Lazarus has exploited software supply chains (for example, corrupting updates for legitimate apps) and API vulnerabilities in DeFi protocols when direct phishing isn’t enough. Their repertoire spans from old-school tactics (USB malware, DDoS as distraction) to cutting-edge DeFi hacks, whichever best suits the target at hand (LAZARUS ARISEN | Group-IB Blog) (How the Bybit hack happened: inside the $1.5 billion crypto heist).
Cash-Out and Laundering Patterns: One reason investigators swiftly cry “Lazarus” after a crypto theft is the thieves’ subsequent behavior on the blockchain. North Korea’s laundering operations have a distinct fingerprint. They often swap stolen tokens for ETH or BTC immediately – because unlike many altcoins, those cannot be frozen by any central issuer. Next, they fragment the funds into hundreds of new addresses (e.g. splitting Ether into chunks of just under 100 ETH each) and begin a marathon series of hops. In the KuCoin case, Chainalysis observed dozens of equal-sized Bitcoin payments fed into mixers one after another – a method Lazarus used repeatedly to launder funds while minimizing traceable patterns (Lazarus Group Pulled Off 2020’s Biggest Exchange Hack and Appears to be Exploring New Money Laundering Options - Chainalysis). After mixing, the coins emerge into wallets that then often funnel into Asia-based over-the-counter (OTC) brokers or low-regulation exchanges, where they can be converted to fiat. In the Upbit hack, for instance, police found more than half of the stolen Ether was cashed out via exchanges allegedly controlled by North Korean operators (South Korea confirms North Korea behind $50M Upbit hack). With DeFi’s rise, Lazarus also began using decentralized exchanges to swap assets across chains, and cross-chain bridges to move value into Bitcoin or other coins where they then employ mixers (Lazarus Group Pulled Off 2020’s Biggest Exchange Hack and Appears to be Exploring New Money Laundering Options - Chainalysis). In almost every recent case – Ronin, Horizon, Atomic Wallet, Stake – the stolen crypto quickly moves to mixing services or privacy wallets (Wasabi, Sinbad, Blender, Tornado Cash) known to be favorites of DPRK hackers (The largest theft in history - following the money trail from the Bybit Hack). This consistency in laundering technique is a smoking gun. 
In Bybit’s hack, within 48 hours over $160 million was laundered through such channels, “overwhelming analysts with rapid, high-frequency transactions across multiple platforms” in what one expert called a “flood-the-zone” approach. Such behavior strongly correlates with past North Korean operations and thus heavily informs attribution decisions.
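The cash-out fingerprint described above (one source fanning loot out into many fresh addresses in near-uniform chunks just under a round number, then equal-sized deposits marching into a mixer) can be turned into a simple on-chain detection heuristic. This is an added illustration, not code from Chainalysis, TRM or any firm named here; the ledger, the addresses and the thresholds (window, minimum burst size, 5% spread, 80% fresh recipients) are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds
    src: str
    dst: str
    amount: float  # ETH


# Round ceilings a launderer tends to stay just below (99.x ETH chunks under 100, etc.).
ROUND_CEILINGS = (1.0, 10.0, 100.0, 1_000.0, 10_000.0)


def round_ceiling(amount):
    """Smallest round ceiling at or above amount, or None if off the table."""
    return next((c for c in ROUND_CEILINGS if amount <= c), None)


def first_seen(transfers):
    """Timestamp at which each address first appears, as sender or receiver."""
    seen = {}
    for t in sorted(transfers, key=lambda x: x.ts):
        seen.setdefault(t.src, t.ts)
        seen.setdefault(t.dst, t.ts)
    return seen


def detect_fan_out(transfers, window_s=3600, min_count=8, max_cv=0.05, min_fresh=0.8):
    """Flag a source that, inside window_s, fans out at least min_count transfers
    whose amounts are near-uniform (coefficient of variation <= max_cv), all sit
    in the top 10% below one round ceiling, and mostly land on never-seen addresses."""
    seen = first_seen(transfers)
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)
    alerts = []
    for src, outs in by_src.items():
        outs.sort(key=lambda x: x.ts)
        i = 0
        while i < len(outs):
            j = i
            while j < len(outs) and outs[j].ts - outs[i].ts <= window_s:
                j += 1
            group = outs[i:j]
            if len(group) >= min_count:
                amts = [g.amount for g in group]
                ceiling = round_ceiling(max(amts))
                cv = pstdev(amts) / mean(amts)
                just_under = ceiling is not None and min(amts) >= 0.9 * ceiling
                fresh = sum(seen[g.dst] == g.ts for g in group) / len(group)
                if cv <= max_cv and just_under and fresh >= min_fresh:
                    alerts.append({"src": src, "count": len(group), "ceiling": ceiling,
                                   "mean_amount": round(mean(amts), 3), "fresh_ratio": fresh})
                    i = j  # skip past the flagged burst
                    continue
            i += 1
    return alerts


def detect_uniform_deposits(transfers, sink, min_count=5, tol=0.01):
    """Longest run of consecutive deposits into sink that share one amount
    (within tol); returned as a dict when it reaches min_count, else None."""
    deps = sorted((t for t in transfers if t.dst == sink), key=lambda x: x.ts)
    best, run = None, []
    for d in deps:
        if run and abs(d.amount - run[0].amount) > tol:
            run = []
        run.append(d)
        if len(run) >= min_count and (best is None or len(run) > best["count"]):
            best = {"sink": sink, "count": len(run), "amount": run[0].amount,
                    "start_ts": run[0].ts, "end_ts": d.ts}
    return best


# Constructed sample ledger (not real chain data). 0xMIXER stands in for a mixer.
T0 = 1_700_000_000
CHUNKS = [99.4, 99.7, 99.1, 99.8, 99.3, 99.6, 99.2, 99.9, 99.5, 99.4, 99.7, 99.3]
SAMPLE_TRANSFERS = (
    # earlier history: staff and users already active, so they are not "fresh" later
    [Transfer(T0 - 2_592_000, "0xEXCHANGE", f"0xSTAFF{k:02d}", 0.5) for k in range(8)]
    + [Transfer(T0 - 86_400, f"0xUSER{k:02d}", "0xEXCHANGE", 2.0) for k in range(10)]
    # legitimate payroll: uniform 95 ETH, but to well-known addresses
    + [Transfer(T0 + 60 * k, "0xPAYROLL", f"0xSTAFF{k:02d}", 95.0) for k in range(8)]
    # exchange withdrawals: many recipients, widely varying amounts
    + [Transfer(T0 + 30 * k, "0xEXCHANGE", f"0xUSER{k:02d}", a)
       for k, a in enumerate([1.2, 45.0, 0.3, 12.5, 7.7, 99.0, 3.3, 60.1, 0.05, 25.0])]
    # cash-out: loot fanned out to fresh addresses in chunks just under 100 ETH
    + [Transfer(T0 + 120 * k, "0xEXFIL", f"0xFRESH{k:02d}", a) for k, a in enumerate(CHUNKS)]
    # two hours later every fresh address feeds an identical 99 ETH deposit to the mixer
    + [Transfer(T0 + 7_200 + 60 * k, f"0xFRESH{k:02d}", "0xMIXER", 99.0) for k in range(12)]
    + [Transfer(T0 + 100, "0xUSER03", "0xMIXER", 3.5)]  # unrelated small deposit
)

if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_TRANSFERS):
        print("fan-out burst:", a)
    print("mixer run:", detect_uniform_deposits(SAMPLE_TRANSFERS, "0xMIXER"))
```

The payroll batch is deliberately uniform and just under 100 ETH too; only the fresh-recipient criterion separates it from the exfiltration burst, which is why a single indicator is never enough on its own.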
Taken together, these technical and behavioral clues form a Lazarus playbook against which new attacks are compared. In the Bybit case, virtually every element matched: a breach of a high-value exchange via creative vulnerability exploitation, immediate token-swapping and aggressive laundering, and funds ultimately moving to mixer clusters that only North Korea has been observed using at this scale. It is little surprise that multiple crypto-tracing companies independently pointed to Lazarus within days, and the FBI felt confident enough to formally accuse North Korea shortly thereafter (The Bybit Hack: Following North Korea’s Largest Exploit | TRM Insights) (The largest theft in history - following the money trail from the Bybit Hack).
While the technical evidence tying Lazarus to these hacks is compelling, it is not infallible. Attribution in cyberspace is famously tricky – akin to assembling a puzzle with many missing pieces. Forensic clues can be misinterpreted or manipulated. And once a narrative takes hold, there’s a risk of confirmation bias reinforcing it. In the case of Lazarus and crypto hacks, a few issues deserve scrutiny:
1. Copycats and Shared Tools: As noted, Lazarus doesn’t own a monopoly on crypto hacking techniques. Other criminal groups also use phishing, malware, and mixers. For example, the “Harvest Finance” DeFi hack of 2020 initially baffled analysts, until Chainalysis noticed that some of the stolen tokens ended up in deposit addresses previously used by Lazarus. This led to speculation Lazarus was behind Harvest Finance too, though it was never confirmed (Lazarus Group Pulled Off 2020’s Biggest Exchange Hack and Appears to be Exploring New Money Laundering Options - Chainalysis). It’s possible Lazarus did it – or just as possible that the real perpetrators knowingly sent a slice of their haul through a Lazarus-linked address to muddy the waters, or that an OTC broker pooled funds from multiple hackers. In other words, blockchain breadcrumbs can intermix, and not every appearance of a known Lazarus wallet means Lazarus itself is behind a given crime. The risk is that investigators “seeing what they expect to see” might jump to naming Lazarus prematurely whenever a familiar pattern emerges.
2. False Flags and Deception: We’ve seen how Lazarus tried to pose as Russian hackers in 2016 (New report details 'clear attribution' of Lazarus Group hacks to North Korean military). Conversely, could others pose as Lazarus? Theoretically yes – by emulating known Lazarus TTPs. For instance, a non-North Korean hacker could deliberately launder funds in the “classic Lazarus” style, use VPS infrastructure in Asia, or reuse malware snippets from public Lazarus samples. Sophisticated attackers might even compromise a server that Lazarus once used and route an operation through it to trigger an attribution to North Korea. It would require considerable effort (and knowledge of Lazarus’s methods), but it’s not impossible. This is why top cyber forensics teams use multiple independent indicators before attributing. In the Bangladesh Bank heist, some experts initially hesitated to blame North Korea because the scheme also involved Filipino casinos and Chinese middlemen – it looked at first like a generic transnational crime operation. Only when similar malware popped up at other banks and an IP address linked to Pyongyang surfaced did consensus gravitate to Lazarus (The Lazarus Hackers: Everything You Know Is a Lie - DEV Community) (LAZARUS ARISEN | Group-IB Blog). Attribution is a mosaic – one piece of evidence (a fragment of code, an IP, a wallet address) can be a red herring on its own. Patterns over multiple incidents, and preferably a smoking gun like a North Korean IP or state-owned server, are needed for high confidence. In many crypto hacks, such definitive proof can be elusive, coming only much later (if at all). The Upbit case took years of investigation and international cooperation to firmly attribute. That suggests early attributions might sometimes lean on educated guesswork plus the reputation Lazarus has built.
3. The Lazarus Umbrella: “Lazarus Group” itself is an umbrella term that lumps together several sub-teams of North Korean hackers. Different cybersecurity vendors use various names – Bluenoroff (for the bank-heist specialists), Andariel (often focused on South Korea), Kimsuky (espionage against think-tanks), etc., all sometimes placed under the Lazarus/Hidden Cobra label. This taxonomy can lead to attribution muddles. For instance, South Korea attributed the Upbit hack to Lazarus and Andariel (South Korea confirms North Korea behind $50M Upbit hack) – implying a collaboration, or perhaps simply that two units of RGB both took part. When the FBI says “Lazarus did X,” they often mean the North Korean state broadly (they even add “also known as APT38” in statements (FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft — FBI)). The distinction matters because these sub-groups may have different techniques or even different motivations. Some focus purely on theft, others also engage in sabotage or espionage. If a crypto hack’s style doesn’t perfectly match known Lazarus heists, it might still be a different DPRK crew. But public discourse tends to use “Lazarus” as a catch-all shorthand, which can gloss over uncertainty. It also means any mistake by one vendor in labeling an attack can cascade – if one analyst mis-identifies a criminal gang’s work as Lazarus, others may propagate the claim under the broad Lazarus narrative. In short, attribution can be over-simplified for the sake of a clear story.
Despite these caveats, it’s important to stress: the accumulated evidence for Lazarus Group’s role in many major crypto hacks is substantial and multi-sourced. No other country or group has been tied to as many high-value crypto thefts. U.S. prosecutors have even unmasked individual North Korean operators by name in indictments, describing their roles in specific bank and crypto attacks. (For example, Park Jin Hyok was indicted for the Sony hack and Bangladesh Bank heist, and in 2021 three other North Korean spies were charged in a sweeping $1.3 billion cyber theft conspiracy (Office of Public Affairs | Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe | United States Department of Justice).) These legal actions indicate a high degree of confidence based on classified intelligence beyond what is publicly released. And yet – none of those operatives have been arrested; they remain in North Korea. This leads to a final concern:
4. Lack of Direct Accountability: Because we are dealing with nation-state actors shielded by their government, attributions to Lazarus remain untested in court. They are allegations backed by forensic and intel evidence, but we rarely see hard proof beyond what private firms report or what agencies selectively disclose. It’s an article of faith that the U.S. wouldn’t sanction individuals or indict them if it wasn’t sure, and so far that faith hasn’t been dramatically contradicted. But skeptics note that without a defendant in the dock, the evidence is never fully aired. “No Lazarus hacker has ever been caught. All attributions rely on patterns in code and behavior – patterns that could be faked,” as one critical analysis pointed out (The Lazarus Hackers: Everything You Know Is a Lie - DEV Community). This isn’t to say the attributions are wrong, only that they are inherently one-sided. It’s a cat-and-mouse intelligence game where the cat cannot fully reveal its hand (to avoid tipping off the mouse), and the mouse will never confirm its identity (North Korea routinely denies all hacking allegations). The result is the public must trust the investigative process without seeing it fully validated. And trust, as always, should be paired with healthy skepticism.
The Lazarus Group occupies a unique place in the cybercrime ecosystem – a state-sponsored syndicate stealing hundreds of millions in open pursuit of illicit profit. There is little doubt that such a group exists and is actively operating; the sheer volume of heists, the trails of evidence, and the consistency with North Korea’s financial needs make it a credible reality. But the idea of Lazarus has perhaps grown larger than the evidence at times, morphing into something of a geopolitical bogeyman.
Some observers question whether “Lazarus” has become a go-to boogeyman invoked to explain any major crypto hack, possibly at the expense of deeper investigation. “Is the Lazarus group the villain, or a phantom – a convenient scapegoat for governments and corporations to mask incompetence or advance hidden agendas?” one commentator mused pointedly. It’s a provocative question. After all, blaming an external nation-state APT for a breach can be very “useful” for those involved:
For Exchange Operators: Labeling an incident as a state-sponsored attack by an elite group can deflect blame. If North Korea’s best thieves targeted your platform and succeeded, well, “even the strongest vault might fall”. It shifts the narrative from your security failures to the adversary’s prowess. There is a kernel of truth – Lazarus is indeed resourceful – but this framing can excuse poor practices. For instance, if an exchange was keeping keys in an insufficiently secure manner, that fact might get less scrutiny in the rush to vilify Lazarus. After the Coincheck hack, Japanese regulators pressed exchanges to improve cold storage and segregation of assets, but Coincheck’s management largely escaped with light penalties, publicly chalking up the loss to external hackers. Pointing to Lazarus can sometimes preclude a hard look at whether the victim had proper safeguards.
For Governments and Law Enforcement: Attributing crimes to North Korea can serve political and practical goals. It emphasizes the need for strong national cyber defenses and sanctions, thereby justifying budgets and aggressive policies. One theory even posits that Western intelligence hyped the Lazarus threat as a foil after the Snowden leaks damaged their image – by casting themselves as protectors against a rogue state cyber menace, they regain public support. That might be a stretch, but it’s undeniable that “North Korean hackers” make for a clear villain in narratives. There’s scant political downside in blaming Pyongyang – unlike attributing a hack to, say, a Chinese group, which could carry diplomatic ramifications, or to a domestic failure, which could embarrass officials. In some cases, loudly naming and shaming North Korea also helps rally international cooperation (as seen in the U.N. reports and sanctions). It’s easier to unite against a common, reviled enemy. However, this can lead to over-attribution – seeing North Korean hands in cyber incidents where they might not actually exist.
For Cybersecurity Vendors: The security industry, too, has something to gain. Fear drives demand for security products and services. High-profile threat groups like Lazarus are often featured in marketing materials for threat intelligence feeds, anti-APT firewalls, blockchain tracing tools, and so on. As one analyst cynically put it, “Companies have built empires selling ‘Lazarus protection’ – firewalls, threat detectors, and blockchain audits designed to keep the boogeyman at bay.” This isn’t to say those products are snake-oil, but there is an inherent incentive to perhaps amplify how scary and ubiquitous the threat appears. If every major breach is attributed to an unstoppable state hacker unit, companies are more likely to invest in expensive defensive measures. A degree of FUD (fear, uncertainty, doubt) can slip into the discourse, painting Lazarus as almost superhuman. In reality, Lazarus hackers have made mistakes, been foiled, or had near-misses (e.g. a typo “fandation” in a SWIFT transfer stopped them from stealing $900 million more from Bangladesh Bank). They are human and fallible, not all-powerful. But the “mythos” around them can sometimes obscure that, fed by dramatic media portrayals like the BBC’s The Lazarus Heist.
Given these factors, some critics argue that Lazarus has taken on a mythological aura. In a provocative piece on DEV Community, writer Scofield Idehen asks, “What if the group is a complete fabrication – a cyber-bogeyman conjured by governments and corporations to justify surveillance, control narratives, and manipulate public opinion?” He notes how no Lazarus member has been physically apprehended, and how in an age of deepfakes and disinformation, it’s conceivable to construct a false narrative that everyone believes. He even entertains the extreme conspiracy that perhaps Lazarus is “neither wholly real nor entirely fictional, but a shapeshifting myth” serving multiple agendas (The Lazarus Hackers: Everything You Know Is a Lie - DEV Community).
That is likely too extreme – discounting extensive forensic evidence and first-hand accounts of North Korean cyber operations. North Korean defector testimonies and intelligence reports consistently describe a government program training hundreds of elite hackers (Bureau 121) who are sent abroad to earn foreign currency by any means necessary. The Lazarus phenomenon fits into that known puzzle. However, the kernel of truth in the “bogeyman” critique is this: the legend of Lazarus sometimes overshadows systemic issues that enable these hacks in the first place. It’s easier to focus on an external enemy than to admit uncomfortable truths about the cryptocurrency industry’s vulnerabilities or one’s own security posture.
Ultimately, two things can be true at once. Lazarus Group (and its North Korean affiliates) can indeed be responsible for many of these crypto heists, and the specter of Lazarus can be wielded as a convenient shield against deeper accountability. Recognizing Lazarus’s role should not preclude us from asking tough questions about why these attacks succeed with such regularity.
For one, the cryptocurrency sector’s security standards have often fallen short. Many exchanges that lost funds to Lazarus had single points of failure – whether an unsecured hot wallet, an insufficiently vetted software update, or an overly trusting internal culture susceptible to social engineering. The fact that Lazarus keeps breaching major firms suggests that basic best practices (strict multi-sig controls, out-of-band transaction verification, employee phishing training, and so on) were not rigorously implemented or were flawed. Bybit’s case revealed a flaw in a critical procedure that should have been caught in security audits (How the Bybit hack happened: inside the $1.5 billion crypto heist). Similarly, the Ronin bridge hack was enabled by having a majority of validator keys accessible and a lapse in monitoring. When we pin it all on Lazarus’s cunning, there’s a risk of absolving the victims for mistakes that, if corrected, could prevent the next Lazarus-style attack.
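The out-of-band transaction verification mentioned here, applied to the Bybit failure mode described earlier (signers approving a payload whose displayed summary did not match what the bytes did), can be implemented as a signer-side policy check that re-decodes the raw multisig payload and refuses to sign a delegatecall or an unexpected destination regardless of what the UI rendered. This is an added illustration, not Bybit’s, Safe’s or any vendor’s code; the payload layout (to/value/data/operation with 1 meaning delegatecall), the addresses and the policy are assumptions.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
ERC20_TRANSFER = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")


@dataclass(frozen=True)
class SafeTx:
    to: str          # contract or recipient the wallet will call
    value: int       # wei attached to the call
    data: bytes      # calldata
    operation: int   # 0 = CALL, 1 = DELEGATECALL (assumed encoding)


@dataclass(frozen=True)
class Policy:
    allowed_recipients: frozenset   # lower-case addresses funds may go to
    token_contracts: frozenset      # lower-case ERC-20 contracts we expect to call
    allow_delegatecall: bool = False


def encode_erc20_transfer(recipient, amount):
    """ABI-encode transfer(address,uint256): selector, left-padded address, uint256."""
    addr = bytes.fromhex(recipient[2:])
    return bytes.fromhex(ERC20_TRANSFER) + addr.rjust(32, b"\0") + amount.to_bytes(32, "big")


def decode_erc20_transfer(data):
    """Return (recipient, amount) for a well-formed ERC-20 transfer call, else None."""
    if len(data) != 68 or data[:4].hex() != ERC20_TRANSFER:
        return None
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")


def check_before_signing(tx, policy, ui_summary):
    """Re-derive from the raw payload what the transaction does and compare it
    with what the signing UI showed; return the list of violations (empty = OK)."""
    violations = []
    if tx.operation == DELEGATECALL and not policy.allow_delegatecall:
        violations.append("operation is DELEGATECALL: target code would run with the wallet's storage and balance")
    elif tx.operation not in (CALL, DELEGATECALL):
        violations.append(f"unknown operation {tx.operation}")
    to = tx.to.lower()
    if not tx.data:
        # plain ETH transfer: the call target is the beneficiary
        dst, amt = to, tx.value
        if dst not in policy.allowed_recipients:
            violations.append(f"ETH destination {tx.to} is not allowlisted")
    else:
        if to not in policy.token_contracts:
            violations.append(f"call target {tx.to} is not a known token contract")
        decoded = decode_erc20_transfer(tx.data)
        if decoded is None:
            violations.append("calldata is not a plain ERC-20 transfer")
            dst, amt = None, None
        else:
            dst, amt = decoded
            if dst not in policy.allowed_recipients:
                violations.append(f"token recipient {dst} is not allowlisted")
    # the summary the signer saw must match what the bytes actually do
    if (ui_summary.get("to", "").lower(), ui_summary.get("amount")) != (dst, amt):
        violations.append("UI summary does not match the decoded payload")
    return violations


# Constructed addresses for the example (not real contracts or wallets).
HOT_WALLET = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
ATTACKER_CONTRACT = "0x" + "33" * 20
POLICY = Policy(allowed_recipients=frozenset({HOT_WALLET}), token_contracts=frozenset({TOKEN}))
UI_SUMMARY = {"to": HOT_WALLET, "amount": 1_000}  # what the signer's screen rendered

# Routine cold-to-hot token transfer: a CALL into the token contract.
BENIGN_TX = SafeTx(TOKEN, 0, encode_erc20_transfer(HOT_WALLET, 1_000), CALL)
# Tampered payload: same calldata (so a UI rendering only the calldata looks identical),
# but the target is a foreign contract executed via DELEGATECALL in the wallet's context.
TAMPERED_TX = SafeTx(ATTACKER_CONTRACT, 0, encode_erc20_transfer(HOT_WALLET, 1_000), DELEGATECALL)

if __name__ == "__main__":
    print("benign:", check_before_signing(BENIGN_TX, POLICY, UI_SUMMARY))
    print("tampered:", check_before_signing(TAMPERED_TX, POLICY, UI_SUMMARY))
```

Running the check on an independent device with its own copy of the policy is what makes it out-of-band: a compromised signing front end can forge a summary, but not the verdict of a decoder it never touches.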
There’s also the broader ecosystem problem: DeFi protocols and cross-chain bridges boomed in usage (with billions in value locked) while their security often remained immature. Lazarus astutely exploited this gap. The crypto community must address these systemic vulnerabilities – through better code audits, bug bounties, and on-chain safeguards that limit how much a single compromised key or contract can move – rather than simply lamenting that North Korean spies are crafty. As one analytics report noted, North Korea’s hackers have demonstrated a “consistent ability to adapt and exploit vulnerabilities in the cryptocurrency ecosystem” (The Bybit Hack: Following North Korea’s Largest Exploit | TRM Insights). That implies the ecosystem has plenty of exploitable cracks. Fixing those cracks is as important as hunting the culprits.
From a law enforcement perspective, attributing to Lazarus is just step one. The harder challenge is how to deter and disrupt them. Sanctions on mixing services and seizures of stolen funds (where possible) have been one approach: the U.S. Treasury sanctioned the Tornado Cash mixer after Lazarus used it heavily, and authorities reportedly recovered part of the Ronin proceeds by tracing the funds and pressuring intermediaries. However, North Korea continues to find ways around these measures, using ever more convoluted laundering chains and newer venues such as DeFi protocols. The cat-and-mouse game continues, and every successful attribution needs to be followed by concrete action (indictments, asset freezes, diplomatic pressure on countries harboring Lazarus operatives, and so on) to have any meaning.
For the private sector, a candid post-mortem after a hack is essential. Some exchanges have started to own up to shortcomings. Following the Bybit hack, Bybit’s CEO Ben Zhou publicly explained that the breach occurred during a routine wallet transfer and vowed to overhaul the exchange’s multisig processes. Bybit also offered a $140 million bounty to encourage global experts to track the stolen crypto (Bybit launches $140m bounty to track down crypto heist - Reddit). Such transparency and proactive measures are crucial: they acknowledge that Lazarus’s likely involvement does not change the fact that something in Bybit’s own system failed. Honest accountability and improvement will ultimately do more to protect users than banking on attribution to ward off criticism.
In the lore of cybercrime, the Lazarus Group has earned a place as a sort of digital super-villain – audacious, resourceful, and working at the behest of a rogue nation with little to lose. The attribution of many cryptocurrency exchange hacks to Lazarus is backed by considerable evidence: telltale malware, familiar phishing ruses, and money trails that all lead to Pyongyang’s door. The danger Lazarus poses is very real; few others have combined state support with criminal techniques so effectively, stealing coins at a scale that can shake markets and international security (How the Bybit hack happened: inside the $1.5 billion crypto heist). Dismissing the Lazarus attribution as pure myth would be folly given what we know.
However, as with any complex issue, the truth is not black-and-white. Lazarus can be a real threat and a scapegoat in some narratives. The consistency of blaming Lazarus invites us to scrutinize the attribution process itself – to ensure that it remains rigorous and evidence-based, not swayed by convenience or fear. It also nudges us to see the bigger picture: North Korea’s hackers thrive not just because of their skill, but because the systems they target often have cracks to exploit. Those cracks are in our power to fix.
In calling out Lazarus, we must avoid creating a “myth of invincibility” around them that stifles criticism of security lapses or that fuels fatalism (“if a nation-state wants to hack us, why bother trying to stop it?”). Instead, the Lazarus story should galvanize better defenses. It should also remind us that attribution is a starting point, not an end point – a clue toward justice, not an excuse to close a case. As investigators peel back the layers of each hack, they must remain open to all possibilities, even ones that challenge the prevailing Lazarus narrative.
Is Lazarus a pawn in global cyber games? In some ways yes – they are wielded by their government for profit, and wielded in turn in international discourse as the face of crypto-crime. Is Lazarus a scapegoat? At times, perhaps, when their name is used too liberally. But importantly, Lazarus is also a mirror. The frenzy around their exploits reflects our collective anxieties: about the precariousness of digital assets, the opacity of state-sponsored crime, and the thin line between cybersecurity and geopolitics. In that mirror we see a cautionary tale of vulnerability in the digital age, as well as our tendency to seek simple villains for complex failures.
In the end, understanding the truth about Lazarus Group – stripped of both hype and denial – can help the crypto industry and governments alike respond more intelligently. It means neither underestimating nor mythologizing the threat. It means investing in stronger security and oversight for crypto platforms, so that even an elite adversary finds no easy pickings. And it means maintaining a critical eye on attribution: demanding evidence, cross-checking facts, and recognizing the limits of our knowledge. Only then can we ensure that when Lazarus (or any other group) strikes again, we’ll be ready to catch them in the act – or better yet, stop them at the gate – rather than just assigning a familiar blame after the fact.
Sources: The investigation draws on multiple reports and expert analyses, including Group-IB’s “Lazarus Arisen” intelligence report (LAZARUS ARISEN | Group-IB Blog) (New report details 'clear attribution' of Lazarus Group hacks to North Korean military), the BBC’s Lazarus Heist coverage, U.N. findings on DPRK cyber operations (Exclusive: Record-breaking 2022 for North Korea crypto theft, UN report says | Reuters), and numerous cybersecurity research publications. Technical details and attribution evidence are sourced from blockchain analytics firms (TRM Labs, Elliptic, Chainalysis) (The Bybit Hack: Following North Korea’s Largest Exploit | TRM Insights) (The largest theft in history - following the money trail from the Bybit Hack), law enforcement statements (FBI, DOJ) (FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft — FBI) (Office of Public Affairs | Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe | United States Department of Justice), and cybersecurity experts’ writings (The Lazarus Hackers: Everything You Know Is a Lie - DEV Community) (Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware). These sources collectively underpin the examination of Lazarus Group’s alleged tactics and the scrutiny of the attribution process.