How North Korea's Lazarus Group Stole $6.7 Billion in Crypto — and Is Funding AI and Missiles With It

Abhishek Gautam · 9 min read

Quick summary

The Lazarus Group has stolen approximately $6.7 billion in cryptocurrency since 2018. UN investigators confirmed the funds flow directly to North Korea's ballistic missile and AI research programmes. Here is the full strategic picture and what crypto and fintech developers must do.

Between 2018 and 2025, North Korea's Lazarus Group stole approximately $6.7 billion in cryptocurrency. This is not a cybersecurity statistic. It is a weapons procurement budget.

UN Panel of Experts reports, FBI investigations, and blockchain analytics firms Chainalysis and Elliptic have all traced Lazarus Group proceeds to two specific destinations: North Korea's ballistic missile programme and, increasingly since 2023, North Korea's domestic AI research infrastructure.

Understanding the Lazarus Group is no longer just a matter of crypto security. It is a geopolitical story with direct implications for every developer building in DeFi, fintech, or any application handling digital assets.

Who Is the Lazarus Group?

Lazarus Group (also tracked as APT38, Hidden Cobra, Zinc, and UNC4034) is a North Korean state hacking operation affiliated with the Reconnaissance General Bureau (RGB) — North Korea's primary foreign intelligence service. It is not a loose collective of criminal hackers. It is a state intelligence asset with specific financial targets and operational doctrine.

The group is organised into functional sub-units:

  • APT38 (the financial crimes unit): Focused on bank SWIFT network attacks and exchange heists
  • TraderTraitor (UNC4899): Focused on cryptocurrency exchange employees, crypto VCs, and Web3 developers
  • UNC1069: The AI deepfake and social engineering unit (covered separately)

The overarching mission is simple: generate hard currency for the Kim regime. North Korea is under the most comprehensive international sanctions regime in modern history. The Lazarus Group is one of the primary mechanisms for sanctions evasion.

The $6.7 Billion in Headline Attacks

The scale of Lazarus Group operations since 2018:

Ronin Network / Axie Infinity (March 2022): $625 million. The largest single crypto hack in history at the time. Lazarus Group compromised the private keys of five of the nine Ronin Bridge validators — four belonging to Sky Mavis (Axie's developer) and one belonging to the Axie DAO. The hack went undetected for six days. The FBI and US Treasury confirmed North Korean attribution in April 2022.

Harmony Horizon Bridge (June 2022): $100 million. Lazarus compromised two of the five multisig keys controlling the Harmony bridge between Ethereum and Harmony's blockchain. The attack pattern — targeting bridge validators rather than the underlying chains — became a template.

Atomic Wallet (June 2023): $35 million. TraderTraitor sub-group. Supply-chain-style attack via a compromised software update; 5,500 wallets were drained across multiple chains.

Alphapo / HypeDrop (July 2023): $60 million. TraderTraitor used spearphishing on Alphapo employees. Gained access to hot wallet private keys. Drained Bitcoin, Ethereum, and Tron across multiple transactions.

DMM Bitcoin (May 2024): $305 million. Lazarus compromised a DMM Bitcoin employee via LinkedIn, gained access to signing systems, and drained 4,502.9 BTC in a single transaction. The Japanese exchange subsequently suspended operations and liquidated.

Bybit (February 2025): $1.5 billion. The largest crypto hack in history. TraderTraitor used a supply chain attack against Safe (a smart wallet provider used by Bybit). Compromised Safe's infrastructure to inject malicious JavaScript that manipulated Bybit's multi-signature signing interface during a routine transfer. The attack gave the appearance of a legitimate transaction to Bybit's signers while actually draining $1.5B in ETH. Bybit survived — it secured emergency loans and covered losses — but the attack demonstrated Lazarus Group's ability to compromise multi-party custody systems.

The Weapons Connection

The UN Panel of Experts on North Korea has documented in multiple annual reports that Lazarus Group proceeds directly fund Kim Jong-Un's weapons programmes. The mechanism is not simple money transfers — it involves extensive cryptocurrency laundering through mixers, cross-chain bridges, and OTC brokers — but the destination is confirmed.

The UN Panel of Experts has estimated that approximately 40% of North Korea's weapons of mass destruction programme is funded by cyber theft, with roughly half of its total foreign-currency income derived from illicit cyber operations. North Korea conducted 42 ballistic missile tests in 2022 — each test costs an estimated $1-10 million depending on the missile type. Crypto heists fund these tests directly.

The AI funding dimension emerged in 2023. Multiple intelligence assessments (US, South Korean, and Japanese) noted that North Korean computer science graduates began appearing in AI research contexts in China and via remote-work arrangements. North Korea has been purchasing GPU compute through intermediaries — Chinese companies, fronts in Southeast Asia — to build domestic AI capability. The goal is both military AI (autonomous targeting, signals intelligence) and cyber AI (using LLMs to accelerate phishing campaign development and code generation for malware).

TraderTraitor: The Playbook Targeting Developers

The TraderTraitor sub-group (FBI's name) specifically targets the humans who build and operate cryptocurrency infrastructure. Their playbook is well-documented and devastatingly effective:

Step 1 — Target identification. TraderTraitor builds comprehensive profiles of target employees using LinkedIn, GitHub, Twitter, and conference speaker lists. They look for: engineers with access to signing keys or admin systems; developers of smart contract infrastructure; security researchers who might provide insider information; and executives with access to financial systems.

Step 2 — Fake job offer. The initial contact is typically via LinkedIn or Telegram, from a fake recruiter representing a credible-sounding crypto VC, exchange, or DeFi project. The recruiter offers a high-salary position and requests a technical interview or skills assessment.

Step 3 — Malware delivery. The "skills assessment" or "technical challenge" is a PDF, repository, or executable that contains North Korean malware. Common vehicles: a Python coding challenge that requires running a script, a JavaScript npm package with malicious dependencies, a fake macOS application, or a PDF exploit. Once run on the target's work machine, the malware establishes persistence and begins exfiltrating credentials and keys.

Step 4 — Lateral movement and key extraction. With a foothold on an employee's machine, TraderTraitor pivots to internal systems, extracts signing keys from hardware security modules or software wallets, and identifies the optimal withdrawal path to drain funds quickly.

The Laundering Infrastructure

Lazarus Group has invested heavily in laundering infrastructure. On-chain tracing by firms such as Chainalysis has become sophisticated enough to follow funds through multiple hops, so Lazarus has adapted:

  • Tornado Cash and similar mixers: Used extensively until Tornado Cash was sanctioned by US Treasury in August 2022. Still used despite sanctions.
  • Cross-chain bridges: Moving funds from Ethereum to Bitcoin to Tron to Litecoin to reduce chain-specific tracking.
  • ChipMixer: A Bitcoin mixer seized by Europol in March 2023 with $46M in NK-linked funds confirmed.
  • Sinbad.io: A successor Bitcoin mixer sanctioned by OFAC in November 2023.
  • OTC brokers in China and Southeast Asia: The final off-ramp. Crypto converted to fiat through brokers who either knowingly or unknowingly facilitate NK funds. US Treasury has sanctioned multiple Chinese OTC brokers linked to Lazarus Group laundering.

Despite these obstacles, Chainalysis estimates that Lazarus Group successfully converts a meaningful fraction of stolen funds to usable hard currency, though at increasing cost (higher laundering fees, more complex routing).

What Crypto and Fintech Developers Must Do

Assume you are a target if you work in crypto or fintech. If you have access to any signing key, admin dashboard, deployment pipeline, or production secrets for a crypto company or financial platform, you are exactly the profile TraderTraitor targets. This is not paranoia — these are documented attack patterns against exactly this category of professional.

Never run unsolicited code. No legitimate recruiter requires you to run a Python script or clone and execute a repository as part of an interview process. If a "skills assessment" requires running code on your work machine, decline. If you receive a message via LinkedIn or Telegram offering an unusually well-compensated position in crypto, treat it as a potential TraderTraitor operation until proven otherwise.

Separate work and personal machines for key operations. Any machine used for signing operations or accessing production systems should be dedicated to that purpose, fully patched, not used for email or browsing, and monitored for unusual process execution.

Multi-party signing with geographic and organisational diversity. The Bybit and Ronin attacks succeeded because validators or signers were compromised through a single company's infrastructure. Genuine multi-party custody requires signing parties that are organisationally and geographically independent — not five keys all managed by the same team.
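One way to test the property this paragraph asks for, as an added example (not the post's or any project's code): each key is tagged with its owning organisation, operating infrastructure and region, and the check reports how many independent groups an attacker must fully compromise to reach the threshold. The 5-of-9 set is constructed around the post's Ronin figures; the extra validators, the region labels and the assumption about where the DAO key was operated are illustrative only.

```python
from collections import Counter
from dataclasses import dataclass

# Added example, not code from the post: asks how many independent groups an
# attacker must compromise before a threshold signing scheme falls.

@dataclass(frozen=True)
class SignerKey:
    name: str
    org: str     # organisation that owns the key
    infra: str   # who operates the host / signing service the key lives on
    region: str  # jurisdiction of that host

def groups_to_compromise(keys, threshold, dimension):
    """Fewest distinct `dimension` values (org, infra or region) an attacker must
    fully compromise to control `threshold` keys. Taking the largest groups
    first is exact under the model 'all keys in a compromised group fall'."""
    counts = Counter(getattr(k, dimension) for k in keys)
    reached = 0
    for groups, (_, n) in enumerate(counts.most_common(), start=1):
        reached += n
        if reached >= threshold:
            return groups
    return None  # threshold unreachable: the set itself is misconfigured

def assess(keys, threshold):
    """Blast radius per dimension plus a verdict: no single organisation,
    operator or region may be able to reach the threshold on its own."""
    report = {d: groups_to_compromise(keys, threshold, d)
              for d in ("org", "infra", "region")}
    report["single_point_of_failure"] = 1 in report.values()
    return report

# Constructed 5-of-9 set shaped like the post's Ronin description (four keys
# held by Sky Mavis, one by the Axie DAO). The remaining validators, the region
# labels and the assumption that the DAO key ran on Sky Mavis infrastructure
# are illustrative only, not claims about the real incident.
RONIN_LIKE = [
    *(SignerKey(f"skymavis-{i}", "Sky Mavis", "Sky Mavis", "R1") for i in range(4)),
    SignerKey("axie-dao", "Axie DAO", "Sky Mavis", "R1"),
    *(SignerKey(f"validator-{c}", f"Org {c}", f"Host {c}", f"R{i}")
      for i, c in enumerate("ABCD", start=2)),
]
# What the post asks for: organisationally and geographically independent signers.
DIVERSE = [SignerKey(f"k{i}", f"Org {i}", f"Host {i}", f"R{i}") for i in range(9)]
```

For the Ronin-shaped set the organisation view already needs only two groups, and the infrastructure view collapses to one, which is the failure mode the paragraph describes.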

Audit your software supply chain. TraderTraitor uses malicious npm packages, GitHub repositories, and software updates as delivery vehicles. SBOM (Software Bill of Materials) generation and dependency integrity verification are essential for any production crypto codebase.
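An added example (not the post's or any project's code) of the dependency integrity verification this paragraph calls for: it audits a `package-lock.json` for missing or weak SRI hashes, tarballs resolved from git or from hosts outside an allowlist, and packages that run install scripts. The lock file contents, the package names and the mirror host are constructed; only `registry.npmjs.org` is a real host.

```python
import json
from urllib.parse import urlparse

# Added example, not code from the post. Add your private registry to the trusted hosts.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
STRONG_SRI_PREFIXES = ("sha512-", "sha384-")  # sha1-/sha256- SRI hashes are legacy

def check_entry(path, entry, trusted_hosts):
    """Yield (path, reason) findings for one `packages` entry of a package-lock.json."""
    integrity, resolved = entry.get("integrity", ""), entry.get("resolved", "")
    if not integrity:
        yield path, "no integrity hash: npm cannot verify the downloaded tarball"
    elif not integrity.startswith(STRONG_SRI_PREFIXES):
        yield path, f"weak integrity algorithm: {integrity.split('-', 1)[0]}"
    url = urlparse(resolved)
    if not resolved:
        yield path, "no resolved URL: package source is unpinned"
    elif url.scheme.startswith("git") or url.scheme == "github":
        yield path, "resolved from a git repository, not a registry tarball"
    elif url.scheme != "https":
        yield path, f"tarball fetched over {url.scheme}, not https"
    elif url.hostname not in trusted_hosts:
        yield path, f"tarball fetched from untrusted host {url.hostname}"
    if entry.get("hasInstallScript"):
        yield path, "declares install scripts: arbitrary code runs at `npm install`"

def audit_lockfile(lock_text, trusted_hosts=TRUSTED_REGISTRY_HOSTS):
    """Findings for a lockfileVersion 2/3 file (those carry the `packages` map);
    the project root ("") and workspace symlinks (`link`) are skipped."""
    packages = json.loads(lock_text).get("packages")
    if packages is None:
        raise ValueError("lockfileVersion 1: no `packages` map, regenerate with npm >= 7")
    return [f for path, entry in packages.items()
            if path and not entry.get("link")
            for f in check_entry(path, entry, trusted_hosts)]

# Constructed lock file: one clean dependency and three an auditor should stop on.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "wallet-ui"},
    "node_modules/left-pad": {"resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
                              "integrity": "sha512-CONSTRUCTED"},
    "node_modules/old-lib": {"resolved": "https://registry.npmjs.org/old-lib/-/old-lib-0.1.0.tgz",
                             "integrity": "sha1-CONSTRUCTED"},
    "node_modules/shiny-sdk": {"resolved": "https://cdn.example-mirror.test/shiny-sdk-2.0.0.tgz",
                               "integrity": "sha512-CONSTRUCTED", "hasInstallScript": True},
    "node_modules/git-dep": {"resolved": "git+https://github.com/example-org/git-dep.git#CONSTRUCTED"},
}})
```

Run `audit_lockfile(SAMPLE_LOCK)` in CI and fail the build on any finding; an allowlist exception for a private mirror belongs in `TRUSTED_REGISTRY_HOSTS`, not in a skipped check.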

The Lazarus Group is not slowing down. In 2025, they stole more in a single operation (Bybit, $1.5B) than they had in any previous year. The combination of AI-assisted social engineering and the growing sophistication of their supply chain attacks means the attack surface is expanding. Defence starts with awareness.



Written by

Abhishek Gautam

Full Stack Developer & Software Engineer based in Delhi, India. Building web applications and SaaS products with React, Next.js, Node.js, and TypeScript. 8+ projects deployed across 7+ countries.