Deng Tong, Golden Finance
On June 11, 2025, according to a report by Japan's Kyodo News Agency, Japanese Prime Minister Shigeru Ishiba plans to propose strengthening the crackdown on North Korea's malicious cyber activities such as stealing cryptocurrencies at the Group of Seven Summit (G7 Summit) held in Canada from June 15 to 17. This will be the first time that the G7 summit discusses the issue of North Korea's theft of cryptocurrencies.According to several Japanese government officials, this move aims to strengthen supervision through multilateral cooperation and cut off North Korea's channels for illegally obtaining cryptocurrency funds through cyber attacks, which are believed to be used to develop weapons of mass destruction.
What shocking cases have North Korean hackers committed? How much cryptocurrency have they stolen? Why is North Korea so good at hacking? Where is all the money spent?
On February 21, 2025, Dubai-based cryptocurrency exchange Bybit suffered a theft of approximately $1.46 billion in crypto assets. Preliminary reports show that the attackers used malware to trick the exchange into approving transactions to transfer funds to the thieves' accounts, which is the largest cryptocurrency theft to date. Elliptic analyzed a variety of factors, including an analysis of the money laundering path of the stolen crypto assets, and determined that the mastermind behind the Bybit theft was North Korea's Lazarus Group.
In March 2022, the Ethereum sidechain built for the Axie Infinity instant play and earn game was exploited to steal $620 million worth of Ethereum and USDC. Ronin was only able to recover a small portion of the stolen funds. The attack was blamed on the Lazarus Group, an organization allegedly linked to the North Korean government.
On May 31, 2024, 4,502.9 bitcoins were stolen from the Japanese exchange DMM Bitcoin. At the time of the incident, the bitcoins were worth $308 million. The FBI, the Department of Defense, and the Japanese National Police Agency said the theft was the work of hackers linked to North Korea.
In September 2020, $275 million worth of cryptocurrency was stolen from KuCoin, a Singapore-based cryptocurrency exchange, including $127 million in ERC20 tokens for Ethereum smart contracts. However, subsequent on-chain tracking successfully froze $170 million in assets, and institutions such as Tether and Circle also cooperated in marking the stolen money, eventually forcing the hackers to return some of the funds. The North Korean hacker group Lazarus Group was accused of being the perpetrator of the theft.
On July 18, 2024, Indian cryptocurrency exchange WazirX suffered a loss of $230 million. There is evidence that the hacker may be the North Korean government-backed Lazarus Group, which has converted most of the stolen assets into Ethereum.
In June 2023, users of the Atomic Wallet service had more than $100 million worth of cryptocurrency stolen, and the FBI later confirmed a connection to the North Korean hacker group Lazarus Group.
On October 16, 2024, the lending agreement Radiant Capital had about $50 million stolen. Radiant Capital said that the hacker launched the attack by sending malware through Telegram. The malware was sent by a hacker allied with North Korea posing as a former contractor. We are highly confident that the attack was carried out by a threat actor affiliated with North Korea (DPRK).
In September 2023, $41 million worth of cryptocurrency was stolen from the online casino and gambling platform Stake.com. The perpetrator was Lazarus Group.
In November 2019, 342,000 Ethereums were stolen from Upbit, worth $41 million at the time. The police believed that the crime was committed by the North Korean hacker groups Lazarus and Andariel based on the analysis of North Korean IP addresses, the flow of virtual assets, traces of North Korean vocabulary use, and evidence obtained in cooperation with the US Federal Bureau of Investigation (FBI).
Lazarus Group is allegedly operated by the North Korean government. Although little is known about the group, researchers have attributed several cyber attacks since 2010 to it. According to defector Kim Kuk-song, the unit is known as the "414 Liaison Office" inside North Korea.
The earliest known attack by the group is called "Operation Troy" and took place between 2009 and 2012. It was a cyber espionage campaign that used simple distributed denial of service (DDoS) techniques to target the South Korean government in Seoul. They also launched attacks in 2011 and 2013. Although it is not certain, they may also be behind the 2007 attack on South Korea. The most well-known attack by the group was the 2014 attack on Sony Pictures. The attack on Sony Pictures used more complex techniques, highlighting that the group has become more advanced over time.
In 2015, the Lazarus Group reportedly stole $12 million from the Bank of Austria in Ecuador and $1 million from the Tien Phong Bank in Vietnam. They have also targeted banks in Poland and Mexico. Bank robberies in 2016, including an attack on the Bangladesh Bank that successfully stole $81 million, were attributed to the group. In 2017, the Lazarus Group reportedly stole $60 million from the Far Eastern International Bank in Taiwan, and although the actual amount stolen is unclear, most of the funds have been recovered.
The Lazarus Group has also created many cases, which will not be repeated here.
The money laundering process of Lazarus Group: The first step is to exchange all stolen tokens for "native" blockchain assets, such as ETH.This is because tokens have issuers, who can "freeze" wallets containing stolen assets in some cases, while there is no central agency that can freeze ETH or Bitcoin.
The second step is to "layer" the stolen funds in an attempt to cover up the transaction path.The transparency of the blockchain means that these transaction paths can be traced, but these layering strategies complicate the tracing process and buy valuable cash-out time for money launderers. The layering process can take many forms, including: transferring funds through a large number of cryptocurrency wallets; using cross-chain bridges or exchanges to transfer funds to other blockchains; using DEXs, token exchange services or exchanges to switch between different crypto assets; using "mixers" such as Tornado Cash or Cryptomixer.
North Korea's Lazarus Group is the most "professional" and resourceful crypto asset launderer in existence, and they constantly adjust their techniques to evade the identification and seizure of stolen assets.
For details, please refer to the Golden Finance article "The Biggest Theft in History: Tracking the Flow of Bybit Hacker Funds"
Members of the North Korean hacker group Lazarus Group once used false identities to set up two shell companies in New Mexico and New York, USA-Blocknovas LLC and Softglide LLC, using fake recruitment to spread malware and specialize in attacking cryptocurrency developers. Cybersecurity company Silent Push disclosed that these companies used fake interviews to lure victims and steal sensitive information such as encrypted wallets and passwords, which has caused many developers to fall victim. Silent Push called it a rare case of "North Korean hackers registering legitimate companies in the United States to carry out cyber attacks."
The United Nations Panel of Experts investigating North Korea's evasion of sanctions estimated in 2024 that North Korea has stolen more than $3 billion in cryptocurrency since 2017.
According to the Chainalysis report, in 2023, hackers associated with North Korea stole approximately $660.5 million through 20 incidents; in 2024, this figure increased to $1.34 billion in 47 incidents, an increase of 102.88% in the value of theft. These figures accounted for 61% of the total amount stolen that year and 20% of the total number of incidents.
In 2024, attacks worth $50-100 million and more than $100 million occurred much more frequently than in 2023, suggesting that North Korea is getting better and faster at large-scale attacks. This is in stark contrast to the previous two years, when profits were often less than $50 million each.
North Korea has been responsible for most of the large-scale attacks in the past three years. Interestingly, the amount of money attacked by North Korean hackers is lower, especially the density of hacker attacks worth around $10,000 is also increasing.
North Korea has never admitted to being behind the Lazarus Group, but is believed to be the only country in the world that uses hacking power for economic gain.
In 2023, a United Nations monitoring body reported that cyber theft accounted for half of the country's total foreign revenue. Most of the proceeds are believed to be used for its weapons program.
Over the past decade, North Korea has incorporated crimes for economic gain into its evolving offensive cyber strategy. According to Oriental Online, these hacking operations are mainly directed by the Reconnaissance General Bureau, North Korea's main foreign intelligence agency, and the stolen funds are used to finance the country's nuclear weapons program.
In 2020, the United States placed North Koreans suspected of involvement in the Lazarus Group on a cyber wanted list. But unless they leave their country, the chances of these people being arrested are slim.
In a country where most people have no access to the Internet, why has it cultivated so many elite hackers?
Thai Yong-ho, Pyongyang's former ambassador to London, who defected to South Korea in 2016, once pointed out: When Kim Jong-un was studying in Switzerland, he spent most of his time playing video games, but he also saw the importance of computers in modern life. Therefore, after returning to the country with his younger brother Kim Jong-chul, he inspired their father. "Kim Jong-il quickly realized the advantages of these computers and networks."
Kim Jong-il soon set up a special school dedicated to teaching high-tech espionage, intelligence and warfare. Five years later, he received a rich reward: hackers stole South Korea's top-secret military plans, including documents that outlined a possible war between North Korea and its northern neighbor, and a plot to "decapitate" North Korea by assassinating Kim Jong-un.
Today, North Korea’s cyber forces are believed to number more than 8,000, mostly hand-picked math-savvy students from schools. In North Korea, they are affiliated with a harmless-sounding “Reconnaissance General Bureau,” but in practice they operate under cyber code names such as Lazarus, BeagleBoyz, Hidden Cobra, and APT38 (“APT” stands for “Advanced Persistent Threat”).
These students undergo long and intensive training, but they also receive certain privileges—including exemptions from state labor programs, material benefits such as cars and comfortable housing, and rare opportunities to travel abroad to compete in global math competitions such as the International Mathematical Olympiad.
However, their efficiency is not simply due to their superb technical expertise. Most cyber thefts also exploit human weaknesses, such as sending “phishing” emails or befriending employees to trick them into giving away their passwords.
Dr. Dorrit Doll of cybersecurity company Check Point said: "North Korea's system and economy are very closed, so they have created a successful hacking and money laundering industry, and they don't care about the negative impression brought by cybercrime."
Source: Golden Finance, CoinDesk, The Block, The Telegraph, BBC, Reuters, The Economist, Chainalysis, Wikipedia, Dongfang ONLINE
EIP-3074 needs careful integration to avoid potential risks to Ethereum accounts. It's important for wallets to display clearly what users are signing, akin to handling one's private keys.
AlexAfter Hong Kong's principal approval of BTC and ETH ETFs, Japan, Korea, Taiwan, and Singapore are also considering their own citizens' attitudes towards this development.
Miyuki在香港原则性批准BTC和ETH的ETF后, 日本, 韩国, 台湾和新加坡也在考虑自己国民对此的态度
MiyukiThe Google search volume for Bitcoin halving has reached an all-time high, yet the most interested investors are not from the US or China.
Weiliang$HUAHUA, the memecoin on the Chihuahua Chain, stands out with its community-driven governance and eco-friendly approach, offering rewards of up to 21% through staking. Leveraging the Cosmos SDK, it aims to revolutionise finance with DeFi integration, poised to invigorate the Cosmos ecosystem with its vibrant innovation.
AnaisOmni Network's OMNI token witnessed a drastic 55% drop post-airdrop, while a scam involving a fake OMNI token unfolded.
AlexBinance reallocates $1 billion to USDC, enhancing transparency and security, and influencing the broader crypto market.
MiyukiBinance's recent regulatory approval in Dubai symbolizes a crucial advance in its commitment to compliance, amidst a backdrop of intense regulatory scrutiny that has challenged the cryptocurrency exchange since the FTX crisis.
WeiliangBinance, the world's largest crypto exchange, is making a comeback in India by agreeing to pay a $2 million fine and commit to local regulations, signaling a shift in the Indian crypto landscape towards compliance and collaboration. This move could fuel growth and innovation in India's crypto market, setting a precedent for global regulatory frameworks.
WeatherlyArkansas considers new regulations for cryptocurrency mining, focusing on environmental impacts and market stability amidst legislative debates and international legal challenges.
Alex