Lazarus Group Cryptocurrency Theft Tactics and Bitcoin Heists: How North Korea Steals Billions

Ellen Stenberg Dec 14 2025 Blockchain & Cryptocurrency

Transaction Verification Simulator

How Lazarus Group Manipulates Transactions

In the Bybit attack the Lazarus Group did not steal private keys. They altered what the signers saw on screen: the wallet interface rendered a routine transfer while the payload being signed did something else. This section shows how a transaction can look legitimate in the interface while carrying a different instruction underneath.

Important: never trust what the wallet interface shows on its own. Before you sign, check the decoded transaction (destination, amount, and whether it is a plain call or a delegatecall) on an independent device such as the hardware wallet's own screen. A blockchain explorer can vet the addresses you are dealing with beforehand and confirm what executed afterwards, but it cannot show you an unsigned transaction, because that is not on the chain yet.


How to Protect Yourself

Never trust what you see on screen alone. The Bybit heist succeeded because the interface showed a routine transfer while the payload the signers approved handed control of the wallet contract to the attackers.

  • Before confirming, check the exact destination address, amount and operation type in the decoded transaction, not in the interface's summary; use a blockchain explorer to vet the addresses and contracts involved, and afterwards to confirm what executed
  • Use a separate device to verify transaction details
  • For large transactions, require multiple independent verification steps
  • Never approve transactions from unsolicited messages or links

On February 21, 2025, a single digital transaction erased $1.5 billion from Bybit, one of the world’s largest cryptocurrency exchanges. No physical vault was broken into. No guard was bribed. The theft happened through a manipulated user interface, a signing ceremony that trusted it, and a CEO who thought he was approving a routine transfer. This wasn’t a glitch. It wasn’t luck. It was the Lazarus Group, North Korea’s most dangerous cyber unit, pulling off the biggest cryptocurrency heist in history.

How Lazarus Group Turns Crypto Exchanges Into ATMs

The Lazarus Group doesn’t break into systems the way you’d expect. They don’t brute-force passwords or flood networks with malware. They wait. They observe. They build trust. Then they strike where security is weakest: the human mind.

Their attack on Bybit followed a four-step playbook that’s now the gold standard for state-sponsored crypto theft:

  1. Initial access: Safe{Wallet}’s and Bybit’s post-incident investigations, conducted with Mandiant, traced the compromise to a Safe{Wallet} developer’s workstation rather than to Bybit staff. The vector was still social engineering: one developer with access to the frontend’s deployment credentials was all it took.
  2. Frontend manipulation: They didn’t touch the cold wallet’s private keys. Malicious JavaScript injected into the Safe{Wallet} web interface, the very tool Bybit used to approve transactions, was written to fire only for Bybit’s Safe address. The interface rendered a routine cold-to-warm wallet transfer, but the payload that CEO Ben Zhou and the other signers approved was a delegatecall that swapped the Safe’s implementation contract for one the attackers controlled. From there they drained about 401,000 ETH (roughly $1.46 billion) to their own addresses.
  3. Chain-hopping: Stolen Ethereum was swapped for Bitcoin and Dai on decentralized exchanges and cross-chain swap services. This isn’t just obfuscation; it’s a deliberate strategy to break the trail across blockchains.
  4. Waiting game: The conversion out of ETH happened within days, but the cash-out is slow. They let the heat die down, and over the following months funds moved through mixers, tumblers, and obscure DeFi protocols, making recovery nearly impossible.
This wasn’t the first time. In 2022, they stole about $620 million from Ronin Network after a senior engineer opened a PDF disguised as a job offer. In 2018, they used AppleJeus malware to infect exchange platforms through trojanized trading apps. Each attack got smarter. Each one bypassed more layers of security.

Why Multi-Signature Wallets Failed

Most exchanges brag about their multi-signature wallets, requiring, say, 3 of 5 people to approve a withdrawal. It sounds bulletproof. But Lazarus doesn’t attack the keys. They attack the interface.

Think of it like this: Your bank requires two signatures to transfer money. But what if the online portal you use to request the transfer was secretly rewritten to show one amount, while sending another? That’s what happened at Bybit. The interface lied. The signers trusted it. The hardware wallets did present the real payload, but as raw fields and a hash that the signers were not in the habit of decoding, so nothing in the process compared what was shown with what was signed.

This exposes a blind spot in crypto security: we’ve optimized for cryptographic integrity, but ignored human-interface integrity. No amount of hardware security modules or air-gapped servers matters if the screen you’re looking at is a lie and nothing independent decodes what is actually being signed.
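The check that was missing at Bybit, decoding the payload that is actually being signed and comparing it with what the interface claims, is mechanical. The following is an added example written for this article, not code from Bybit, Safe or the original page: it ABI-decodes a Safe `execTransaction` call and flags a payload that the screen would describe as a token transfer but that is in fact a delegatecall into an unknown contract. The addresses and payloads are constructed; the two 4-byte function selectors are the standard ABI selectors of `execTransaction` and ERC-20 `transfer`, and the "transfer that writes storage slot 0" pattern mirrors the public analyses of the Bybit payload.

```python
"""Check what a Safe multisig signer is really approving.

Added example for this article (not code from Bybit, Safe or the page): decode the
raw execTransaction calldata of a Safe transaction request and compare it with the
transfer the interface claims to show. Addresses and payloads are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# first 4 bytes of keccak256 of the function signatures
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # Safe execTransaction(...)
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")    # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1


@dataclass
class SafeTx:
    to: str         # contract the Safe calls (the token contract for an ERC-20 transfer)
    value: int      # native value in wei
    data: bytes     # inner calldata passed to `to`
    operation: int  # 0 = CALL, 1 = DELEGATECALL (runs `to`'s code on the Safe's storage)


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _addr(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\x00")

def _dyn(b: bytes) -> bytes:
    """ABI dynamic bytes: length word, then data zero-padded to a 32-byte boundary."""
    return _word(len(b)) + b + b"\x00" * (-len(b) % 32)

def encode_exec_transaction(tx: SafeTx, signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction; gas and refund parameters are zeroed for brevity."""
    data_tail = _dyn(tx.data)
    data_offset = 10 * 32  # ten 32-byte head words precede the dynamic tail
    head = (_addr(tx.to) + _word(tx.value) + _word(data_offset) + _word(tx.operation)
            + _word(0) * 5                           # safeTxGas, baseGas, gasPrice, gasToken, refundReceiver
            + _word(data_offset + len(data_tail)))   # offset of `signatures`
    return EXEC_TRANSACTION_SELECTOR + head + data_tail + _dyn(signatures)

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Recover the fields from the bytes that will actually be signed and broadcast."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]
    word = lambda i: int.from_bytes(body[32 * i:32 * i + 32], "big")
    off = word(2)
    length = int.from_bytes(body[off:off + 32], "big")
    return SafeTx("0x" + body[12:32].hex(), word(1), body[off + 32:off + 32 + length], word(3))

def decode_erc20_transfer(data: bytes) -> Optional[Tuple[str, int]]:
    """(recipient, amount) if `data` is a plain transfer(address,uint256), else None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:], "big")

def check_against_intent(calldata: bytes, shown: SafeTx, allowed_targets: Iterable[str]) -> List[str]:
    """Differences between the payload to be signed and what the UI displayed; empty = consistent."""
    real = decode_exec_transaction(calldata)
    allowed = {a.lower() for a in allowed_targets}
    problems = []
    if real.operation != CALL:
        problems.append("operation is DELEGATECALL: target code runs inside the Safe and can "
                        "rewrite its implementation or owners")
    if real.to.lower() not in allowed:
        problems.append(f"target {real.to} is not on the treasury allow-list")
    if real.to.lower() != shown.to.lower():
        problems.append(f"target {real.to} differs from displayed {shown.to}")
    if real.value != shown.value:
        problems.append(f"value {real.value} differs from displayed {shown.value}")
    if decode_erc20_transfer(real.data) != decode_erc20_transfer(shown.data):
        problems.append("inner transfer (recipient/amount) differs from what was displayed")
    return problems


# --- constructed scenario ----------------------------------------------------
TOKEN = "0x" + "aa" * 20                                    # constructed ERC-20 contract
RECIPIENT = "0x1234567890abcdef1234567890abcdef12345678"    # constructed warm wallet
ATTACKER_CONTRACT = "0x" + "bd" * 20                        # constructed
NEW_MASTER_COPY = "0x" + "ce" * 20                          # constructed

# What the interface rendered: move 2,000 tokens (6 decimals) to the warm wallet.
SHOWN_ON_SCREEN = SafeTx(TOKEN, 0, ERC20_TRANSFER_SELECTOR + _addr(RECIPIENT) + _word(2_000 * 10**6), CALL)
HONEST_CALLDATA = encode_exec_transaction(SHOWN_ON_SCREEN)

# What a tampered frontend could submit instead: the inner bytes still look like a
# transfer(address,uint256), but they run via DELEGATECALL in a contract whose "transfer"
# stores its first argument in slot 0, the Safe's master copy (the Bybit payload pattern).
TAMPERED_CALLDATA = encode_exec_transaction(
    SafeTx(ATTACKER_CONTRACT, 0, ERC20_TRANSFER_SELECTOR + _addr(NEW_MASTER_COPY) + _word(0), DELEGATECALL))

def demo() -> Tuple[List[str], List[str]]:
    """Findings for the honest payload and for the tampered one."""
    allow = {TOKEN}
    return (check_against_intent(HONEST_CALLDATA, SHOWN_ON_SCREEN, allow),
            check_against_intent(TAMPERED_CALLDATA, SHOWN_ON_SCREEN, allow))

if __name__ == "__main__":
    for finding in demo()[1]:
        print("TAMPERED:", finding)
```

The honest payload produces no findings; the tampered one trips four (delegatecall, target off the allow-list, target differs from the display, inner transfer differs). In a real signing ceremony the equivalent is a second device that rebuilds the calldata from the fields the interface displayed and compares the resulting Safe transaction hash with the one shown on the hardware wallet, refusing to sign on any mismatch.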

The New Social Engineering Playbook

Lazarus doesn’t rely on spam emails anymore. They’ve moved to LinkedIn.

Their TraderTraitor subgroup now targets security researchers and crypto engineers with fake job offers, conference invites, and even fake research collaborations. They build relationships over weeks. They share technical papers. They ask for feedback on open-source tools. Then, when trust is established, they send a "critical update" for a wallet app or trading bot. That update is a remote access trojan such as MANUSCRYPT. Once installed, it harvests wallet keys, clipboard data, and even screenshots of authentication screens.

This is not random hacking. It’s intelligence gathering disguised as networking. It’s the same tactic used by Russian and Chinese espionage units, but applied with terrifying precision to the crypto world.


The Billions in Motion: A Timeline of Heists

Between June and September 2023 alone, Lazarus was tied to five attacks totaling over $280 million:

  • Atomic Wallet: about $100 million stolen in June
  • CoinsPaid: $37.3 million in July
  • Alphapo: $60 million in July
  • Stake.com: $41 million in September
  • CoinEx: $54 million suspected in September
Here’s the chilling part: Elliptic, a blockchain analytics firm, found that funds from these separate heists were being mixed together. Money from Stake.com ended up in the same wallet addresses used for Atomic Wallet. CoinEx proceeds flowed through addresses tied to previous Lazarus operations. Reusing consolidation addresses is an operational tell, and it is how the heists were linked to one actor, but attribution is not recovery: by the time the link is made the funds have already moved on, using the crypto ecosystem’s own complexity to hide in plain sight.
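How an analyst finds the kind of commingling Elliptic describes, as an added example that is not code from Elliptic or the original page: forward-taint each heist’s known hot-wallet addresses through a transfer log in time order, stop at known service addresses (so a DEX router does not "link" every one of its customers to the theft), and report the addresses reached by more than one heist. The ledger, address labels and heist names are constructed; a real run uses full chain data, a curated service-address list, and amount-aware taint rules.

```python
"""Find where proceeds of separate thefts meet on-chain.

Added example for this article, not code from Elliptic or the page. Each heist's
seed addresses are forward-tainted through a transfer log in chronological order;
addresses reached by more than one heist are reported. The ledger is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Transfer = Tuple[int, str, str, float]  # (unix time, from, to, amount)

# Taint stops at service addresses: pushing it through a DEX router or bridge
# would "link" every other user of that service to the heist.
SERVICE_ADDRESSES = {"dex_router", "bridge_x"}


def taint_forward(transfers: Iterable[Transfer], seeds: Iterable[str], stop_at: Set[str]) -> Dict[str, int]:
    """Map address -> time at which funds from `seeds` first reached it.

    Transfers are walked in time order, so an outflow that happened before the
    tainted funds arrived carries no taint. Amounts are ignored here; production
    tooling apportions taint (FIFO, poison, haircut) so that a dusting of a few
    wei cannot taint an entire exchange.
    """
    reached = {s: 0 for s in seeds}
    for t, src, dst, _amount in sorted(transfers):
        if src in reached and dst not in reached and dst not in stop_at:
            reached[dst] = t
    return reached


def find_commingling(transfers: Iterable[Transfer], heists: Dict[str, Set[str]],
                     stop_at: Set[str] = SERVICE_ADDRESSES) -> Dict[str, List[str]]:
    """address -> sorted names of the heists whose funds reached it (only if two or more)."""
    hits = defaultdict(set)
    for name, seeds in heists.items():
        for addr in taint_forward(transfers, seeds, stop_at):
            hits[addr].add(name)
    return {addr: sorted(names) for addr, names in hits.items() if len(names) >= 2}


# --- constructed ledger --------------------------------------------------------
HEISTS = {"atomic": {"atomic_hot1"}, "stake": {"stake_hot1"}, "coinex": {"coinex_hot1"}}

TRANSFERS: List[Transfer] = [
    (50,  "a2", "early_out", 5.0),                # before any taint arrives: must not count
    (100, "atomic_hot1", "a1", 50.0),
    (110, "a1", "a2", 50.0),
    (120, "a2", "dex_router", 50.0),              # swap through a DEX
    (130, "dex_router", "unrelated_user", 10.0),  # an unrelated customer's swap output
    (200, "stake_hot1", "s1", 30.0),
    (210, "s1", "a2", 30.0),                      # stake proceeds join atomic's consolidation address
    (300, "coinex_hot1", "c1", 20.0),
    (310, "c1", "s1", 20.0),                      # coinex proceeds land on the stake hop address
]

if __name__ == "__main__":
    for addr, names in find_commingling(TRANSFERS, HEISTS).items():
        print(f"{addr}: funds from {', '.join(names)}")
```

With the service stop-list in place the run reports `a2` (atomic and stake) and `s1` (stake and coinex) and nothing else; with an empty stop-list the same data would also taint `unrelated_user`, which is exactly the false positive that makes naive clustering useless against a DEX-heavy laundering path.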

Why Bitcoin Is Their Favorite Target

You’d think Ethereum, with its smart contracts and DeFi integrations, would be the prime target. Lazarus steals whatever the victim holds, mostly ETH and tokens, but it converts to and holds Bitcoin. Why?

  • High liquidity: Bitcoin trades on every exchange, globally, 24/7. No delays.
  • Harder traceability: Bitcoin’s ledger is public and analytics firms do trace it (the Elliptic findings above came from exactly that), but coinjoin and mixing services add enough friction that recovery rarely happens. The mixers often named, Wasabi and Samourai, both lost their coordinators in 2024 (the latter to arrests), and Lazarus has since leaned on other services and cross-chain swaps.
  • Global acceptance: Unlike altcoins, Bitcoin is recognized as real value even by underground markets and sanctioned entities.
  • No issuer: Nobody can inflate it, and unlike a centrally issued stablecoin whose issuer can blacklist an address, nobody can freeze it.
They don’t just steal Bitcoin. They hoard it. They wait. They watch the market. Then, when sanctions ease or demand spikes, they slowly sell through OTC desks in Southeast Asia or use peer-to-peer platforms to exchange it for cash.

What Exchanges Are Doing-And Why It’s Not Enough

After the Bybit heist, several exchanges upgraded their security. Some added biometric approvals. Others required manual phone calls for large transfers. Bybit itself restored all user funds and, with help from analytics firms and other platforms, got roughly $40 million of the stolen assets frozen.

But here’s the problem: these are band-aids.

No exchange has fixed the core issue: the signing interface is the attack surface. If a hacker can change what you see on your screen, two-factor authentication doesn’t help, and a hardware wallet helps only if the signer reads and understands what its own screen says instead of blind-signing a hash.

Security teams now recommend:

  • Real-time verification of the decoded transaction on a separate device before any signature is produced
  • Integrity controls on the signing frontend: reviewed, reproducible builds with pinned hashes checked before the interface loads, so a modified script bundle is refused, plus a log of every deployment
  • Employee training that simulates Lazarus-style LinkedIn phishing
  • Automated comparison of the payload to be signed against the proposed transaction, with a hard block on delegatecalls and implementation changes for treasury wallets
Still, most platforms don’t implement these. Why? Cost. Complexity. Complacency.


The Bigger Threat: A Nation-State With No Fear of Consequences

Unlike criminal gangs, Lazarus doesn’t care about getting caught. North Korea has no extradition treaties with Western nations, offers no practical law-enforcement cooperation, and has no financial system anyone can freeze. Its operators work under state protection with total impunity.

Their mission isn’t profit. It’s survival. Every dollar stolen funds their nuclear program. Every Bitcoin heist buys missile fuel. Every Ethereum stolen pays for a scientist’s salary.

The Center for Strategic and International Studies calls this “cyber-enabled state terrorism.” The U.S. Treasury has sanctioned over 100 Lazarus-linked wallets-but the group simply creates new ones. They’ve moved to non-KYC DeFi protocols, privacy coins, and even NFT marketplaces to launder funds.

And the tempo keeps rising. The five heists listed above came within roughly four months in 2023; the single Bybit transaction in 2025 took more than North Korea’s entire 2024 haul, which Chainalysis put at about $1.3 billion.

What You Can Do-Even If You’re Not an Exchange

You might think this doesn’t affect you. But if you hold crypto, you’re part of the system they’re breaking.

Here’s what actually works:

  • Never click links from LinkedIn DMs, even from “security experts” or “researchers.”
  • Use a hardware wallet for anything over $1,000. Even if your computer is compromised, your private keys stay offline, but confirm the recipient and amount on the device’s own screen: blind-signing a hash hands the decision back to the compromised computer.
  • Enable transaction confirmations on a separate device-like your phone or a dedicated tablet.
  • Decode and check the exact destination address, amount and operation type before approving, on a device other than the one that showed you the transaction. Don’t trust what your wallet app shows; use a blockchain explorer to vet the addresses and contracts you are about to interact with, and afterwards to confirm what executed.
  • Use a dedicated, air-gapped computer for managing large holdings. No internet. No updates. No apps.
The truth is simple: if you’re trusting your crypto to an app on your phone or laptop, you’re already at risk. Lazarus doesn’t need to hack your wallet. They just need you to trust the wrong thing.

The Future: Can Crypto Survive?

Lazarus Group isn’t going away. As sanctions tighten, their heists will grow more frequent and more brazen. By 2026, experts predict they’ll target stablecoin issuers, DeFi protocols, and even central bank digital currency (CBDC) pilot programs.

The crypto industry is at a crossroads. Either we rebuild security from the ground up, treating the user interface as a weaponized attack surface, or we accept that billions will keep vanishing into North Korean missile silos.

There’s no magic fix. No blockchain upgrade will stop a lie on a screen. The only defense left is awareness, skepticism, and a refusal to trust what looks easy.

Because in the end, the most dangerous thing about Lazarus isn’t their code.

It’s that they know you’ll click ‘Confirm’ anyway.

Is the Lazarus Group still active in 2025?

Yes. As of December 2025, Lazarus Group remains the most active state-sponsored criminal organization targeting cryptocurrency. It carried out the $1.5 billion Bybit breach in February 2025, the largest crypto theft to date, on top of the run of five heists attributed to it between June and September 2023. Its operational tempo and the size of individual thefts have both increased sharply.

How did Lazarus steal $1.5 billion from Bybit?

They didn’t hack the cold wallet directly. Instead, they compromised a Safe{Wallet} developer’s machine and injected malicious code into the Safe{Wallet} frontend used by Bybit’s signers. The interface displayed a routine transfer, but the transaction Bybit’s CEO and the other signers approved was a delegatecall that replaced the Safe’s implementation contract with one the attackers controlled, which then let them drain the wallet. The multi-signature quorum approved it because it looked legitimate; no cryptographic keys were compromised, only the user interface was manipulated.

Why do they prefer Bitcoin over other cryptocurrencies?

Bitcoin offers the highest liquidity, global acceptance, and strongest resistance to devaluation. Unlike altcoins, Bitcoin is recognized as real value even in sanctioned markets. It’s easier to move, convert, and spend without raising red flags. Lazarus converts stolen Ethereum and other tokens into Bitcoin as soon as possible for this reason.

Can multi-signature wallets protect against Lazarus attacks?

Not if the interface is compromised. Multi-signature wallets are designed to prevent single-point failures, but they assume the user interface is trustworthy. Lazarus bypasses this by altering what users see on-screen. Even with 5-of-7 signatures required, if every signer approves a transaction that looks correct, the system will execute it. The flaw isn’t in the cryptography; it’s in trusting the display. The defence is to have at least one signer verify the decoded payload independently of that display.

What’s the best way to protect personal crypto holdings from Lazarus-style attacks?

Use a hardware wallet like Ledger or Trezor for any significant holdings, and read the recipient and amount on the device’s own screen rather than blind-signing. Never click links from unsolicited LinkedIn messages or emails, even if they look professional. Before confirming, verify the decoded transaction details on a second device; use a blockchain explorer like Etherscan or Blockchain.com to vet the counterparty addresses beforehand and to confirm what executed afterwards. For large amounts, use a separate, air-gapped device with no internet connection. Your biggest vulnerability isn’t your wallet; it’s your trust in what you see on your screen.

Has any government successfully tracked and punished Lazarus Group members?

Not in the sense of an arrest. The U.S. Department of Justice has indicted named Lazarus operators, including Park Jin Hyok in 2018, and the U.S. Treasury has sanctioned over 100 cryptocurrency addresses linked to the group, but none of the indicted individuals has been taken into custody. North Korea has no extradition treaties with Western nations, the operators work under state protection, and the group’s use of decentralized finance leaves traditional law enforcement with little leverage beyond freezing funds that land on cooperative platforms.
