By |Last Updated: June 19th, 2026|10 min read|Categories: Data Exfiltration, Breach, Ransomware|


The Lazarus Group is one of the most productive nation-state hackers in the world.

North Korea’s flagship cyber unit has spent more than a decade stealing money, leaking corporate secrets, and disrupting public services across the globe. In February 2025 the group pulled off the largest cryptocurrency heist on record, with the FBI confirming it drained roughly $1.5 billion from a single exchange.

Governments and businesses now treat it as a standing threat to financial systems, supply chains, and sensitive data. This article explains who the Lazarus Group is, the cyberattacks linked to it, how it operates, and the steps your organization can take to reduce the risk.

Who Is The Lazarus Group?

The Lazarus Group is a state-sponsored hacking collective tied to the North Korean government. Security researchers first connected it to a string of attacks in 2009, and U.S. cyber intelligence agencies have since linked the Lazarus hacking group’s activity to the Reconnaissance General Bureau, Pyongyang’s main military intelligence agency. 

Its operators answer to the state, and their thefts help fund the regime’s weapons programs under heavy international sanctions. These are salaried government employees, and stealing cryptocurrency has become one of Pyongyang’s most dependable revenue streams.

The group runs under many names. MITRE tracks it as Lazarus Group, and different vendors label its sub-teams and campaigns separately.

Known aliases:

  • APT38: the financially motivated arm behind bank and crypto theft.
  • Hidden Cobra: the U.S. government label for North Korean cyber activity.
  • ZINC and Diamond Sleet: Microsoft’s naming for the espionage operations.
  • Guardians of Peace: the front used during the Sony Pictures attack.

These labels overlap because the Lazarus hacker group works as an umbrella of related teams, including BlueNoroff and Andariel, rather than a single crew.

Major Cyberattacks Linked To The Lazarus Group

Lazarus has been tied to some of the most damaging cyberattacks of the past decade. Four in particular stand out.

The Famous Sony Pictures Hack

In November 2014, a group calling itself Guardians of Peace breached Sony Pictures Entertainment. The attackers wiped systems and leaked unreleased films, employee data, and internal emails. U.S. investigators attributed the attack to North Korea, citing retaliation for the studio’s comedy about the assassination of Kim Jong-un. It was an early sign that the regime would use cyber operations for political ends.

WannaCry Ransomware Attack

The WannaCry ransomware spread to around 200,000 computers across 150 countries in May 2017. It encrypted hospital systems and froze infrastructure worldwide. The UK’s National Health Service was hit hard, with more than 19,000 appointments canceled. The U.S., UK, and allies later attributed the campaign to Lazarus, making it one of the most disruptive ransomware operations in history. WannaCry remains the most damaging Lazarus Group ransomware to date.

Harmony Horizon Bridge Theft

In June 2022, attackers drained $100 million in cryptocurrency from Harmony’s Horizon blockchain bridge. The FBI attributed the theft to Lazarus in January 2023 and tracked the laundering across privacy protocols.

Cryptocurrency Exchange Attacks

The FBI confirmed Lazarus stole $1.5 billion from crypto exchange Bybit in February 2025, the largest crypto theft ever recorded. The attackers compromised a third-party wallet provider, slipped malicious code into the signing interface, and rerouted what looked like a routine transfer. Within ten days they laundered almost all of it through the THORChain protocol into Bitcoin, scattered across nearly 7,000 wallets, leaving around $280 million untraceable.

How The Lazarus Group Operates

Lazarus Group Cyberattacks

The group blends espionage tradecraft with criminal efficiency. Its phishing attacks and malware campaigns follow a somewhat consistent pattern.

  • Spear phishing: targeted emails that impersonate trusted contacts.
  • Fake job offers: recruiter lures on LinkedIn that deliver malware to developers.
  • Supply chain compromise: poisoned software packages pushed to open registries.
  • Social engineering: manipulation of staff at exchanges and fintech firms.
  • Cryptocurrency laundering: moving stolen funds quickly across blockchains.

In one direction, operators pose as recruiters and send developers trojanized coding tests, an activity cluster tracked as “DeceptiveDevelopment.” In the other, North Koreans pose as the candidates. Thousands have used stolen American identities to land remote IT jobs, then funneled their salaries back to Pyongyang. The number of companies tricked into hiring them jumped 220% in a year.

The scheme runs on insider help in the target country. A woman in Arizona was sentenced in July 2025 to over eight years for running a laptop farm, hosting more than 90 company-issued machines in her home so the workers looked domestic. That single operation moved $17 million to North Korea across 300-plus firms. 

Interviews now feature real-time deepfakes, with applicants using AI to mask their faces and voices on camera. Once a fake hire or a phished credential gets them inside, they steal data, move laterally, and exfiltrate funds before anyone connects the dots.
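The fake job offer and supply chain bullets above share one delivery path: a repository or package that the developer installs and runs before anyone looks at it. The following script is an added example written for this article (editor's code, not from the original post or from BlackFog) showing the check a defender can run on an unsolicited "coding test" or a new dependency manifest before `npm install` or `pip install` touches it: unpinned version ranges that can resolve to a newer upload, install-time lifecycle hooks that execute automatically, and VCS or URL sources that bypass the registry. The sample package.json and requirements.txt are constructed; no real package named here is implied to be malicious.

```python
"""Audit a dependency manifest before anything in it is installed or run.

Added example (editor's code, not from the original post or any BlackFog product).
Sample manifests are constructed to resemble an unsolicited take-home assignment.
"""
import json
import re

# An exact npm version has no range operator: 1.2.3 or 1.2.3-beta.1, nothing else.
_EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# Lifecycle hooks that `npm install` runs automatically, without any user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Trailing "# comment" in a requirements line (a '#' inside a URL fragment is left alone).
_PIP_COMMENT = re.compile(r"(^|\s)#.*$")


def load_manifest(text: str) -> dict:
    """Parse package.json text into a dict."""
    return json.loads(text)


def unpinned_npm_deps(manifest: dict) -> list[tuple[str, str]]:
    """Return (name, spec) for every dependency that is not pinned to an exact version."""
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not _EXACT_SEMVER.match(str(spec)):
                findings.append((name, str(spec)))
    return findings


def install_hooks(manifest: dict) -> dict[str, str]:
    """Return lifecycle scripts that would execute during `npm install`."""
    scripts = manifest.get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def unpinned_pip_reqs(requirements: str) -> list[str]:
    """Return requirement lines not pinned with ==, including VCS/URL sources."""
    findings = []
    for raw in requirements.splitlines():
        line = _PIP_COMMENT.sub("", raw).strip()
        if not line or line.startswith("-"):  # blank line or pip option such as -r/-e
            continue
        if line.startswith(("git+", "http://", "https://")) or "==" not in line:
            findings.append(line)
    return findings


def audit(package_json: str, requirements_txt: str) -> list[str]:
    """Produce the findings a CI gate would print before allowing an install."""
    manifest = load_manifest(package_json)
    findings = [f"unpinned npm dependency: {n} {s}" for n, s in unpinned_npm_deps(manifest)]
    findings += [f"install-time script '{k}' runs: {v}" for k, v in install_hooks(manifest).items()]
    findings += [f"unpinned pip requirement: {line}" for line in unpinned_pip_reqs(requirements_txt)]
    return findings


# Constructed sample: what an unsolicited "take-home assignment" repo might ship with.
SAMPLE_PACKAGE_JSON = """{
  "name": "coding-assessment",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node ./scripts/setup.js"
  },
  "dependencies": {
    "express": "4.18.2",
    "lodash": "^4.17.21",
    "helper-utils": "latest"
  },
  "devDependencies": { "jest": "29.7.0" }
}"""

SAMPLE_REQUIREMENTS = """requests==2.31.0
pyyaml>=6.0            # floating lower bound
git+https://example.invalid/org/tool.git   # unreviewed VCS source
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS):
        print(finding)
```

Run as a pre-install step in CI or a git hook and fail the job on any finding; an install hook in a repository nobody asked for is the point at which the "assignment" should be treated as hostile code rather than reviewed further.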

Why Businesses Should Be Concerned

Lazarus now ranks among the most serious cybersecurity threats any business faces. Any organization that holds money, data, or access to a larger target is in scope. The consequences land across the business.

  • Financial loss: direct theft and ransom demands that reach into the millions.
  • Data breaches: stolen customer records, credentials, and intellectual property.
  • Operational disruption: frozen systems and halted services after an intrusion.
  • Supply chain exposure: one compromised vendor opening a path to many victims.
  • Regulatory fallout: fines and reporting duties after a breach is disclosed.

Crypto platforms, healthcare providers, finance, and technology firms see the most activity, but small and mid-sized businesses sit within the blast radius. Lazarus often treats smaller companies as a stepping stone, using a single supplier to reach a larger enterprise. 

Because it operates as an advanced persistent threat, the group can sit quietly inside a network for months, mapping systems before it strikes. That patience makes detection hard and the eventual damage worse.

5 Ways Organizations Can Reduce Risk

In this context, layered defense lowers the odds and limits the damage when something slips through. The measures that matter are the ones tied to how Lazarus actually works.

  1. Vet remote hires and contractors
    North Korea now gets in through the hiring pipeline. Verify identity live on camera, flag VoIP phone numbers and forwarded-laptop addresses, and ask interview questions that cannot be scripted, like the local weather or a news event from that morning.
  2. Guard the developer supply chain
    Lazarus hides malware in npm and PyPI packages and in fake interview tasks. Pin dependencies, scan new packages before they reach a build, and treat any unsolicited recruiter “assignment” as hostile code.
  3. Protect transaction and signing workflows
    The Bybit theft hijacked a wallet interface. Confirm what you sign on a separate device and keep signing systems off the machines used for email and browsing.
  4. Require phishing-resistant MFA
    Spear phishing still opens most doors. Hardware security keys beat one-time codes that an attacker can relay in real time.
  5. Watch what leaves the endpoint
    Lazarus measures success by data and funds exfiltrated. Track outbound traffic against a threat intelligence feed and flag transfers that don’t fit the baseline.
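Step 5 says to flag transfers that do not fit the baseline, which only works if a baseline exists per endpoint. The script below is an added example written for this article (editor's code, not from the original post or from BlackFog): it builds a per-host baseline of daily outbound bytes and known destinations from a short history, then applies three rules to the current day's records: a host with no history at all, a destination the host has never talked to, and a daily volume above the mean plus z standard deviations (with a minimum ratio so a near-constant history does not alert on noise). The log format, hostnames and byte counts are constructed, and destinations use reserved documentation names and addresses.

```python
"""Baseline each endpoint's outbound volume and destinations, then flag what breaks it.

Added example (editor's code, not from the original post or any BlackFog product).
Log lines are constructed; each line is: date host destination bytes_out
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: four quiet days for two workstations.
HISTORY = """\
2025-06-01 ws-017 cdn.example.invalid 41000000
2025-06-01 ws-017 mail.example.invalid 3200000
2025-06-02 ws-017 cdn.example.invalid 38500000
2025-06-02 ws-017 mail.example.invalid 2900000
2025-06-03 ws-017 cdn.example.invalid 44200000
2025-06-03 ws-017 mail.example.invalid 3100000
2025-06-04 ws-017 cdn.example.invalid 40100000
2025-06-04 ws-017 mail.example.invalid 3000000
2025-06-01 ws-042 cdn.example.invalid 12000000
2025-06-02 ws-042 cdn.example.invalid 11500000
2025-06-03 ws-042 cdn.example.invalid 12800000
2025-06-04 ws-042 cdn.example.invalid 11900000
"""

# Constructed current day: ws-017 pushes ~2 GB to an address it has never used,
# ws-042 looks normal, and ws-099 has no history at all.
TODAY = """\
2025-06-05 ws-017 cdn.example.invalid 42000000
2025-06-05 ws-017 198.51.100.23 2100000000
2025-06-05 ws-042 cdn.example.invalid 12300000
2025-06-05 ws-099 203.0.113.9 5000000
"""


def parse(text: str) -> list[tuple[str, str, str, int]]:
    """Parse 'date host destination bytes' lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        records.append((parts[0], parts[1], parts[2], int(parts[3])))
    return records


def build_baseline(records) -> dict:
    """Per host: (mean daily bytes, population stdev of daily bytes, destinations seen)."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> date -> bytes that day
    dests = defaultdict(set)
    for date, host, dst, nbytes in records:
        daily[host][date] += nbytes
        dests[host].add(dst)
    baseline = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        baseline[host] = (mean(totals), pstdev(totals), dests[host])
    return baseline


def flag_anomalies(baseline: dict, records, z: float = 3.0, min_ratio: float = 1.5) -> list[dict]:
    """Rules: unknown host, unseen destination, daily volume above max(mean + z*sd, min_ratio*mean)."""
    alerts = []
    unknown_hosts = set()
    today_total = defaultdict(int)
    for date, host, dst, nbytes in records:
        if host not in baseline:
            if host not in unknown_hosts:  # one alert per host, not per line
                unknown_hosts.add(host)
                alerts.append({"host": host, "rule": "no-baseline", "detail": f"{nbytes} bytes to {dst}"})
            continue
        _, _, known = baseline[host]
        if dst not in known:
            alerts.append({"host": host, "rule": "new-destination", "detail": dst})
        today_total[host] += nbytes
    for host, total in today_total.items():
        avg, sd, _ = baseline[host]
        threshold = max(avg + z * sd, min_ratio * avg)  # min_ratio guards against sd ~ 0
        if total > threshold:
            alerts.append({"host": host, "rule": "volume", "detail": f"{total} bytes vs threshold {threshold:.0f}"})
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(build_baseline(parse(HISTORY)), parse(TODAY)):
        print(alert)
```

On the constructed data this raises three alerts: ws-017 for a new destination and for volume, and ws-099 for having no baseline. In practice the history window would be weeks rather than days, and the "new destination" rule is the one most worth tuning, since it is cheap to evaluate and catches staging to a previously unseen host before the volume rule trips.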

The Lazarus Group Is Growing

Lazarus started as a saboteur leaking Sony’s emails. It now runs like a state-owned crime business with revenue targets, and crypto theft pays the bills. The 2025 Bybit heist and the ransomware legacy of WannaCry are the same group twelve years apart, adapting faster than most of its targets. 

The newest front is the hiring pipeline and the wallet workflow, dressed up with deepfakes and stolen identities. The defense is to assume the breach, verify the people and packages you let in, and watch what tries to leave. 

That last step is where BlackFog Protect operates, blocking the unauthorized data transfers Lazarus depends on to get paid.

Why Data Exfiltration Prevention Matters

The Canvas attack highlights a critical reality facing organizations today: stopping malware is no longer enough.

Many security strategies focus on detecting threats, preventing ransomware execution, and recovering systems after an attack. However, when attackers successfully exfiltrate sensitive data, the damage often extends far beyond operational disruption.

Once data leaves the network, organizations lose control over how it is distributed, sold, or used for future extortion attempts.

For educational institutions, the consequences can be particularly severe. Exposure of student records and private communications can create regulatory obligations, legal liability, reputational harm, and long-term privacy concerns for affected individuals.

This is why organizations must shift their focus beyond detection and recovery and prioritize preventing unauthorized data movement before information leaves the network.

The Canvas breach serves as a reminder that a ransomware attack should not be measured solely by whether systems were encrypted. If attackers are able to steal terabytes of sensitive information, the damage may already be done.

The Most Frequently Asked Questions

Security leaders and teams tend to ask the same handful of questions about the Lazarus Group:

What are the best-known Lazarus Group attacks?

The Sony Pictures hack, the WannaCry ransomware outbreak, the Harmony Horizon Bridge theft, and the $1.5 billion Bybit crypto heist are the best known.

How does the Lazarus Group steal cryptocurrency?

It phishes exchange staff, plants malware through fake job offers, hijacks wallet transactions, then launders the proceeds across thousands of blockchain addresses.

What is the Lazarus Group?

It’s a North Korean state-sponsored hacking group, active since at least 2009, tied to the Reconnaissance General Bureau and known by aliases like APT38 and Hidden Cobra.

How does the Lazarus Group compare to APT41?

Both are elite nation-state actors. APT41 is Chinese and blends espionage with profit, while Lazarus focuses on large-scale financial theft. For sheer money stolen, Lazarus leads.

How does the Lazarus Group target software developers?

It uploads malicious packages to registries like npm and PyPI, disguised as developer tools, to backdoor anyone who installs them during fake interviews.
