North Korea's Lazarus Group is responsible for some of the most audacious cyber heists in history — from the $81 million Bangladesh Bank robbery to the $625 million Ronin Network crypto theft. Here's how a state-sponsored hacking operation became the world's most prolific financial criminal.
In February 2016, someone nearly stole $951 million from the central bank of Bangladesh. They got $81 million before a typo stopped them. The misspelling of "fandation" instead of "foundation" in one of the fraudulent transfer instructions made a Deutsche Bank compliance officer suspicious enough to pause the transaction. The remaining $870 million was blocked.
The near-perfect heist wasn't the work of sophisticated financial criminals in expensive suits. It was carried out by a group of hackers working for the government of North Korea — a country so economically isolated that it had apparently turned to cyber crime as a mechanism of state finance.
The group behind the Bangladesh Bank hack is known as Lazarus Group. In the decade since, they've evolved from an intelligence and disruption operation into something that has no real historical precedent: a government-sponsored organisation that funds a portion of its nation's nuclear weapons programme through cryptocurrency theft.
Who Is Lazarus Group?
Lazarus Group is the name given by cybersecurity researchers to a collection of hacking operations attributed to the Reconnaissance General Bureau, North Korea's primary intelligence agency. The group has been active in some form since at least 2009, when it was implicated in distributed denial-of-service attacks against South Korean and US government websites.
The US government formally attributed the Sony Pictures Entertainment hack of 2014 to Lazarus Group in a Department of Justice indictment unsealed in 2018. The Sony attack was remarkable for its destructiveness: hackers wiped thousands of computers, leaked gigabytes of embarrassing corporate emails, released unreleased films, published employees' personal information, and threatened violence in what appeared to be retaliation for the film "The Interview," a comedy depicting the fictional assassination of North Korean leader Kim Jong Un. Sony estimated damages at over $100 million.
But Sony, as devastating as it was, showed Lazarus Group operating primarily as an instrument of destruction and public embarrassment. The group's evolution into financial crime began around 2015-2016, when North Korea found itself under increasingly severe international sanctions that were squeezing its access to hard currency. The state-sanctioned pivot to cyber-enabled theft represented a creative — and remarkably effective — solution to that problem.
The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Lazarus Group and its known sub-groups. The FBI has issued public advisories attributing specific attacks. The DOJ has indicted three North Korean nationals believed to be members: Park Jin Hyok, Jon Chang Hyok, and Kim Il. None are in US custody.
The Bangladesh Bank Heist
The Bangladesh Bank heist remains the most audacious component of Lazarus Group's financial crime portfolio — if only because of the sheer scale attempted.
The attackers spent months inside Bangladesh Bank's systems before making their move. They observed how the bank used the SWIFT interbank messaging system — the global network that financial institutions use to communicate with one another and arrange transfers of funds. SWIFT is not a payment system itself; it's a messaging system. A SWIFT message saying "transfer $20 million from Bangladesh Bank's account at the Federal Reserve Bank of New York to account X at Bank Y in the Philippines" doesn't transfer money automatically. It initiates a process that results in a transfer. But if you can generate convincing SWIFT messages that appear to come from a legitimate sender, you can, in effect, instruct banks to move money on your behalf.
The attackers compromised the SWIFT messaging software on Bangladesh Bank's systems, altering it to suppress confirmation messages that would normally be printed by the bank's printer when transactions were processed. The goal was to prevent bank employees from noticing the outgoing transfer requests until it was too late.
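The defensive counterpart to that tampering is a reconciliation that does not trust the messaging workstation. The following is an added example, not code from the original article and not SWIFT software: it assumes a bank keeps an outgoing-instruction journal captured independently of the messaging host (for instance at the network gateway) plus the back-office confirmation log, and checks every outgoing instruction against both and against an internally approved payment ledger. The references, amounts, business hours and large-value threshold are all constructed.

```python
"""Independent reconciliation of outgoing payment instructions.

Added example, not from the original article or from SWIFT. It assumes
two records that tampered messaging software cannot both alter: (1) an
outgoing-instruction journal captured at the network boundary, and
(2) the confirmation log produced by the back office (printer or
acknowledgement store). Every outgoing instruction must have a
confirmation and a matching entry in the approved-payment ledger;
anything else raises an alert. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Instruction:
    ref: str            # transaction reference
    amount_usd: float
    beneficiary: str
    sent_at: datetime   # local time the instruction left the bank


# Constructed outgoing-instruction journal (gateway capture).
OUTGOING = [
    Instruction("TX1001", 2_500_000.0, "Supplier A", datetime(2016, 2, 3, 11, 5)),
    Instruction("TX1002", 20_000_000.0, "ACME Fandation", datetime(2016, 2, 4, 22, 40)),
    Instruction("TX1003", 30_000_000.0, "Beneficiary B", datetime(2016, 2, 4, 22, 41)),
]

# Constructed confirmation log: references the back office actually saw.
CONFIRMED = {"TX1001"}

# Constructed approved-payment ledger: ref -> (amount, beneficiary).
APPROVED = {
    "TX1001": (2_500_000.0, "Supplier A"),
}

BUSINESS_HOURS = (time(9, 0), time(17, 0))   # constructed
LARGE_VALUE_USD = 10_000_000.0               # constructed review threshold


def reconcile(outgoing, confirmed, approved,
              business_hours=BUSINESS_HOURS, large_value=LARGE_VALUE_USD):
    """Return a list of (ref, reason) alerts; an empty list means consistent."""
    alerts = []
    for ins in outgoing:
        # Suppressed confirmation: the journal saw it, the back office did not.
        if ins.ref not in confirmed:
            alerts.append((ins.ref, "no confirmation record"))
        # Instruction never approved internally, or altered after approval.
        entry = approved.get(ins.ref)
        if entry is None:
            alerts.append((ins.ref, "not in approved ledger"))
        elif entry != (ins.amount_usd, ins.beneficiary):
            alerts.append((ins.ref, "amount/beneficiary differs from ledger"))
        # Timing and size are weak signals on their own but cheap to flag.
        t = ins.sent_at.time()
        if not (business_hours[0] <= t <= business_hours[1]):
            alerts.append((ins.ref, "sent outside business hours"))
        if ins.amount_usd >= large_value:
            alerts.append((ins.ref, "large value"))
    return alerts


if __name__ == "__main__":
    for ref, reason in reconcile(OUTGOING, CONFIRMED, APPROVED):
        print(f"ALERT {ref}: {reason}")
```

The point of the design is that the journal and the confirmation log come from different systems, so suppressing printed confirmations on the messaging host leaves a visible gap rather than silence; the ledger comparison separately catches instructions that were never approved or whose amount or beneficiary changed after approval.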
On February 4, 2016 — a Thursday, chosen because Friday is a holiday in Bangladesh, Saturday is a holiday in the Philippines, and the Federal Reserve doesn't process transactions on weekends — the attackers sent 35 fraudulent SWIFT messages to the Federal Reserve Bank of New York, instructing it to transfer $951 million from Bangladesh Bank's account to accounts in the Philippines and Sri Lanka.
The Federal Reserve processed five of the 35 instructions before automated security checks flagged the rest as suspicious. The five processed instructions totalled approximately $101 million. Of that, $20 million directed to Sri Lanka was blocked because "fandation" in the instructions prompted questions. The remaining $81 million flowed to accounts in the Philippines, where it was rapidly withdrawn in cash and laundered through Manila casinos, which had an exemption from the Philippines' anti-money laundering laws.
Most of the $81 million was never recovered.
The hack prompted a global review of SWIFT security practices, a software update from SWIFT, and a reckoning about the vulnerabilities in the global financial messaging infrastructure. It also demonstrated that Lazarus Group had the capability and patience for sophisticated long-term operations against financial institutions.
The Sony Hack: A Different Kind of Operation
Before the financial crimes came the Sony hack — which illustrated a different dimension of Lazarus Group's capabilities and Kim Jong Un's government's willingness to use them.
In late 2014, Sony Pictures Entertainment was preparing to release "The Interview," a comedy in which two journalists are recruited by the CIA to assassinate Kim Jong Un. North Korea had formally protested the film, calling it an "act of war." The US government dismissed the protests.
On November 24, 2014, employees at Sony arrived to find their computer screens displaying a red skeleton with the message "Hacked by #GOP" (Guardians of Peace, a name the attackers gave themselves). What followed was one of the most destructive cyber attacks on a private company in history.
The attackers wiped the hard drives of approximately 70% of Sony's computers — rendering them unusable. They leaked four unreleased Sony films online. They published executives' salary information, embarrassing internal emails (including correspondence disparaging major film stars and discussing racially insensitive topics), personal information for thousands of Sony employees, and sensitive business plans.
They also issued threats against cinemas planning to show the film, leading several major theatre chains to pull it from their schedules before Sony temporarily cancelled the release.
The FBI attributed the attack to North Korea within weeks. Cybersecurity researchers examining the malware used in the attack found code overlaps with tools previously used against South Korean targets by groups tied to North Korean intelligence. The DOJ's 2018 indictment named Park Jin Hyok as one of the hackers involved.
The Crypto Theft Era
The period from 2017 onward represents a fundamental shift in Lazarus Group's operations. Bitcoin and other cryptocurrencies offered something that traditional bank fraud did not: a degree of pseudonymity in transactions and a mechanism to move money across borders without traditional correspondent banking relationships that could be frozen by sanctions.
North Korea recognised this opportunity early and pursued it aggressively.
WannaCry (2017): In May 2017, a ransomware attack spread globally in a matter of hours, encrypting hundreds of thousands of computers across 150 countries. The UK's National Health Service was severely disrupted — surgeries were cancelled, ambulances were diverted, medical records were inaccessible. The ransomware spread by exploiting a Windows vulnerability (stolen from the NSA) called EternalBlue. The US and UK governments publicly attributed WannaCry to North Korea. The ransom demanded was small — around $300 per computer in Bitcoin — and relatively little was collected. WannaCry was arguably more notable as a demonstration of destructive capability than as a revenue operation.
Cryptocurrency exchange attacks: From 2017 onward, Lazarus Group systematically targeted cryptocurrency exchanges across Asia and beyond. South Korean exchanges Bithumb, Youbit, and Coinrail were all attacked. Youbit ultimately declared bankruptcy after losing 17% of its assets. Chainalysis, the blockchain analytics firm that tracks cryptocurrency theft, has attributed over $1.7 billion in cryptocurrency theft to North Korea through 2022 alone.
The Ronin Network breach (2022): The single largest theft attributed to Lazarus Group — and among the largest in history — occurred in March 2022, when hackers compromised the Ronin Network, a blockchain bridge used by the popular crypto game Axie Infinity. By compromising five of the nine validator keys that secured the bridge, they were able to authorise fraudulent withdrawals totalling approximately $625 million in Ethereum and USDC. The theft wasn't discovered for six days — users noticed only when a player tried to withdraw funds and found the bridge empty.
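The Ronin figure of five of nine keys is a quorum rule, and the verifier that enforces it is worth seeing in full. The block below is an added example, not Ronin's or Axie Infinity's code. It models a k-of-n validator check in plain Python, standing in for validator public-key signatures with HMAC-SHA256 tags under per-validator secret keys (a simplification; a real bridge verifies on-chain signatures, but the quorum logic is identical). The validator names, keys, threshold and withdrawal request are constructed.

```python
"""Quorum check for a multi-validator bridge withdrawal.

Added example, not Ronin Network code. Models the k-of-n validator rule
the article describes (5 of 9). Validator signatures are stood in for
by HMAC-SHA256 tags under per-validator secret keys; a production bridge
uses public-key signatures, but the counting logic is the same. All
keys and requests below are constructed.
"""
import hashlib
import hmac
import json

N_VALIDATORS = 9
THRESHOLD = 5

# Constructed per-validator secret keys (stand-ins for signing keys).
VALIDATOR_KEYS = {
    f"validator-{i}": f"secret-key-{i}".encode() for i in range(N_VALIDATORS)
}


def canonical(request: dict) -> bytes:
    """Deterministic encoding so every validator signs identical bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign(validator_id: str, request: dict, keys=VALIDATOR_KEYS) -> tuple:
    """Return (validator_id, tag) over the canonical request."""
    tag = hmac.new(keys[validator_id], canonical(request), hashlib.sha256).hexdigest()
    return (validator_id, tag)


def count_valid_signers(request: dict, signatures, keys=VALIDATOR_KEYS) -> int:
    """Number of DISTINCT validators whose signature verifies over this request.

    A repeated signature from one validator counts once; signatures from
    unknown validators, or over a different request, count zero.
    """
    msg = canonical(request)
    seen = set()
    for validator_id, tag in signatures:
        key = keys.get(validator_id)
        if key is None:
            continue
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            seen.add(validator_id)
    return len(seen)


def authorize_withdrawal(request: dict, signatures,
                         keys=VALIDATOR_KEYS, threshold=THRESHOLD) -> bool:
    """True only when at least `threshold` distinct validators signed it."""
    return count_valid_signers(request, signatures, keys) >= threshold


if __name__ == "__main__":
    req = {"to": "0xCONSTRUCTED", "amount_wei": 10**18, "nonce": 42}
    sigs = [sign(f"validator-{i}", req) for i in range(5)]
    print(authorize_withdrawal(req, sigs))  # five distinct keys meet the quorum
```

Two consequences follow directly from the code. First, the threshold is the whole security margin: whoever controls `THRESHOLD` keys can authorise anything, so keys held by one operator or on one host are effectively one key. Second, the deduplication by validator identity matters, because a verifier that counted signatures rather than signers could be satisfied by one key's signature repeated five times.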
The FBI attributed the Ronin hack to Lazarus Group's sub-unit Bluenoroff. OFAC sanctioned the cryptocurrency mixer (a tool used to obscure the transaction trail) used to launder portions of the stolen funds.
How They Launder Stolen Cryptocurrency
The challenge Lazarus Group faces after stealing cryptocurrency is converting it into usable funds that can reach the North Korean government. Cryptocurrency, while pseudonymous, has a fully public transaction record — every movement of funds on a blockchain is visible to anyone who looks.
Blockchain analytics companies like Chainalysis and Elliptic have spent years tracking Lazarus Group's laundering operations, and the picture that emerges is sophisticated and multi-layered.
After theft, funds typically move through several stages. First, they're often exchanged for different cryptocurrencies to obscure the original transaction trail. Then they're routed through cryptocurrency mixers — services that pool multiple users' funds and output equivalent amounts to different addresses, making it difficult to trace which input corresponds to which output. OFAC has sanctioned several specific mixers, including Tornado Cash and Blender.io, specifically because of their use to launder North Korean-stolen funds.
After mixing, funds are exchanged for Bitcoin (which has the most liquidity) and gradually converted to cash through exchanges with weak or no know-your-customer requirements, peer-to-peer trading platforms, and intermediaries willing to accept cryptocurrency in exchange for hard currency. Chinese over-the-counter brokers have been identified as key conversion points.
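The two paragraphs above describe a chain of hops (swap, mixer, exchange off-ramp) on a ledger that is fully public, which is exactly what lets analysts follow the money. The block below is an added example, not Chainalysis or Elliptic code: it walks a constructed transaction graph outward from a theft address, propagates a proportional "taint" share through each hop, and reports the transfers at which tainted value first reaches a known mixer or exchange deposit address. The addresses, transactions, amounts and the mixer and exchange lists are all constructed.

```python
"""Hop-by-hop tracing of stolen funds on a public ledger.

Added example, not Chainalysis or Elliptic code. Taint propagates
proportionally: each outgoing transfer carries the same tainted share
as the sender's inflows (a textbook haircut rule). Transactions are
assumed to be in chronological order. Everything below is constructed.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed transaction log: (tx_id, from_addr, to_addr, amount, asset).
TXS = [
    ("t1", "bridge", "thief1",    1000, "ETH"),   # the theft itself
    ("t2", "thief1", "swap",      1000, "ETH"),   # swap ETH for another asset
    ("t3", "swap",   "thief2",     990, "DAI"),
    ("t4", "thief2", "mixerA",     500, "DAI"),   # half goes into a mixer
    ("t5", "thief2", "hop3",       490, "DAI"),
    ("t6", "clean1", "hop3",       510, "DAI"),   # unrelated clean funds join
    ("t7", "hop3",   "exchX-dep", 1000, "DAI"),   # exchange deposit address
]
THEFT_SEEDS = {"thief1"}            # addresses known to hold the stolen funds
MIXERS = {"mixerA"}                 # constructed stand-in for a sanctioned mixer
EXCHANGE_DEPOSITS = {"exchX-dep"}   # constructed exchange deposit address


def trace(txs, seeds, mixers, exchanges):
    """Propagate taint through txs.

    Returns (tainted_in, hops, touchpoints): tainted value received per
    address, hop distance from a seed, and every tainted transfer into a
    mixer or exchange deposit as (tx_id, addr, kind, asset, tainted, hop).
    """
    total_in = defaultdict(Fraction)
    tainted_in = defaultdict(Fraction)
    hops = {s: 0 for s in seeds}
    touchpoints = []
    for tx_id, src, dst, amount, asset in txs:
        if src in seeds:
            tainted = Fraction(amount)                    # fully stolen
        elif total_in[src] > 0:
            tainted = amount * tainted_in[src] / total_in[src]  # share of inflows
        else:
            tainted = Fraction(0)
        total_in[dst] += amount
        tainted_in[dst] += tainted
        if tainted > 0:
            # src carries taint, so it already has a hop distance.
            hops[dst] = min(hops.get(dst, hops[src] + 1), hops[src] + 1)
            kind = "mixer" if dst in mixers else "exchange" if dst in exchanges else None
            if kind:
                touchpoints.append((tx_id, dst, kind, asset, tainted, hops[dst]))
    return dict(tainted_in), hops, touchpoints


if __name__ == "__main__":
    _, _, points = trace(TXS, THEFT_SEEDS, MIXERS, EXCHANGE_DEPOSITS)
    for tx_id, addr, kind, asset, tainted, hop in points:
        print(f"{tx_id}: {float(tainted):.0f} {asset} tainted reached {kind} {addr} at hop {hop}")
```

The swap at `t2`/`t3` changes the asset but not the taint, which is why exchanging for a different cryptocurrency on its own obscures little; the mixer at `t4` is where a hop-based trace stops, which is why mixers rather than swaps were the sanctions target. The exchange deposit at `t7` is the off-ramp an investigator would serve a request on, and the proportional share (490 of the 1000 deposited) is the figure a freeze request would cite.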
The US government estimates that North Korea generates hundreds of millions to over a billion dollars per year through these operations. UN Panel of Experts reports have estimated that proceeds fund a substantial portion of North Korea's ballistic missile and nuclear weapons programme.
The Current Threat Landscape
Lazarus Group remains active. In 2023 and 2024, attacks on cryptocurrency platforms, DeFi (decentralised finance) protocols, and, increasingly, software supply chains were attributed to the group; the supply chain attacks were designed to compromise software development tools and distribute malicious updates to unsuspecting users.
Their techniques have evolved to include highly targeted spear-phishing campaigns aimed at cryptocurrency company employees — fake job offers, fake investment pitches, and fake technical assessments that, when interacted with, deliver malware onto the target's device.
The FBI has issued specific warnings to cryptocurrency companies about North Korean social engineering techniques, noting that the group researches targets extensively and crafts convincing personas on professional networking sites before making contact.
For individual cryptocurrency holders and DeFi users, the most relevant practical lesson from Lazarus Group's activity is the importance of hardware wallets — physical devices that store cryptocurrency private keys offline, making them inaccessible to remote attackers even if the user's computer is compromised — and extreme scepticism toward any investment opportunity or job offer that arrives unsolicited and involves cryptocurrency.
References:
- DOJ Indictment: North Korean Nationals Charged in Scheme to Steal $1.3 Billion, February 2021 — US government indictment and attribution
- FBI Flash: Theft of Cryptocurrency by North Korea-Linked APT (Lazarus Group), 2022 — FBI advisory on Ronin Network hack
- Chainalysis: North Korea Crypto Crime Report 2023 — Comprehensive tracking of DPRK crypto theft
- US Treasury OFAC: Sanctions on Lazarus Group and Tornado Cash — Sanctions designations
- UN Panel of Experts Report on DPRK: Cyber Operations funding weapons programme — UN assessment of North Korean cyber theft
- Wired: The Untold Story of the Sony Hack, 2014 — Detailed reporting on the Sony attack