The Lazarus Group is not a typical cybercrime operation. It is a division of North Korea’s Reconnaissance General Bureau — a military intelligence agency — that has been repurposed as a revenue generation unit for a sanctioned state. Its cryptocurrency theft operations are not opportunistic. They are systematic, industrialised, and directly connected to North Korea’s weapons of mass destruction programme.
Chainalysis estimated that DPRK-affiliated hackers stole over $1.7 billion in cryptocurrency in 2022 alone. Cumulative theft since 2017 exceeds $3 billion. To put that in context, North Korea’s total annual exports are estimated at under $100 million due to comprehensive sanctions. Crypto theft is not a side hustle. It is one of the regime’s primary revenue streams.
I have covered individual Lazarus operations — the $625 million Ronin Bridge hack, the laundering through ChipMixer and Tornado Cash, the OFAC wallet designations. But the individual cases do not capture the full picture. What makes Lazarus exceptional is not any single hack. It is the pipeline — the end-to-end operational model that connects a LinkedIn message to a nuclear warhead.
Stage 1: Reconnaissance and social engineering
Lazarus operations typically begin months before the theft. Operatives create convincing LinkedIn profiles — sometimes using stolen photographs and fabricated employment histories — and approach employees at target organisations. The targets are usually engineers, developers, or system administrators at crypto exchanges, DeFi protocols, or blockchain infrastructure companies.
The social engineering is sophisticated and patient. As the Ronin Bridge attack demonstrated, operatives will conduct multiple rounds of fake interviews over weeks, building trust before delivering the malware payload — typically a PDF or document file containing a backdoor.
Stage 2: Network intrusion and lateral movement
Once the initial foothold is established through the malware, Lazarus operators move laterally through the target’s internal network — a process that can take days or weeks. They are looking for private keys, seed phrases, or access credentials for hot wallets, bridges, or treasury management systems.
This is a traditional advanced persistent threat (APT) operation — the same methodology used by state-sponsored hackers targeting defence contractors or government agencies, applied to crypto infrastructure.
Stage 3: Theft
The actual theft is typically rapid. Once the necessary keys or credentials are obtained, the attackers authorise withdrawals as quickly as possible, often in the early morning hours of the target’s timezone. The Ronin theft — 173,600 ETH and 25.5 million USDC — was executed in a single session.
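The pattern described above, a single session draining a hot wallet in the early morning hours, is exactly what a custody control layer can be tuned to catch. The following is an added example, not code from the original article or from any exchange: a small withdrawal-policy check that requires multi-person approval above a size threshold, flags off-hours activity, and flags any session that moves more than a set share of the hot wallet. All thresholds, the business-hours window, and the sample withdrawals are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed policy values (assumptions, not any real exchange's limits).
HOT_WALLET_BALANCE_ETH = 200_000.0
SINGLE_TX_APPROVAL_THRESHOLD_ETH = 1_000.0   # above this, N independent approvals are required
SESSION_DRAIN_PCT = 0.10                     # flag a session that moves >10% of the hot wallet
BUSINESS_HOURS_UTC = range(8, 20)            # assumption: 08:00-19:59 UTC counts as business hours


@dataclass
class Withdrawal:
    tx_id: str
    session_id: str      # authenticated session that signed the withdrawal
    amount_eth: float
    ts: datetime         # timezone-aware timestamp
    approvals: int       # independent human approvals recorded for this withdrawal


def evaluate(withdrawals: List[Withdrawal], required_approvals: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (tx_id, reasons) for every withdrawal that violates policy or looks anomalous.

    Withdrawals are processed in time order so the per-session running total
    reflects what an operator would have seen as the session unfolded.
    """
    findings: List[Tuple[str, List[str]]] = []
    session_totals: Dict[str, float] = {}
    for w in sorted(withdrawals, key=lambda x: x.ts):
        reasons: List[str] = []
        # Control 1: large transfers need N-of-M human sign-off, not one stolen credential.
        if w.amount_eth > SINGLE_TX_APPROVAL_THRESHOLD_ETH and w.approvals < required_approvals:
            reasons.append("large withdrawal without required approvals")
        # Control 2: activity outside the organisation's working hours is a detection signal.
        if w.ts.astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
            reasons.append("outside business hours")
        # Control 3: velocity limit on how much one session may move out of the hot wallet.
        session_totals[w.session_id] = session_totals.get(w.session_id, 0.0) + w.amount_eth
        if session_totals[w.session_id] > HOT_WALLET_BALANCE_ETH * SESSION_DRAIN_PCT:
            reasons.append("session drains >10% of hot wallet")
        if reasons:
            findings.append((w.tx_id, reasons))
    return findings


# Constructed sample: one routine daytime withdrawal, then two large ones from a
# single session at 03:00 UTC, each carrying only one approval.
SAMPLE = [
    Withdrawal("tx-001", "sess-A", 50.0, datetime(2024, 3, 1, 14, 5, tzinfo=timezone.utc), approvals=1),
    Withdrawal("tx-002", "sess-B", 15_000.0, datetime(2024, 3, 2, 3, 12, tzinfo=timezone.utc), approvals=1),
    Withdrawal("tx-003", "sess-B", 9_000.0, datetime(2024, 3, 2, 3, 14, tzinfo=timezone.utc), approvals=1),
]

if __name__ == "__main__":
    for tx_id, reasons in evaluate(SAMPLE):
        print(tx_id, "->", "; ".join(reasons))
```

The third control is the one that matters most against a credential-theft scenario: a stolen key or session lets an attacker pass the first two checks only if the approval quorum has also been compromised, and a hard per-session velocity cap turns a total drain into a partial loss plus an alert. In practice the cap belongs in the signing service itself, not only in after-the-fact monitoring.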
Stage 4: Laundering
This is where the operation transitions from cybercrime to financial crime. The stolen funds enter a layering process designed to obscure their origin. Lazarus has used mixers (ChipMixer, Tornado Cash, Sinbad), chain-hopping (converting between different cryptocurrencies), and decentralised exchanges.
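Layering through mixers, swaps and fresh addresses is what the blockchain-forensics side of Stage 4 has to unwind, and the basic defensive primitive is an upstream exposure walk: starting from an address that is about to deposit into your venue, walk the transfer graph backwards a bounded number of hops and ask whether any counterparty on the path is a flagged entity. The following is an added example, not code from the original article or from any analytics vendor. The transfer ledger, the address labels and the flagged list are all constructed for illustration; a real screening system would pull these from chain data and a sanctions/intelligence feed.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed transfer ledger: (from_address, to_address, asset). Labels are made up.
# It traces one laundering path (theft -> mixer -> fresh address -> swap -> exchange
# deposit) alongside one unrelated, clean path.
TRANSFERS: List[Tuple[str, str, str]] = [
    ("0xVICTIM_BRIDGE", "0xATTACKER_1", "ETH"),
    ("0xATTACKER_1", "0xMIXER_POOL", "ETH"),        # deposit into a mixing contract
    ("0xMIXER_POOL", "0xFRESH_2", "ETH"),            # withdrawal to a never-used address
    ("0xFRESH_2", "0xDEX_ROUTER", "ETH"),
    ("0xDEX_ROUTER", "0xFRESH_3", "USDT"),           # asset swap ("chain-hopping" on one chain)
    ("0xFRESH_3", "0xEXCHANGE_DEPOSIT", "USDT"),     # lands on an exchange deposit address
    ("0xALICE", "0xBOB", "ETH"),                     # unrelated retail activity
    ("0xBOB", "0xEXCHANGE_DEPOSIT_2", "ETH"),
]

# Constructed flagged-entity list (assumption: stands in for a sanctions/intel feed).
FLAGGED: Dict[str, str] = {
    "0xATTACKER_1": "theft proceeds",
    "0xMIXER_POOL": "mixer (sanctioned)",
}


def build_reverse_graph(transfers: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each address to the addresses that sent it funds (edges reversed for backtracing)."""
    rev: Dict[str, List[str]] = {}
    for src, dst, _asset in transfers:
        rev.setdefault(dst, []).append(src)
    return rev


def upstream_exposure(deposit_addr: str,
                      transfers: List[Tuple[str, str, str]],
                      flagged: Dict[str, str],
                      max_hops: int = 5) -> Optional[Tuple[str, str, int]]:
    """Breadth-first walk backwards from deposit_addr.

    Returns (flagged_address, label, hops) for the nearest flagged counterparty
    within max_hops, or None if the bounded walk finds nothing.
    """
    rev = build_reverse_graph(transfers)
    seen = {deposit_addr}
    queue = deque([(deposit_addr, 0)])
    while queue:
        addr, hops = queue.popleft()
        if addr != deposit_addr and addr in flagged:
            return (addr, flagged[addr], hops)
        if hops >= max_hops:
            continue
        for src in rev.get(addr, []):
            if src not in seen:
                seen.add(src)
                queue.append((src, hops + 1))
    return None


def screen_deposit(deposit_addr: str,
                   transfers: List[Tuple[str, str, str]],
                   flagged: Dict[str, str],
                   max_hops: int = 5) -> str:
    """Turn exposure into an action: 'block' on direct exposure, 'hold' on indirect, else 'clear'."""
    hit = upstream_exposure(deposit_addr, transfers, flagged, max_hops)
    if hit is None:
        return "clear"
    return "block" if hit[2] == 1 else "hold"


if __name__ == "__main__":
    for addr in ("0xEXCHANGE_DEPOSIT", "0xEXCHANGE_DEPOSIT_2"):
        print(addr, screen_deposit(addr, TRANSFERS, FLAGGED), upstream_exposure(addr, TRANSFERS, FLAGGED))
```

Two design points follow from the article's argument. First, the walk treats the mixer pool as an ordinary node, so it proves exposure to a flagged mixer rather than provenance of the specific coins; that is the correct question for a compliance decision and also why mixer takedowns are such effective chokepoints. Second, the hop bound is a tuning knob, not a fixed truth: the same deposit that is flagged at five hops is "clear" at three, and an adversary who knows your bound will simply add addresses, so the bound should be paired with other signals (fresh-address age, swap patterns, deposit size) rather than used alone.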
Stage 5: Cash-out
The final stage converts cryptocurrency to fiat currency. Lazarus has used over-the-counter brokers, non-compliant exchanges (including Garantex), and — reportedly — front companies in China and Southeast Asia. The fiat currency is ultimately repatriated to North Korea through channels that remain largely opaque.
Why it is so hard to stop
The pipeline exploits a fundamental structural weakness: each stage falls under a different defensive domain. Stage 1 is a human resources and security awareness problem. Stage 2 is a cybersecurity problem. Stage 3 is a custody and key management problem. Stage 4 is an AML and blockchain forensics problem. Stage 5 is a sanctions enforcement problem.
No single organisation or discipline owns the entire chain. The CISO does not control the mixer. The compliance team does not control the phishing defence. And the sovereign actor at the end of the chain is beyond the reach of any single nation’s law enforcement.
The most effective interventions have been at Stage 4 — the takedowns of ChipMixer, Tornado Cash, and Garantex — because these are chokepoints where many operations converge. But the Lazarus Group has consistently adapted, moving to new mixers as old ones are shut down.
For the crypto industry, the implication is uncomfortable but clear: you are a target of a state military intelligence operation. Your security architecture, your employee training, your key management, and your incident detection capabilities need to be calibrated accordingly. The attacker is not a script kiddie. It is a government.