
The Lazarus Group, infamous in the crypto world, holds more bitcoin than Tesla, acquired through theft rather than purchase. Despite ongoing efforts to curb its activities, the group persistently targets legitimate exchanges and discovers unique vulnerabilities, all to bolster the Democratic People’s Republic of Korea’s (DPRK) weapons of mass destruction program.
This article is part of CoinDesk’s Most Influential 2025 list.
Lazarus stole $1.3 billion in cryptocurrencies in 2024. By mid-2025, it had already surpassed $2 billion in stolen funds, aiming to break its record for total thefts. Apart from direct theft, Lazarus employs privacy tools like mixers to launder stolen funds, making recovery challenging for governments or victims.
The crypto movement’s appeal lies in the ease of transferring funds without government interference — but this very feature benefits both lawful users and malicious actors. With Lazarus’ increasing sophistication in targeting exchanges and the persistent challenges the crypto industry faces in securing all vulnerabilities, this U.S. government-sanctioned group continues to conduct high-profile hacks.
In 2025 alone, Lazarus has been linked to two prominent incidents: the $1.5 billion hack of Bybit in February and the $36 million hack of Upbit in November. Its hacks have grown more sophisticated; for instance, the Bybit breach involved compromising a developer machine to manipulate a multisignature security interface and deceive a user. Lazarus adeptly uses crypto-native tools to transfer stolen funds.
The group has previously used mixers like Tornado Cash to move funds and to complicate tracing efforts by governments or investigators. THORChain has been pivotal for Lazarus in laundering funds stolen from Bybit.
Lazarus’ activities have attracted government scrutiny in the past, resulting in brief sanctions against Tornado Cash and a conviction for one of its developers, as well as previous recoveries of funds stolen by Lazarus. The latest hacks continue to raise international alarm, underscoring the need for the crypto industry to address these security challenges earnestly.
