For over a decade, the Lazarus Group—also known by names like APT38, Guardians of Peace, and Hidden Cobra—has relentlessly targeted global institutions. Believed to be state-managed and operating under North Korea’s Reconnaissance General Bureau, Lazarus has earned notoriety through high-profile cyberattacks, spear-phishing, zero-day exploits, and cryptocurrency heists.

Goals and Motivation: More Than Espionage
Unlike many state-backed cyber groups primarily focused on espionage, Lazarus is distinctly profit-driven. North Korea’s economy, heavily sanctioned and isolated, has leveraged cybercrime—particularly financially motivated attacks—to fund state programs, including nuclear and missile development.
From bank robberies via SWIFT attacks to crypto heists, Lazarus’s operations align with the regime’s pressing need for revenue. Their style blends long-term infiltration, stealth, and technical sophistication to maximize impact and evade detection.
Sony Pictures Hack (2014)
Perhaps Lazarus’s most well-known operation, the Sony Pictures breach, was conducted under the moniker Guardians of Peace. The group infiltrated Sony’s systems over months, stealing unreleased films, employee emails, and sensitive data. Total damage estimates range from $15 million to $85 million. Analysts believe the attack was partly driven by anger over “The Interview,” a comedy featuring a plot to assassinate Kim Jong-un.
Bangladesh Bank Heist (2016)
In a meticulously planned fraud, Lazarus attempted to siphon $951 million from Bangladesh Bank’s New York Fed account. Their success in capturing $81 million hinged on crafty tactics—such as disabling a printer used to record transactions. A typo (“Jupiter” vs. “Jupitor”) triggered a red flag that helped block much of the theft.
WannaCry Ransomware (2017)
The global ransomware epidemic reached critical mass in May 2017, as Lazarus deployed WannaCry, which spread using the NSA-leaked EternalBlue exploit. The attack encrypted hundreds of thousands of machines across 150 countries, severely impacting healthcare systems like the NHS and causing economically disastrous ripple effects. Estimates place overall damage in the billions, with attackers netting only around $150,000 in Bitcoin.
Persistent Evolution: From Banks to Crypto
Over time, Lazarus has refined its tactics. Kaspersky identifies distinct Lazarus units—such as Bluenoroff, which specializes in financial heists, and Bluenoroff’s subgroups responsible for SWIFT and crypto attacks.
Notably:
The group continues to operate under low-detection frameworks, using zero-day exploits, covert malware, backdoors, and evidence-evading techniques.
Their targets now range from government agencies and banks to biotech, academic research, container shipping, and cryptocurrency exchanges.
In February 2025, Lazarus executed the largest crypto exchange hack to date, stealing $1.5 billion in Ethereum from Bybit.

State Support and Talent Cultivation
Lazarus operates under robust state sponsorship: its hackers face no consequences in North Korea and are often rewarded with privileges like better housing and education benefits.
Recruitment begins early—bright students are chosen from as young as 11 and sent abroad (e.g., China and Russia) to gain “internet literacy” and advanced technical skills not available in highly restricted North Korean networks. They later return to serve in elite cyber units such as Bureau 121 and Lab 110.
Recklessly Resilient and Expansive
Lazarus’s activities differ from other state-sponsored groups through their boldness. They operate without fear of internal suppression or international norms. Their cyber operations are driven by ideological and financial motives, devoid of geopolitical restraint.
While other nations may curb their cyber actors under diplomatic pressure—as happened recently with Russian groups—North Korea continues unabated, fueled by regime support.
Global Response and Future Threat
The U.S. Department of Justice has indicted individuals like Park Jin Hyok and Jon Chang Hyok for Lazarus’s major cybercrimes, though arrests have been impossible due to their location in North Korea.
Despite international pressure—including U.S. sanctions and combined cybersecurity efforts by the U.S., South Korea, Japan, and others—Lazarus remains active and increasingly innovative.
The Road Ahead
The Lazarus Group has evolved into a hybrid actor: state-backed yet heavily profit-driven. From spear-phishing and ransomware to thefts from banks and cryptocurrency platforms, Lazarus consistently adapts and expands its footprint. With state sponsorship, early recruitment, and an unwavering regime backing their operations, there’s little indication this threat will diminish soon.
Given Lazarus’s demonstrated capabilities, resilience, and audacity, cybersecurity systems worldwide must remain vigilant. Organizations need multi-layered defense strategies, enhanced threat detection tools, and proactive threat intelligence to guard against a persistent adversary that’s unlikely to fade.
Final Thought
Lazarus offers a unique case study—it reveals how cyber proxies funded and directed by a sanctioned state can become some of the world’s most unrestrained and dangerous actors. Absent meaningful regime change or global consensus, their operations stand as a continuing menace to global infrastructure, finance, and public services.