Nation-State Actor

Lazarus Group

North Korea • Active since 2009

Lazarus is North Korea's top hacking team, and they're all about the money. They've stolen over $2 billion in cryptocurrency to fund the North Korean government. They also do espionage and have launched major destructive attacks, including the Sony Pictures hack and the WannaCry ransomware outbreak.

Overview

Lazarus Group is North Korea's most notorious hacking unit, responsible for some of the largest cyber heists in history. It has evolved from destructive attacks to financially motivated operations, stealing billions in cryptocurrency to fund the North Korean regime. The group is also behind major ransomware campaigns.

Also Known As

HIDDEN COBRA, Zinc, Diamond Sleet, APT38, Guardians of Peace

Target Industries

Cryptocurrency exchanges, Banks and financial institutions, Defense contractors, Entertainment, Energy, Blockchain and DeFi

Target Regions

Global, United States, South Korea, Japan

Tactics, Techniques & Procedures

  • Supply chain attacks on cryptocurrency software
  • Spear-phishing with trojanized applications
  • LinkedIn-based social engineering
  • Fake job interview scams targeting developers
  • Compromising DeFi protocols

Known Tools & Malware

AppleJeus, Manuscrypt, DTrack, ThreatNeedle, BLINDINGCAN, Various custom backdoors

Notable Campaigns

Sony Pictures Attack (2014)

Destructive attack that wiped Sony Pictures systems and leaked unreleased films.

Bangladesh Bank Heist (2016)

Attempted to steal $1 billion from Bangladesh Bank via SWIFT, netting $81 million.

WannaCry Ransomware (2017)

Global ransomware outbreak affecting 200,000+ computers in 150 countries.

Ronin Bridge Hack (2022)

Stole $620 million in cryptocurrency from the Ronin blockchain bridge.

MITRE ATT&CK Techniques

T1566 (Phishing), T1195 (Supply Chain Compromise), T1204 (User Execution), T1486 (Data Encrypted for Impact), T1547 (Boot or Logon Autostart Execution)

Defense Recommendations

  1. If handling cryptocurrency: implement hardware security modules
  2. Verify software downloads from official sources only
  3. Be extremely cautious with LinkedIn recruiter messages
  4. Keep SWIFT and financial systems on isolated networks
  5. Audit smart contract security before deployment

Related Threat Actors

Kimsuky, TEMP.Hermit, APT37