Lazarus Group
DPRK state-sponsored umbrella set associated with the Reconnaissance General Bureau. Mixes financially-motivated operations (including major cryptocurrency exchange thefts and SWIFT-network bank intrusions) with espionage and destructive operations such as the 2014 Sony Pictures intrusion and the 2017 WannaCry outbreak.
Aliases
Motivations
Target sectors
Target countries
Lineage & relationships
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Timeline
8 events
- Compromise · Critical · 2026-04-18 · TRM Labs
Lazarus / TraderTraitor steals $577M from Drift + KelpDAO inside three weeks
North Korean operators hit two DeFi protocols inside a seventeen-day window in April 2026: Drift Protocol on 1 April ($285M) and KelpDAO's LayerZero bridge on 18 April ($292M). The combined $577M, together with the February 2025 Bybit theft, drove North Korea's share of all cryptocurrency-hack value to 76% in 2026 through April per TRM Labs tracking — the highest single-actor concentration of crypto-theft attribution since continuous tracking began. Initial access for both incidents traced to the same TraderTraitor recruiter-persona social engineering of engineers at the victim ecosystem (a continuation of the DMM Bitcoin / Ginco LinkedIn-lure tradecraft pattern from 2024).
Tags: cryptocurrency, defi, social-engineering, dprk, supply-chain
- Compromise · Critical · 2025-02-21 · U.S. Federal Bureau of Investigation
Lazarus / TraderTraitor executes $1.5B Bybit heist — largest crypto theft in history
On 21 February 2025, North Korean operators tracked as TraderTraitor (assessed by FBI as Lazarus / APT38) transferred approximately $1.5B in Ethereum and ERC-20 tokens out of Bybit during a routine cold-wallet-to-hot-wallet rotation. The operation eclipsed the 2022 Ronin Bridge hack ($625M) as the single largest cryptocurrency theft on record. ZachXBT and subsequent FBI confirmation linked the wallets to the earlier Phemex, BingX, and Poloniex hacks attributed to the same cluster. The Bybit heist alone roughly tripled North Korea's running annual crypto take and forced a multi-week downstream response from cryptocurrency exchanges attempting to block onward laundering.
Tags: cryptocurrency, supply-chain, dprk, record-theft
- Announcement · High · 2024-12-23 · U.S. Federal Bureau of Investigation
FBI attributes $308M DMM Bitcoin theft to DPRK TraderTraitor
FBI, DC3, and Japan's NPA jointly attributed the May 2024 theft of 4,502.9 BTC (~$308M at time of theft) from Japanese exchange DMM Bitcoin to North Korean TraderTraitor activity, overlapping with Lazarus / APT38 reporting. The operation started with a LinkedIn-delivered fake pre-employment test targeting an employee at Ginco, DMM's wallet-software vendor; operators rode that access to manipulate a legitimate withdrawal request from a DMM employee. DMM ultimately announced closure following the loss.
Tags: cryptocurrency, supply-chain, attribution, japan
- Compromise · Critical · 2023-03-29 · Mandiant
3CX Desktop App supply-chain compromise
Trojanized installers of 3CX's desktop softphone application were distributed via 3CX's official channels. Multiple vendors attributed the operation to a Lazarus subcluster (UNC4736 / Labyrinth Chollima), with downstream second-stage targeting observed against cryptocurrency-related entities.
Tags: supply-chain, 3cx, cryptocurrency
- Compromise · Critical · 2022-03-29 · U.S. Department of the Treasury
Ronin Network bridge theft (~$620M)
An attacker drained the Ronin cross-chain bridge supporting the Axie Infinity game of approximately 173,600 ETH and 25.5M USDC — roughly $620M at the time. The U.S. Treasury subsequently linked the address to Lazarus Group.
Tags: cryptocurrency, bridge, ronin
- Compromise · Critical · 2017-05-12 · The White House
WannaCry global ransomware outbreak
Worm-propagating ransomware leveraging the EternalBlue SMB exploit infected over 200,000 systems in 150+ countries — most notably crippling parts of the UK NHS. The U.S., UK, Australia, and others publicly attributed the outbreak to the DPRK / Lazarus.
Tags: ransomware, wannacry, eternalblue
- Compromise · Critical · 2016-02-04 · BAE Systems Threat Research
Bangladesh Bank SWIFT heist
Attackers issued fraudulent SWIFT messages from Bangladesh Bank's account at the Federal Reserve Bank of New York, attempting transfers of nearly $1B and successfully moving $81M to accounts in the Philippines. Multiple analyses — including the BAE Systems / SWIFT joint report — link the tradecraft and tooling to Lazarus.
Tags: financial, swift, bangladesh-bank
- Compromise · Critical · 2014-11-24 · FBI
Sony Pictures Entertainment destructive intrusion
A destructive intrusion at Sony Pictures wiped large portions of the corporate network and leaked unreleased films, employee data, and executive correspondence. The U.S. government formally attributed the operation to North Korea.
Tags: destructive, sony, dprk
Indicators of compromise
1 indicator
| Type | Value | First seen | Source |
|---|---|---|---|
| Domain | WannaCry kill-switch domain (family: WannaCry). Discovery and sinkholing by a security researcher ("MalwareTech") on 12 May 2017 halted the ransomware's worldwide spread within hours of the outbreak. | May 11, 2017 | MalwareTech |
Related actors
Ranked by shared ATT&CK techniques:
- APT39 (IR · Iran): 3 shared techniques
- Evil Corp (RU · Russia): 3 shared techniques
- Gamaredon (RU · Russia): 3 shared techniques
- Mustang Panda (CN · China): 3 shared techniques
- Naikon (CN · China): 3 shared techniques
- Andariel (KP · DPRK): 2 shared techniques
References
Threat Intel Tracker. (2026-05-19). Lazarus Group — actor profile. Retrieved from https://threatintel.local/actors/lazarus-group