How North Korea Steals Crypto (Lazarus Group)
๐ 9 min read
Quick Answer
One of the most prolific thieves in financial history is not a person or a gang โ it is a nation-state. North Koreaโs state-backed Lazarus Group has stolen more than $6 billion in cryptocurrency since 2017, and in 2026 accounted for an estimated 76% of all crypto stolen worldwide. The UN says the money funds the regimeโs weapons and missile programs.
โ ๏ธ Why this matters
For most thieves, the goal is to get rich. For North Korea, crypto theft is national policy โ a way to sidestep global sanctions and finance a nuclear-armed state. That makes Lazarus uniquely persistent, well-resourced, and patient.
Who is the Lazarus Group?
Lazarus is an umbrella for North Korean state-sponsored hacking units (tracked by the US as TraderTraitor, and overlapping with names like APT38). Backed by the government, they operate with resources and patience ordinary criminals cannot match.
The scale
Cumulative crypto theft attributed to North Korea now exceeds $6 billion since 2017. Their share of global crypto-hack losses has climbed relentlessly: under 10% in 2020โ21, 22% in 2022, 39% in 2024, 64% in 2025, and roughly 76% in 2026 โ the highest on record.
Where the money goes
Multiple UN Panel of Experts reports conclude that North Korea uses stolen crypto to fund a significant share of its weapons programs, including ballistic missiles. Crypto theft has become a core tool for evading international sanctions.
How they get in
Their two main routes are social engineering (fake job offers and recruiters that trick employees into running malware) and supply-chain attacks (compromising the software or infrastructure a target depends on). The Bybit hack used the latter.
๐ Key takeaway
North Korea has turned crypto theft into state policy โ $6B+ stolen since 2017, ~76% of all 2026 crypto-hack losses, funding its weapons programs. Lazarus is patient, state-funded, and relentless.
What it means for you
Lazarus repeatedly targets Asian exchanges and users, and uses fake job offers aimed at crypto and tech workers across the region. Knowing their playbook โ especially the fake-recruiter scam โ is real-world protection for anyone working in or investing through Asian crypto.
Frequently asked questions
Why does North Korea steal crypto instead of money?โผ
Crypto can be stolen remotely, moved across borders instantly, and laundered to evade the sanctions that cut North Korea off from the traditional banking system. It is sanctions evasion at scale.
Is my personal wallet a target?โผ
Lazarus mostly targets large exchanges, bridges and crypto employees for maximum payoff, but their malware-laden "job offers" and fake apps can hit individuals too. Never run software or sign transactions from unsolicited contacts.
Who tracks all this?โผ
Blockchain-intelligence firms (TRM Labs, Chainalysis), the FBI, and the UN Panel of Experts document and attribute these thefts using on-chain analysis and intelligence.