Abstract
The Lazarus Group, a North Korean state-sponsored cyber threat actor, has become a significant player in cybersecurity. This case study examines the group’s cyber operations through a structured analysis of their techniques and tactics, which include social engineering, malware injection, disruption, evasion, and espionage. By progressing through these stages, the Lazarus Group combines human factor exploitation with technical prowess to execute high-impact campaigns, such as hacking, theft, and widespread disruption. This case classifies these campaigns into espionage, financial heists, and destructive operations, advancing North Korea’s strategic interests while exposing critical vulnerabilities in global cybersecurity. The analysis reveals how the interplay between human and organisational weaknesses, alongside systemic technical vulnerabilities, enables these large-scale cybercrimes. Key lessons are drawn from these operations, emphasising the necessity of addressing human and technical factors in cybersecurity frameworks. Furthermore, the case highlights the broader societal effects of cyberattacks, especially on critical infrastructure, and underscores the global impact of cybercrime. To counter such sophisticated threats, this study stresses the importance of international cooperation, cybersecurity awareness, and a comprehensive approach that addresses human and technical vulnerabilities.
Introduction
The Lazarus Group, a North Korean state-sponsored cyber threat actor, has become a significant presence in the constantly evolving digital security landscape (Gulyás, 2022; Kálnai, 2023; Shevchenko et al., 2018). This organisation’s notoriety arises from bold cyberattacks that impact global sectors, including financial institutions, cryptocurrency exchanges, and entertainment companies. Their operations display sophistication and adaptability that challenge traditional views of cybercrime, prompting a reassessment of digital threats. The group’s activities cover a wide range, including financial theft, espionage, destructive attacks, and cyber extortion. Their cyber security operations offer valuable insights into the complex nature of modern cyber threats.
At the heart of the Lazarus Group’s success lies their mastery of sophisticated spearphishing techniques. Kim et al. (2020) emphasise how this approach has become central to their operations. This reveals the significant vulnerability of human factors even in highly secure systems. The group’s shift towards cryptocurrency theft, shown by their involvement in over two dozen crypto hacks between 2020 and 2023, highlights the changing nature of financial crime in the digital era. O’Neill (2024) notes that these activities serve a dual purpose: generating revenue for the North Korean regime while bypassing international sanctions. This interconnection between state interests and cybercrime challenges established international law and diplomacy frameworks, blurring the boundaries between state-sponsored actions and criminal enterprises.
The Lazarus Group’s operations reveal the complex interaction between human error and technical exploitation in cybersecurity. The notorious Sony Pictures hack in 2014 is a clear example of how a well-crafted phishing email can lead to severe breaches. These activities caused financial damage and significant reputational harm (Baezner, 2018). Similarly, the bold Bangladesh Bank heist in 2016, which led to the theft of $81 million, exposed the weaknesses within global financial systems that can be skilfully exploited through social engineering and technical expertise (Gulyás, 2022). The WannaCry ransomware attack in 2017 further demonstrated the group’s capacity to wreak widespread havoc. Mitchell (2018) vividly describes how this attack paralysed systems across 150 countries, impacting critical infrastructure such as the UK’s National Health Service. This attack highlighted the potential for cyber operations to transcend digital boundaries and affect tangible services and human lives.
Beyond explaining the Lazarus Group’s technical capabilities, this case study provides insights into the human factors behind North Korea’s cyber operations. The nation’s political and economic isolation has created an environment where elite hackers are trained and deployed under strict government control, often without their consent (Park, 2022). This aspect complicates our understanding of the motivations and constraints operating within state-sponsored cyber threat actors.
Examining the complex web of the Lazarus Group’s operations raises critical questions about the future of cybersecurity, the need for international cooperation, and the ethical challenges of state-sponsored cyber activities. This case study illustrates the evolving nature of cyber threats and highlights the urgent need for a comprehensive, human-focused approach to cybersecurity in our interconnected world. The Lazarus Group’s actions not only test our technical defences but also compel us to confront the complex relationship between geopolitics, technology, and human factors in the digital age.
Overview of Lazarus Group
The Lazarus Group, a notorious Advanced Persistent Threat organisation, has become the focal point of intense scrutiny and analysis by cybersecurity experts, government agencies, and researchers worldwide since its emergence in 2009. This sophisticated cybercrime syndicate, widely linked to the North Korean government, has captured global attention through a series of high-profile cyber assaults that have reverberated across diverse sectors globally (Baezner, 2018; Falk and Ringenberg, 2018; Kim et al., 2020; O’Neill, 2024). A growing body of evidence points to the group’s affiliation with the North Korean government. This evidence suggests that the group operates as a state-sponsored entity. While not definitively proven, this connection is supported by circumstantial and direct evidence that paints a compelling picture of state sponsorship.
The group’s infamy stems from its involvement in landmark incidents that have left an indelible mark on the digital domain, such as the Sony Pictures Entertainment hack, the Bangladesh Central Bank heist, and the WannaCry ransomware attack (Bartlett, 2020; Kálnai, 2023). Such incidents highlight the group’s technical virtuosity and capacity to orchestrate complex, multi-layered cyber operations with far-reaching ramifications. The complex set of clues covers the organisational structure, goals, target selection, and technical traces, each piece reinforcing the evidence of state involvement.
At its core, the Lazarus Group is an arm of North Korea’s Reconnaissance General Bureau, a pivotal military intelligence division (Park, 2022). This affiliation provides crucial insight into the group’s underlying motivations and operational objectives. The group’s activities are not merely random acts of cybercrime but calculated manoeuvres aligned with the strategic interests of the North Korean regime. Furthermore, the group’s subunits, including APT37, APT38, and Bluenoroff, have been recognised by the U.S. Department of the Treasury as extensions of the Lazarus Group. This illustrates the complex and hierarchical nature of North Korean cyber operations (Bartlett, 2020; Kim et al., 2020). This sophisticated structure mirrors the organisation of state-sponsored intelligence agencies, lending credence to the theory of government backing.
The driving forces behind the Lazarus Group’s cyber activities are multifaceted and deeply intertwined with North Korea’s geopolitical and economic circumstances. Primarily, the group’s operations serve to circumvent the stringent international sanctions imposed on North Korea (Gulyás, 2022; Siers, 2017). These sanctions have severely constrained North Korea’s ability to generate revenue through conventional means. The circumstance then pushes the regime to explore alternative avenues for financial gain. In this context, cybercrime has emerged as a lucrative and relatively low-risk strategy for the cash-strapped regime to acquire much-needed foreign currency (Klinger, 2021).
The targets and motivations of the Lazarus Group’s attacks provide another layer of evidence supporting state sponsorship. The group has consistently targeted entities that align with North Korea’s geopolitical and economic interests. For instance, they have repeatedly attacked the South Korean government, military, and defence industry entities, as well as financial institutions and cryptocurrency exchanges (Kálnai, 2023; O’Neill, 2024). These targets suggest a level of strategic planning and intelligence gathering that is characteristic of state-sponsored cyber operations. The pattern of attacks reveals a focus on objectives that would benefit a nation-state rather than a purely profit-driven criminal enterprise.
Technical analysis of the Lazarus Group’s malware and attack infrastructure has yielded compelling evidence of North Korean involvement. Cybersecurity firms such as Symantec and Kaspersky have identified code overlap between malware attributed to the Lazarus Group and other North Korean cyber tools (Mitchell, 2018). This shared code suggests a common origin or resource pool indicative of state-level coordination. Additionally, researchers have traced the group’s attack infrastructure to internet protocol (IP) addresses in countries known to host North Korean cyber operatives, including China, Malaysia, and Indonesia (Baezner, 2018). These technical fingerprints link the group’s operations to North Korean state resources, further solidifying the connection.
The North Korean regime views cyber warfare as an ‘all-purpose sword’ that provides relentless offensive capabilities (Kálnai, 2023). This perspective emphasises the strategic importance of cyber operations in North Korea’s broader military and political calculus. The Lazarus Group’s activities, therefore, can be seen as an extension of North Korea’s asymmetric warfare strategy. These activities allow the regime to project power and influence disproportionate to its conventional military and economic capabilities (Stent, 2018). The group’s cyberattacks are characterised by their sophistication and adaptability. They employ diverse tactics, techniques, and procedures to infiltrate target systems and evade detection, including spear phishing, watering hole attacks, exploitation of zero-day vulnerabilities, and supply chain compromises (Park, 2022; Raska, 2020).
The Lazarus Group’s activities often blur the lines between state-sponsored cyber operations and organised cybercrime. Their attacks exhibit characteristics aligned with various threat actor profiles, including organised cyber criminals, nationalistic hacktivists, cyber vandals, and nation-state-backed entities (Mavroeidis et al., 2021). This polymorphic nature adds another layer of complexity to attributing and countering their operations. The impact of the Lazarus Group’s activities extends far beyond immediate financial losses or data breaches. Their operations can disrupt critical infrastructure, undermine trust in financial systems, and escalate geopolitical tensions.
While the evidence supporting the Lazarus Group’s state sponsorship is substantial, it is essential to note that definitive proof remains elusive due to the inherent challenges of cyber attribution. Falk and Ringenberg (2018) caution that correct attribution in cyberspace can be complex and somewhat circumstantial. The nature of digital operations allows for sophisticated obfuscation techniques, making absolute certainty a rare commodity. The cumulative weight of technical, operational, and geopolitical evidence, however, strongly suggests that the Lazarus Group operates with the support and direction of the North Korean government, making it one of the most prominent examples of state-sponsored cyber threat actors in the contemporary digital landscape.
Lazarus Cyber Operations Techniques and Tactics
The Lazarus Group has carved a niche in the digital underworld through its sophisticated and diverse cyberattack techniques. From social engineering to advanced malware deployment, the Lazarus Group’s arsenal spans various tactics carefully crafted to exploit vulnerabilities in technology and human behaviour, as can be seen in Figure 1. This arsenal can be viewed as a structured sequence of attack stages, beginning with social engineering as the initial point of entry, where human vulnerabilities are exploited to gain system access. Once access is obtained, the group escalates its efforts through malware injection, implanting malicious code that grants further control and enables persistent access. As the operation progresses, disruption tactics come into play, disabling the target’s critical functions to divert attention or inflict damage.
Figure 1. Network graph visualisation of Lazarus Group cyber operations.
Lazarus employs evasion and anti-forensics techniques to secure their presence and evade detection. These methods help the group maintain a foothold within the compromised system, concealing their activity by erasing traces and making forensic investigations difficult. This sequence of tactics ultimately serves the Lazarus Group’s overarching objective: achieving their espionage goals. In this final stage, the group capitalises on their established access to extract valuable information, whether for political, military, or financial advantage. Each stage, namely, social engineering, malware deployment, disruption, evasion and anti-forensics, and cyber espionage, represents a critical tactic in Lazarus Group’s repertoire, illustrating their adaptability and sophistication in executing state-sponsored cyber operations.
Social engineering
At the forefront of the Lazarus Group’s arsenal stands spearphishing, a targeted form of social engineering that has proven effective in their campaigns. Kim et al. (2020) emphasise the group’s reliance on this technique, which involves sending crafted emails containing malicious attachments or links. These digital lures serve as vectors for executing various malicious activities, from malware distribution to file deletion and corruption of master boot records. The sophistication of these spearphishing attempts is evident in their use of various file extensions to conceal malicious code. This technique highlights the group’s adeptness at evading detection mechanisms. It also exploits the human element in cybersecurity, often proving to be the weakest link in even the most fortified digital defences.
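The paragraph above notes that the group’s lures rely on file extensions that disguise executable content as documents. The following is an added defensive example, not code from the case study or from any of the cited sources: a mail-gateway style triage routine that flags the common disguises (a document extension followed by an executable one, a right-to-left override character, a padded name, and a file whose bytes do not match its claimed type). The sample attachments are constructed for this example; the magic bytes for PE and PDF files are the well-known public signatures.

```python
"""Triage e-mail attachments whose names or contents try to disguise
executable code as documents. Sample attachments are constructed."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Well-known file signatures ("magic bytes").
PE_MAGIC = b"MZ"        # Windows executables (PE format)
PDF_MAGIC = b"%PDF"     # PDF documents

# Extensions a recipient expects to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}


class Finding(NamedTuple):
    filename: str
    reasons: Tuple[str, ...]


def inspect_attachment(filename: str, content: bytes) -> Finding:
    """Return every reason an attachment looks like a disguised executable."""
    reasons: List[str] = []
    lowered = filename.lower()
    exts = [e.strip() for e in lowered.split(".")[1:]]   # everything after the first dot
    last = exts[-1] if exts else ""

    # 1. "invoice.pdf.exe": a document extension directly before an executable one.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("double-extension")

    # 2. Unicode right-to-left override (U+202E) reverses how the tail of the
    #    name is rendered, so "photo\u202egnp.exe" displays as "photoexe.png".
    if "\u202e" in filename:
        reasons.append("rtl-override")

    # 3. A long run of spaces pushes the real extension out of view in mail clients.
    if re.search(r"\s{5,}\.", filename):
        reasons.append("padded-name")

    # 4. The bytes disagree with the claimed document type.
    if last in DOCUMENT_EXTS and content.startswith(PE_MAGIC):
        reasons.append("content-is-executable")
    if last == "pdf" and not content.startswith(PDF_MAGIC):
        reasons.append("pdf-magic-mismatch")

    return Finding(filename, tuple(reasons))


def triage(attachments: Dict[str, bytes]) -> Dict[str, Tuple[str, ...]]:
    """Map each attachment name to its reasons; clean files map to an empty tuple."""
    return {name: inspect_attachment(name, data).reasons for name, data in attachments.items()}


# Constructed sample mailbox: one benign PDF and three disguised executables.
SAMPLE_ATTACHMENTS = {
    "quarterly_report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf.exe": PE_MAGIC + b"\x90\x00\x03\x00",
    "job_offer.docx": PE_MAGIC + b"\x90\x00\x03\x00",
    "photo\u202egnp.exe": PE_MAGIC + b"\x90\x00",
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {'clean' if not reasons else ', '.join(reasons)}")
```

The content check matters more than the name checks: a renamed executable passes every filename heuristic, but its first two bytes still read `MZ`. In a real gateway the signature table would be much larger and the decision would feed a quarantine rather than a print statement.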
The Lazarus Group’s operations also extend into psychological warfare and misdirection. Klinger (2021) notes their engagement in cyber-psychological warfare and the use of false flag operations to misdirect attribution efforts. This multifaceted approach to cyber operations shows the group’s awareness of the broader geopolitical landscape and their skill in using psychological tactics to enhance the effects of their technical attacks. The Lazarus Group adds further complexity to their powerful toolkit by shaping perceptions and creating confusion.
Malware development
Building upon this social engineering foundation, the Lazarus Group has expanded its repertoire to include more advanced techniques. O’Neill (2024) notes the group’s proficiency in deploying malware, conducting watering hole attacks, and exploiting zero-day vulnerabilities. This tactic diversification demonstrates the group’s ability to adapt to evolving cybersecurity landscapes and target various vulnerabilities in their victims’ systems. The group’s malware deployment strategies are noteworthy for their sophistication and effectiveness. Baezner (2018) explains the use of various malware families by the Lazarus Group, including the Castov malware for credential theft and backdoor installation, as well as the destructive Destover wiper malware. This diverse malware toolkit enables the group to maintain a persistent presence in compromised systems while evading detection, showcasing their technical prowess and strategic thinking.
The financial motivation behind many of the Lazarus Group’s operations has led to developing specialised techniques for monetary gain. Park (2022) describes the group’s involvement in ransomware attacks, digital bank heists, and cryptojacking schemes. The deployment of the virtual hard disk (VHD) ransomware strain exemplifies the group’s capacity to develop and utilise novel malware for financial extortion. Furthermore, Kim (2022) describes the group’s engagement in fraudulent bank transfers and attacks on cryptocurrency platforms, illustrating their adaptability to emerging financial technologies. This focus on financial targets demonstrates the group’s profit-driven motives and ability to navigate and exploit complex financial systems.
Supply chain attacks are another advanced tactic in the Lazarus Group’s toolkit. Kálnai (2023) notes the group’s propensity for trojanising open-source projects and performing software supply-chain attacks. This approach allows the group to compromise a wide range of targets by infiltrating trusted software distribution channels, which has proven particularly effective in bypassing traditional security measures. By targeting the supply chain, the Lazarus Group demonstrates a strategic understanding of maximising the impact of their attacks, potentially compromising numerous organisations through a single breach.
Disruption
In addition to these targeted attacks, the Lazarus Group has demonstrated proficiency in large-scale disruptive techniques. Distributed Denial-of-Service (DDoS) attacks feature prominently in their arsenal, showcasing a significant evolution in their capabilities. These attacks are intended to overwhelm target systems, causing widespread disruption and often serving as a smokescreen to divert attention from concurrent, more targeted intrusions.
Baezner (2018) describes how Lazarus has integrated DDoS tactics to temporarily disable critical infrastructure, revealing their growing expertise in exhausting network bandwidth to cripple target servers and obstruct essential online services. This strategic use of DDoS is often a preliminary phase, setting the stage for more complex manoeuvres (Baezner, 2018). Similarly, Gulyás (2022) discusses the Lazarus Group’s deployment of DDoS attacks as a high-impact method to disturb the operations of financial institutions and media outlets. This paper underscores the group’s inclination to apply DDoS not only as a disruptive tool but as a method to threaten sectors critical to national security and public trust (Gulyás, 2022).
O’Neill (2024) takes a broader perspective on Lazarus’s tactical use of DDoS attacks to overwhelm systems during coordinated attacks on banks, government services, and cryptocurrency exchanges. By launching intense traffic floods, these attacks can cause significant service outages, allowing Lazarus operatives to mask secondary operations such as data exfiltration or malware insertion under the guise of service disruptions (O’Neill, 2024). Huber et al. (2020) further explore the Lazarus Group’s use of IoT and other compromised devices in launching DDoS attacks, revealing how they can weaponise vast networks of vulnerable systems to amplify their attack capabilities. This research illustrates how Lazarus has effectively utilised compromised IoT devices to perform extensive, persistent DDoS campaigns that can destabilise both public and private networks, underscoring the sophistication and scale of their cyber operations (Huber et al., 2020).
Collectively, these studies highlight the Lazarus Group’s extensive capacity to orchestrate coordinated, large-scale DDoS attacks that can target specific sectors or cause widespread digital chaos, showcasing their ability to exploit vulnerabilities across entire networks or industries to fulfil their strategic objectives.
Evasion and anti-forensics
The technical sophistication of the Lazarus Group is further evidenced by their use of advanced evasion and anti-forensics techniques. Gulyás (2022) describes the group’s employment of commercially available protectors for their tools, anti-forensics techniques, and disk wipers to obliterate traces of their activities. This approach to covering their tracks complicates attribution efforts and hampers incident response and forensic analysis by targeted organisations. Such tactics reveal a deep understanding of forensic processes and a commitment to operational security that rivals advanced intelligence agencies.
Cyber espionage
In cyber espionage, the Lazarus Group has shown a habit of carrying out persistent and secretive operations. Raska (2020) outlines their use of watering hole attacks exploiting ActiveX vulnerabilities and targeted attacks on security and IT asset management systems. These techniques allow the group to maintain long-term access to high-value targets, facilitating ongoing intelligence gathering and data exfiltration. The group’s ability to blend legitimate tools with malicious intent is particularly noteworthy. Shevchenko et al. (2018) describe the Lazarus Group’s use of known malware tools like bitsran.exe and msmpeng.exe, designed to spread malicious payloads and establish persistence mechanisms. Using legitimate system tools for malicious purposes highlights the group’s cleverness in avoiding detection and blending into the target environment.
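The passage above describes payloads carried under the names of legitimate system tools, msmpeng.exe being the name of the Windows Defender engine process. One detection that does not depend on the payload’s contents is to check whether a well-known binary name is running from a directory where the genuine binary is never installed. The following is an added example, not code from the case study or from Shevchenko et al.: the expected-directory table and the sample process events are assumptions constructed for the example, and a real deployment would fill the table from a golden image or software inventory.

```python
"""Flag processes whose image name matches a well-known Windows binary but
which run from a directory where that binary is never installed.
Expected directories and sample events are constructed for this example."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set

# Where the genuine binaries live (assumed values for the example).
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "msmpeng.exe": {
        r"C:\Program Files\Windows Defender",
        r"C:\ProgramData\Microsoft\Windows Defender\Platform",
    },
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "explorer.exe": {r"C:\Windows"},
}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image_path: str      # full path of the executable that started
    parent_image: str    # executable that spawned it


def location_is_expected(image_path: str) -> Optional[bool]:
    """True/False for a tracked binary name, None for names we do not track."""
    path = PureWindowsPath(image_path)
    name = path.name.lower()
    if name not in EXPECTED_DIRS:
        return None
    parent_dir = str(path.parent).lower()
    for expected in EXPECTED_DIRS[name]:
        expected = expected.lower()
        # Accept the exact directory or a versioned subdirectory beneath it.
        if parent_dir == expected or parent_dir.startswith(expected + "\\"):
            return True
    return False


def flag_masquerading(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events where a tracked binary name runs from an unexpected place."""
    return [e for e in events if location_is_expected(e.image_path) is False]


# Constructed sample telemetry: two genuine Defender starts, one copy of the
# engine launched from a user-writable folder, and one untracked process.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Program Files\Windows Defender\MsMpEng.exe",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent("ws-02", r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2302-7\MsMpEng.exe",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent("ws-03", r"C:\Users\Public\Libraries\MsMpEng.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("ws-03", r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for e in flag_masquerading(SAMPLE_EVENTS):
        print(f"{e.host}: {e.image_path} (parent {e.parent_image})")
```

The parent image is carried in each event because it is the next thing an analyst wants: a Defender engine started by services.exe is normal, while the same name started from a user shell out of a public folder is the pattern worth escalating.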
Operation Dream Job is another cyber espionage campaign attributed to the Lazarus Group that targeted the defence, aerospace, government, and other sectors in the United States, Israel, Australia, Russia and India.[1] The attackers used fake job lures to trick victims into opening malicious documents, which led to the installation of malware on their systems. The campaign was part of a broader umbrella of operations, including Operation North Star[2] and Operation In(ter)ception,[3] which shared similar tactics, techniques and procedures (TTPs). Although Operation Dream Job was primarily associated with cyber espionage, the same lure was also one of the tactics the Lazarus Group used in the Indodax $20.5M heist,[4] where one of the exchange’s full-time employees was offered a highly paid freelance job; a new type of malware then infected the employee’s laptop and from there infiltrated the company’s server.[5]
The Lazarus Group’s sophisticated techniques form the backbone of various well-coordinated cyber campaigns. By systematically progressing through each stage, that is, social engineering, malware deployment, disruption, evasion, and espionage, the group leverages a comprehensive toolkit that enables both short-term impacts, such as financial theft or system disruption, and long-term objectives, such as intelligence gathering. These tactics are not only individually powerful but also synergistic, creating an adaptable framework for cyber operations that advance North Korea’s strategic and economic interests on a global scale. In the following section, we examine how these techniques serve as essential components within distinct types of cyber operations, each tailored to meet specific geopolitical, financial, and intelligence-driven goals.
Lazarus Cyber Attack Strategic Campaigns
The cyber operations of the Lazarus Group, a state-sponsored organisation associated with North Korea, encompass a complex and multifaceted strategy that can be synthesised into three primary categories: Espionage, Financial Theft, and Destructive Attacks. These categories reflect the diversity of their technical operations and the wide-ranging motives, both financial and political, behind their attacks.
Hack: Espionage in the shadows
The Lazarus Group’s hacking operations serve as the foundation for their more elaborate schemes, with espionage at the core of their activities. This state-sponsored cyber entity primarily targets political, military, and corporate entities to acquire sensitive information that bolsters North Korea’s geopolitical position. Espionage, far from being a mere byproduct of Lazarus’ criminality, is the beating heart of their operations, serving North Korea’s ambitions to gain leverage on the world stage. Lazarus uses spearphishing and social engineering to infiltrate important systems, aiming to steal information that can quickly boost the nation’s technology and military strength. This espionage, while less financially motivated than their other activities, is deeply intertwined with the regime’s political and military objectives, forming a crucial pillar of North Korea’s cyber strategy.[6]
The group’s espionage campaigns typically focus on acquiring intellectual property, trade secrets, or classified information from various industries such as defence, aerospace, and technology. These operations are carefully planned and executed, employing the same methods used in their financial theft operations: spearphishing attacks and sophisticated social engineering techniques. Unlike financial theft, where the goal is to steal monetary assets, however, espionage aims to gain access to critical information that North Korea can leverage to develop its technology or enhance its military capabilities (Raska, 2020). A prime example of this can be seen in the group’s attacks on defence contractors and governmental organisations, often stealing blueprints, defence technologies, and even missile system designs (Klinger, 2021). By acquiring these sensitive materials, the Lazarus Group helps North Korea bridge the technological gap with more advanced countries, ensuring that the regime can maintain its defensive and offensive capabilities in the global arena.
The Lazarus Group’s notoriety was cemented through high-profile attacks showcasing their technical prowess and audacity. The Sony Pictures hack in 2014, triggered by the release of the film ‘The Interview’, marked their rise as a formidable cyber threat (Campbell, 2017). This operation involved infiltrating Sony’s systems and leaking confidential emails, unreleased films, and sensitive employee data. The hack, in retaliation for the film’s content, employed wiper malware to destroy vast amounts of data, effectively paralysing the company’s operations for an extended period. In 2016, Lazarus executed a bold attack on Bangladesh Bank, manipulating the SWIFT network to initiate fraudulent money transfers (Francavilla, 2018). This strategy was later replicated in an attack on the Bank of Valletta in Malta, demonstrating the group’s ability to refine and reuse successful tactics.
The WannaCry ransomware attack of 2017 further highlighted the Lazarus Group’s technical capabilities and global reach (Hern and MacAskil, 2017). This operation exploited a vulnerability in Microsoft Windows, infecting computers worldwide and demanding Bitcoin ransoms. WannaCry was particularly notable for its ability to spread automatically from computer to computer without requiring users to click on malicious links. This auto-spreading feature, combined with the use of a stolen NSA exploit known as EternalBlue, made WannaCry one of the most feared cyberattacks of its time, demonstrating the group’s ability to weaponise sophisticated tools and techniques (Prevezianou, 2021).
During the 2018 Winter Olympics, the Olympic Destroyer hack exemplified the Lazarus Group’s use of sophisticated malware and false flag operations. This attack disrupted IT systems and created geopolitical confusion by masking the group’s true identity, demonstrating their ability to operate in complex geopolitical landscapes.[7] Additionally, the group’s 2020 hacks on cryptocurrency platforms such as KuCoin, Unibright, and CoinBerry further demonstrated their advanced technical expertise.[8] In the KuCoin hack, they breached exchange infrastructure, leveraging weaknesses in security protocols to access large amounts of digital assets. The Unibright hack involved a private key compromise, allowing them to drain funds from wallets, showcasing their ability to bypass traditional authentication mechanisms. The CoinBerry hack exploited vulnerabilities in the platform’s software, illustrating their capacity to infiltrate systems through weaknesses in coding and platform architecture.[9]
The stolen data acquired through these operations serves dual purposes for the North Korean regime. Beyond supporting military advancements, it also significantly leverages diplomatic exchanges (Bartlett, 2020). Access to classified information from other governments or corporations offers North Korea a considerable advantage in geopolitical negotiations, particularly in nuclear disarmament talks or trade agreements. This multifaceted approach emphasises the intricate web of cyber operations that serve financial and political agendas, highlighting the Lazarus Group’s role as a sophisticated arm of the North Korean state. Their activities blur the lines between cybercrime and state-sponsored espionage, presenting a complex challenge to international cybersecurity efforts and geopolitical stability.
Heist: Financial crimes in the digital age
At the centre of the Lazarus Group’s operations is a focus on financial gain, with cryptocurrency becoming a primary target in recent years. The group’s activities primarily target cryptocurrency exchanges, decentralised finance (DeFi) platforms, and high-value individuals. Their involvement in over 25 crypto hacks between 2020 and 2023 illustrates their expertise in exploiting digital assets[10] (Yun, 2024). This focus on cryptocurrency demonstrates the group’s ability to adapt to new financial technologies and exposes the weaknesses within these systems.
One of the most notable examples of their financial theft is the Bangladesh Bank attack, where they attempted to steal $1 billion and successfully transferred $81 million before being stopped (Zetter, 2016). A similar attempt involved €13 million ($14.7 million) from the Bank of Valletta; this attack reflected the group’s complex strategy, which combines theft, sabotage, and political coercion (Arena, 2023). These high-profile incidents reveal how the group targets flaws in traditional banking, elevating their activities beyond simple cybercrime to state-sponsored financial warfare.
Once assets are stolen, the Lazarus Group uses various money-laundering tactics to hide the origin of their funds. A key tool is Tornado Cash, a protocol that obscures the source of cryptocurrency by mixing it with other assets, complicating efforts to trace the funds back to their source[11] (Greig, 2024; Knight, 2024). This process often leads to P2P marketplaces like Paxful and Noones, where digital currency is converted into fiat, helping North Korea bypass sanctions and sustain its economy, highlighting challenges for regulators in the cryptocurrency age. Their technical skills are further demonstrated by the 2018 Cosmos Bank heist in India, where ATMs across 28 countries were manipulated to dispense cash, resulting in losses exceeding $14 million. This operation used cloned credit cards and money mules, showing the group’s ability to execute coordinated, multinational schemes.[12,13]
The 2020 CoinBerry hack is another example of their methods. By exploiting a software vulnerability, they stole $370,000 in Bitcoin and Ethereum, with the theft only becoming public during a lawsuit in 2022.[14] Similarly, their theft of $400,000 from Unibright team wallets by compromising private keys shows their tactics: accessing private keys or system flaws, followed by rapid movement of assets through decentralised exchanges. These cases illustrate the specific vulnerabilities in cryptocurrency platforms and the difficulties victims face in identifying and reporting breaches. One of their most significant thefts was the 2020 KuCoin hack, where the group stole over $300 million in digital currencies, later laundered through mixing services. This attack highlighted the vast scale of potential losses in cryptocurrency exchanges and the risks posed by state-sponsored actors in this space.[15]
Beyond the digital space, Macau is a key site for money-laundering and smuggling activities. The city’s gambling establishments have been used by North Korean operatives (Carvalho, 2017; Pomfret, 2017). Macau’s reputation as a gambling hub and its ties to organised crime make it a practical location for the group’s schemes.16
The 2024 hack of Indodax, one of Indonesia’s biggest crypto exchanges, which caused losses of $20.5M to $22M,17 shows another technique in their crypto asset heists. Instead of exploiting the hot wallet to gain access to the private keys, they compromised the signature machine responsible for authorising and verifying transactions.18 In addition, forensic investigation revealed an interesting fact: the attack originated from one of its engineers’ laptops, which had been infected by malware through Operation Dream Job. The malware was not detected by an antivirus scan, and it infected the Indodax server. This attack showcased their range of TTPs, from social engineering to zero-day malware and the compromise of critical systems.
The motivation behind these attacks goes beyond financial gain. They are driven by North Korea’s need to bypass international sanctions and fund its economy. By funnelling significant amounts of laundered money into the country, Lazarus plays a critical role in maintaining North Korea’s economic position despite sanctions. Their activities reflect a combination of financial gain and political objectives, complicating the efforts of law enforcement and regulatory bodies to distinguish between criminal and state-sponsored actions.
Havoc: Destruction as a means of power
While financial theft and espionage often drive the Lazarus Group’s cyber operations, their activities also extend to destructive attacks aimed at causing widespread disruption and damage. These attacks frequently target organisations or entities that conflict with North Korea’s interests, blending financial motives with political objectives. The group uses destructive attacks to send messages, exert control, or retaliate against perceived adversaries. Unlike theft or espionage, these operations aim to inflict damage rather than generate profit. They typically involve deploying malware or ransomware that destroys data or locks systems, crippling the victim’s ability to function. Such attacks can destabilise financial markets, cause panic, and lead to significant economic consequences for the targeted country or organisation.
The Sony Pictures attack in 2014 exemplifies the group’s approach to destructive operations. This attack went beyond financial damage, inflicting reputational harm and creating fear among companies that could be targeted for their stance against North Korea. The breach had a significant psychological impact on Sony’s employees, whose private information was exposed.19,20 Though driven by financial theft, the Bangladesh Bank attack also displayed elements of a destructive operation. The scale and sophistication of the attempt disrupted Bangladesh’s financial system, blurring the lines between financial and destructive motives. Much of the stolen money disappeared into the casino industry in the Philippines, illustrating the group’s methods for laundering funds.21
The 2017 WannaCry ransomware attack marked a turning point in cybercrime and remains one of the most impactful cyberattacks in history. The malware spread rapidly, locking data and causing widespread disruption globally, including to the UK’s National Health Service (NHS), where surgeries were cancelled and emergency patients were diverted. Affecting nearly 250,000 computers in over 150 countries, the attack raised questions about whether the true motive was financial or aimed at demonstrating North Korea’s cyber capabilities on a global scale.22 During the 2018 Winter Olympics in Pyeongchang, South Korea, a cyberattack known as ‘Olympic Destroyer’ targeted IT systems at the event. Initially attributed to North Korea, it was later revealed to be a Russian operation intended to frame Lazarus. This incident highlighted the complexities of international cyber warfare, where attribution is challenging, and misdirection adds further complications to cybersecurity efforts.23
Cyber extortion is another critical component of Lazarus Group’s destructive tactics (Shushan et al., 2021). The group uses ransomware to lock or encrypt victims’ data, demanding a ransom for the decryption key. These attacks typically infiltrate networks through phishing or software vulnerabilities. Once inside, the ransomware encrypts data, rendering it inaccessible until the ransom, often paid in cryptocurrency, is met. Victims include hospitals, financial institutions, and critical infrastructure entities that are particularly vulnerable to data loss and more likely to pay to avoid severe disruptions.
Overview of Lazarus Group’s Cyber Operations: Categories, Methods, and Motives.
Lessons Learnt from Lazarus Group Cyber Operations
The Lazarus Group’s cyber operations highlight the complex interplay between human factors and technical exploits, illustrating how these elements converge to enable large-scale cybercrimes. From high-profile incidents like the Sony hack and Bangladesh Bank heist to the widespread WannaCry ransomware attack, the Lazarus Group’s actions reveal that cybersecurity threats stem from vulnerabilities in human behaviour and sophisticated technical capabilities. This section explores lessons learnt from these attacks from two perspectives: human and organisational weaknesses and technical vulnerabilities. Each perspective includes an analysis of human factors – such as trust, awareness, and decision-making – and technical exploits, such as system flaws and malware deployment. While the sub-headings classify the attacks based on the primary entry points, each type reflects a combination of human and technical vulnerabilities. This dual approach reinforces that successful cyber defence must address both perspectives comprehensively to mitigate the full spectrum of modern cyber threats.
Human and organisational weakness
Human error and social engineering are frequent elements in Lazarus attacks, showing how cybercriminals often take advantage of psychological weaknesses rather than relying solely on sophisticated malware. The Sony hack is a clear example: hackers accessed the company’s systems through phishing emails, exploiting trust and curiosity. This incident illustrates how human error, such as misplaced trust or failure to recognise phishing, can lead to significant breaches.24,25 These attacks highlight the need for human-centred cybersecurity measures, including practical training and awareness programs.
Human and Organisational Weaknesses Exploited in Lazarus Group Cyber Operations.
Technical vulnerabilities
North Korea’s cyberattacks are driven by the country’s political and economic isolation, with the regime relying on cybercrime to bypass sanctions and fund its military programs. The regime trains elite hackers, often selecting the brightest students and controlling them through coercive means, including threats to their families. This system shows the complex human dynamics of state-sponsored cybercrime, where hackers often act under duress, reflecting the darker aspects of these operations.28,29
The WannaCry ransomware attack highlights the risks of automated malware and the impact of human negligence. Exploiting a vulnerability in Microsoft Windows, WannaCry spread across networks without user interaction. The attack’s scale was amplified by organisations failing to apply security patches, despite warnings from Microsoft. The Lazarus Group’s operations span multiple countries, showing that cybercrime crosses borders and often involves networks of human actors, such as money mules in financial thefts. The Bangladesh Bank heist involved laundering stolen money through casinos in the Philippines, illustrating how international financial systems can be manipulated. Addressing such crimes requires coordinated global efforts between governments, law enforcement, and cybersecurity experts. The broader impact of the Lazarus Group’s activities extends beyond financial loss. The WannaCry attack disrupted UK hospitals, leading to cancelled surgeries and emergency patient diversions, demonstrating how cyberattacks can affect public health and safety.
Technical Vulnerabilities Targeted by the Lazarus Group in Cyber Operations.
Conclusion
The Lazarus Group case study offers profound insights into the complex landscape of modern cybersecurity threats. It demonstrates the critical interplay between human vulnerabilities and advanced technical capabilities in facilitating large-scale cybercrimes. The group’s diverse operations, spanning financial theft, espionage, destructive attacks, and cyber extortion, highlight the multifaceted nature of cyber threats and their challenges to global security frameworks. The case emphasises the importance of a holistic approach to cybersecurity that addresses both technical vulnerabilities and human factors. It also emphasises the need for international cooperation in combating cyber threats that transcend national boundaries. As cyber operations evolve, the lessons drawn from the Lazarus Group’s activities serve as a crucial guide for policymakers, organisations, and individuals in fortifying their defences against sophisticated cyber threats.
Discussion questions
1. How does the Lazarus Group’s state-sponsored nature reshape our understanding of cyber threats and global power dynamics? Consider the implications for economic stability, technological competition between nations, and the evolving nature of geopolitical influence in the digital age.
2. Given the Lazarus Group’s exploitation of technical vulnerabilities and human factors, how might organisations and governments need to reconceptualise their approach to cybersecurity? What would a genuinely holistic cybersecurity strategy look like, and what challenges might arise in its implementation?
3. The Lazarus Group’s activities blur the lines between financial crime, espionage, and acts of war. How might this convergence of motives and methods necessitate reevaluating global security paradigms? Consider the potential impacts on international cooperation, intelligence sharing, and the role of private sector entities in national security.
4. What key lessons can be drawn from the Lazarus Group’s operations regarding the interplay between human and technical vulnerabilities? How can these insights inform future cybersecurity training and policy development to better prepare organisations against sophisticated, state-sponsored cyber threats?
Footnotes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the Faculty of Information Technology at Monash University and Action Lab, Australia.
