Nation-State high North Korea (DPRK)

Lazarus Group

North Korean state-sponsored (RGB) · Financial theft / espionage / sanctions evasion

Reports 1

Active Since 2009

Last Reported 21 May 2026

Sectors Targeted finance, legal-professional

Tactics, Techniques & Procedures (TTPs)

TraderTraitor LinkedIn fake job offer social engineering
Trojanised developer tools, npm packages, and GitHub repositories
Cryptocurrency exchange hot wallet targeting
SWIFT financial messaging system compromise
AppleJeus macOS malware for crypto platforms
Supply chain software poisoning

Known Targets

Cryptocurrency exchanges and DeFi platformsBanks using SWIFT messagingDefence contractorsLaw firms with digital asset clientsSouth Korean government and industry

Analyst Notes

Operates under North Korea's Reconnaissance General Bureau (RGB). Estimated $3B+ stolen in cryptocurrency since 2017, used to fund DPRK weapons programmes. WannaCry 2017 attributed to Lazarus. The Bybit exchange theft in February 2025 — $1.5 billion — is the largest single cryptocurrency theft on record, executed via a compromised Safe{Wallet} developer.

Also Known As

Hidden CobraZINCGuardians of PeaceUNC577Diamond Sleet

MITRE ATT&CK Techniques

T1566.002 Phishing: Spearphishing Link T1195.002 Supply Chain Compromise: Compromise Software Supply Chain T1204.002 User Execution: Malicious File T1486 Data Encrypted for Impact T1041 Exfiltration Over C2 Channel

Intelligence Reports

Briefing financelegal-professional

Lazarus Group Extends Cryptocurrency Targeting to UK Exchanges and Law Firm Custodians

North Korea's Lazarus Group has extended its cryptocurrency theft operations to UK-regulated digital asset exchanges and the law firms that provide custody and compliance services to crypto clients — combining financial theft with intelligence collection.

21 May 2026 · 5 min read