Connect with us

Hi, what are you looking for?



North Korean Hackers Have Stolen Over $3 Billion in Cryptocurrency: Report

Recorded Future calculates that North Korean state-sponsored threat actors are believed to have stolen more than $3 billion in cryptocurrency.

North Korea Kimsuky sanctioned

North Korean threat actors are believed to have stolen more than $3 billion in cryptocurrency to date, according to a report from threat intelligence firm Recorded Future.

Collectively tracked as the Lazarus Group, the North Korean hackers specialize in cryptocurrency-related intrusions, mainly relying on spear-phishing emails to trick victims into authorizing malicious scripts and downloading malware.

In 2021, the hackers were observed targeting the cross-chain bridges of cryptocurrency platforms, compromising validator keys used to sign transactions. Starting 2022, Lazarus was seen using strategic web compromise as the initial access vector, trojanized DeFi applications, a fake cryptocurrency application for Android, and supply chain compromise.

The stolen amounts, Recorded Future notes in a new report (PDF), have increased significantly over time, with 2023 believed to be the most prolific year for Lazarus.

In 2017, the group stole at least $80 million from various South Korean cryptocurrency exchanges, but is believed to have siphoned more than $1.7 billion in 2022, when it hit Ronin Network ($600 million), Harmony ($100 million), Qubit Finance ($80 million), and Nomad ($190 million), among others.

This year, the North Korean hackers were blamed for multiple highly profitable cryptocurrency heists, including the Atomic Wallet, Alphapo, CoinEx, CoinsPaid, and incidents.

Lazarus is believed to be responsible for a cyberattack on US-based enterprise software company JumpCloud, which provides an Active Directory replacement, likely to set up future attacks on the company’s cryptocurrency clients.

To move the stolen assets, the hackers have “developed an extensive money-laundering network” that includes cryptocurrency mixers and money mules.

Advertisement. Scroll to continue reading.

The US government has sanctioned three mixers (Blender, Tornado, and Sinbad) and tens of individuals for laundering billions in assets for the North Korean regime. Roughly half of the laundered money are believed to fund the country’s ballistic missiles program.

“North Korean threat actors also use the accounts and personal information of phishing victims to register verified accounts at trusted cryptocurrency exchanges where they can send the stolen cryptocurrency and cash out,” Recorded Future added.

Related: US Sanctions North Korean Cyberespionage Group Kimsuky

Related: FBI: 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers

Related: US Offers $10 Million for Information on North Korean Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.