Lazarus Group: North Korean hackers terrorizing the world - history, attacks and keys to their cyberpower
Joel Basanta
The Lazarus group is once again at the top of the news after Lord Draugr's viral video, but also for carrying out the biggest cyber robbery in history in 2025: $1.5 billion in cryptocurrency stolen from the Bybit platform. Considered the most dangerous, sophisticated and profitable hacker group on the planet, Lazarus has a history of attacks that ranges from global ransomware to the covert funding of the North Korean regime. Here you will find its history, modus operandi, most notable attacks, record figures and the keys to defending yourself.
What is the Lazarus group and why is it feared around the world?
Lazarus is a group of North Korean hacker units, formed, financed and controlled by the Kim Jong-un regime.
According to the BBC and international media, its main objective is to generate funds for the North Korean State, strengthen its strategic programs and evade international sanctions by resorting to global cybercrime.
In 2025, they broke all records: the assault on Bybit is now the biggest cryptocurrency theft in history, reinforcing North Korea as one of the world's leading bitcoin holders.
Evolution, specialization and “modus operandi”
Lazarus has gone from launching destructive cyberattacks with mass-spreading malware (MyDoom, WannaCry) to sophisticated ransomware campaigns, supply chain attacks and, above all, specialized thefts in the crypto and financial sector.
They use modular malware (MagicRAT, QuiteRAT), “zero-day” vulnerabilities, highly targeted spear-phishing, and watering hole attacks to compromise systems before security patches exist.
One of their most notable tactics is to compromise key employees of platforms or companies through social engineering, as happened with Axie Infinity, Bybit and other recent hacks of large exchanges and DeFi projects.
Most notorious attacks and record numbers
Bybit (2025): 1.5 billion dollars stolen in Ethereum, the largest crypto cyberattack in history.
Axie Infinity/Ronin Network (2022): More than 600 million dollars in a single operation, through control of the network's validator nodes.
Coincheck (2018): 534 million stolen from one of the largest Japanese exchanges.
WannaCry (2017): The ransomware that paralyzed healthcare systems and companies around the world.
Bank of Bangladesh (2016): $81 million stolen, with nearly $1 billion at stake; typographical errors in the transfer orders stopped the rest.
Attacks on Sony Pictures, attacks on South Korea, and global malware campaigns.
Especially in 2024-2025, they have launched campaigns attacking the supply chain and legitimate software, as well as new evasion, wiping and anti-forensic methods to go undetected and confuse attribution.
Financing a regime and geopolitical challenge
The Lazarus thefts don't just cause millions of dollars in losses to companies and platforms: according to TRM Labs, they reinforce North Korea's “war economy” and the country's weapons development.
The United Nations puts the resources the regime has obtained through hacks since 2021 in the billions of dollars, a cyberthreat that transcends economics to become a global security issue.
Lazarus core techniques
Custom and modular malware (MagicRAT, QuiteRAT, LPEclient), capable of escalating privileges and maintaining persistence.
Advanced spear phishing: highly personalized emails and messages aimed at key targets, exploiting human error.
Zero-day vulnerabilities and exploits: attacks launched before public patches exist.
Watering hole and supply chain attacks: distributing malware through legitimate websites or compromising software used by their targets.
Anti-forensics and the use of “false flags”: they manipulate the appearance of the malware to camouflage their authorship and avoid being tracked, changing tools, servers and methods.
Recent campaigns and evolution
SyncHole (2024-2025): a campaign against South Korea that combined watering hole attacks with the exploitation of a 0-day vulnerability in financial software that is mandatory in the country. Modularity, stealth and speed were the keys.
Malware in legitimate software: Lazarus attempts to compromise software vendors and steal source code, as in the attack on the 3CX supply chain and on encrypted web tools.
Innovations in data deletion and denial of service: malware such as KILLMBR, QDDOS and DESTOVER is tasked with rendering systems inoperative after the theft.
How to defend yourself against the Lazarus group?
Implement advanced multilayer defense and segment critical access (not just technologically, but by auditing employees and supplier chains).
Reinforce change control, rapid system updating and multifactor authentication.
Train the entire team regularly in phishing, social engineering and safe practices.
Audit third-party software, monitor abnormal activity and respond immediately to any incident.
Always check alerts from reference agencies (INCIBE, FBI, Europol).
🛡️ Request your free consultancy with Apolo Cybersecurity and prepare for the attacks of the most feared hacker group in the world
The Lazarus group confirms that the most sophisticated cybercrime of 2025 goes far beyond “viruses” or ransomware: it is a strategic tool of regimes, a global disruption and a permanent challenge for companies, citizens and States. Only resilience, collective intelligence and advanced protection will make it possible to defend against its constant evolution.