The Rising Threat of North Korean Cyberattacks on the Cryptocurrency Sector

North Korean cyberwarfare attacks on the cryptocurrency industry are growing in sophistication, as highlighted in a recent report by crypto firm Paradigm titled “Demystifying the North Korean Threat.” This alarming trend showcases an increase in both the complexity of attacks and the number of groups involved in these criminal activities.

According to the report, North Korea-originated cyberattacks encompass a broad spectrum of tactics, including assaults on cryptocurrency exchanges, social engineering attempts, phishing schemes, and intricate supply chain hijacks. Notably, some of these attacks can take up to a year to unfold, with North Korean operatives exercising patience as they meticulously plan their strategies.

The United Nations estimates that between 2017 and 2023, North Korean hackers managed to accrue an astonishing $3 billion through these cyber exploits. The scope of these attacks has escalated dramatically in 2024, highlighted by successful incursions into prominent exchanges such as WazirX and Bybit, which collectively yielded approximately $1.7 billion for the attackers.

Paradigm’s report identifies at least five key North Korean organizations involved in orchestrating these attacks: Lazarus Group, Spinout, AppleJeus, Dangerous Password, and TraderTraitor. In addition to these groups, there is a coalition of North Korean operatives who disguise themselves as IT professionals to infiltrate technology companies around the globe.

High-profile Attacks and Predictable Laundering Methods

The Lazarus Group, perhaps the most notorious of the North Korean hacking factions, is credited with some of the highest-profile cyberattacks since 2016, including the hacks against Sony and the Bank of Bangladesh. Their nefarious actions extend to the cryptocurrency sector, where they have executed high-stakes attacks on exchanges such as Youbit and Bithumb in 2017, and orchestrated the disastrous Ronin Bridge exploit in 2022, leading to hundreds of millions in lost assets. Their most infamous operation occurred in 2025 when they stole $1.5 billion from Bybit, sending shockwaves through the cryptocurrency community.

Furthermore, as noted by Chainalysis and other organizations, the Lazarus Group employs predictable money laundering tactics once they secure their hauls. They typically divide the stolen assets into smaller amounts and transfer them to numerous wallets, subsequently converting less liquid cryptocurrencies into more stable options like Bitcoin. In many cases, they retain these ill-gotten gains for extended periods until scrutiny from law enforcement wanes.

To date, the FBI has identified three alleged members of the Lazarus Group, indicting two in February 2021 for their involvement in global cybercrimes.

As the cryptocurrency industry continues to evolve, understanding and defending against these rising threats becomes increasingly critical. It is essential for stakeholders in the sector to remain vigilant and proactive in their cybersecurity measures, as the landscape of potential risks grows more complex and sophisticated with each passing day.
