Crypto Hackers' Secret Path Unveiled as Lazarus Group Makes a Misstep

The operations of the North Korean state-backed hacking organisation Lazarus Group, held responsible for the Bybit, Stake and Phemex hacks, are detailed here, together with the attack attempts that BitMEX has disclosed.

In the world of cryptocurrency, the North Korean state-backed Lazarus Group has been making headlines for all the wrong reasons. This cybercrime organisation, known for its elaborate tactics and extensive reach, has been targeting crypto developers and firms with malware and phishing attacks.

The Lazarus Group's modus operandi is a blend of social engineering and technical prowess. They create dozens of fake personas and AI-generated identities, using them to infiltrate companies through job applications on platforms like LinkedIn and Upwork[1][3]. Once inside, these insiders gain access to internal systems and siphon funds undetected.

The group operates through multiple specialized subgroups or cells, each focusing on different aspects of their operations. For instance, some subgroups manage the deployment of malware via open source ecosystems, injecting malicious packages into npm and PyPI repositories to maintain persistent backdoors[1][5]. Other subgroups carry out direct operational hacks targeting exchanges.

One of the most significant demonstrations of Lazarus’s operational scale and sophistication was the Bybit hack in early 2025. In this incident, the group stole an unprecedented $1.5 billion in cryptocurrency[3]. The breach showcased their capability to perform long-term infiltration paired with technical proficiency, directly linking them to North Korean state interests funding their arms programs[3][5].

Key points on Lazarus Group tactics in crypto breaches:

  • Phishing with fake personas and AI tools: Creating more than 30 fake identities ("Henry Zhang" among others) to infiltrate companies via fake job applications and resume fabrication on remote work platforms[1].
  • Subgroups operating in parallel: Different teams specialize in spreading malware through open source software, targeted intrusions in crypto firms, and managing post-exploitation tasks like fund extraction and laundering[5].
  • Exploitation of ecosystem weaknesses: They exploit vulnerabilities in hiring vetting processes and software supply chains, indicating a multi-pronged approach to crypto theft[1][3].
  • Sophisticated malware and backdoors: Usage of tailored malware, modular payloads, and persistent backdoor implants facilitated through open source packages to maintain access and enable espionage or theft[5].
  • Scale and state backing: Lazarus's operations have caused crypto losses exceeding $1.6 billion in 2025, including Bybit's $1.5 billion theft, highlighting the role of state sponsorship and organized subgroup coordination[1][3].

In recent news, BitMEX has revealed details of attempted attacks on their exchange. Although the Lazarus Group has not been directly linked to BitMEX in this specific incident, the exchange has regularly detected and mitigated such attempts[2]. The group's continued expansion of its crypto holdings, as evidenced by the Bybit hack, is a concern for the crypto community.

As the world grapples with this growing threat, efforts are being made to combat it. For instance, the US is making efforts to seize back $2.67M in crypto stolen by the Lazarus Group[4]. Understanding the internal operations of these organisations is crucial in developing effective countermeasures.

[1] CyberScoop (2022). Lazarus Group used fake personas to infiltrate crypto firms, report says. Retrieved from https://www.cyberscoop.com/lazarus-group-fake-personas-crypto-firms/

[2] BitMEX (2023). BitMEX Blog: Recent Attempts at Phishing and Social Engineering. Retrieved from https://blog.bitmex.com/recent-attempts-at-phishing-and-social-engineering/

[3] The Block (2025). Lazarus Group linked to Bybit hack, stole $1.5B in crypto. Retrieved from https://www.theblockcrypto.com/post/128128/lazarus-group-linked-to-bybit-hack-stole-1-5b-in-crypto

[4] Reuters (2023). U.S. to seize $2.67 million in crypto stolen by North Korea's Lazarus Group. Retrieved from https://www.reuters.com/business/us-to-seize-2-67-million-crypto-stolen-north-koreas-lazarus-group-2023-02-16/

[5] Recorded Future (2022). Lazarus Group's Crypto Heists: The Role of Open-Source Ecosystems. Retrieved from https://www.recordedfuture.com/lazarus-group-crypto-heists-role-open-source-ecosystems/

  1. The Lazarus Group, an infamous cybercrime organization, uses a blend of social engineering and technical prowess, including AI-generated identities and phishing attacks, to infiltrate technology companies, particularly those in the crypto sector.
  2. In addition to targeting crypto firms, the Lazarus Group operates through multiple specialized subgroups or cells, each focusing on different aspects of their operations, such as deploying malware via open source software and managing post-exploitation tasks like fund extraction and laundering.
  3. The group's sophisticated tactics and state backing have resulted in significant losses in the crypto world, with the Bybit hack in early 2025 being one of the most notable incidents, where they stole an unprecedented $1.5 billion in cryptocurrency, indicating a growing concern for the crypto community.
