Democratic People's Republic of Korea
State-sponsored cryptocurrency theft operations primarily conducted by the Lazarus Group, responsible for over $5.2 billion in stolen cryptocurrency since 2017.
- Active Wallets: 207
- Total Stolen: $5.20B
- Clusters: 11
- Active Alerts: 25
Bybit Exchange - $1.46B Stolen (Largest Crypto Hack Ever)
Lazarus Group has executed the largest cryptocurrency hack in history, draining 401,346 ETH ($1.46 billion) from Bybit's cold wallet through multisig UI manipulation. Funds are currently being dispersed across multiple wallets.
Executive Summary
North Korea has emerged as the most prolific nation-state actor in cryptocurrency theft, with DPRK-linked hackers stealing over $5.2 billion in cryptocurrency since 2017. These operations are primarily attributed to the Lazarus Group, a state-sponsored hacking collective that operates under the Reconnaissance General Bureau (RGB), North Korea's primary intelligence agency.
2024-2025 Attack Pattern: Lazarus has shifted focus to exploiting multisig wallet implementations and UI manipulation attacks on major exchanges, culminating in the historic $1.46B Bybit hack in February 2025.
Key attack vectors:
- Cross-chain bridge exploits (Ronin, Harmony, Orbit)
- Multisig/Safe UI manipulation attacks
- Social engineering via fake job offers
- Supply chain attacks (TraderTraitor, AppleJeus)
Laundering techniques:
- Tornado Cash (pre-sanction stockpiles)
- THORChain cross-chain swaps
- YoMix & eXch mixers
- Peel chains and rapid dispersion
The stolen funds ultimately support North Korea's nuclear and ballistic missile programs, with the UN estimating cryptocurrency theft provides up to 50% of DPRK's foreign currency earnings.
Major Incidents (11 confirmed)
| Incident | Method | Date | Victim | Victim Type | Amount | Status | Attribution |
|---|---|---|---|---|---|---|---|
| Bybit Cold Wallet Hack (NEW) | Cold wallet multisig UI manipulation | 2025-02-21 | Bybit Exchange | Cryptocurrency Exchange | $1.46B | ACTIVE | confirmed |
| Ronin Bridge Hack | Validator key compromise via social engineering | 2022-03-23 | Ronin Network / Axie Infinity | Blockchain Bridge | $620.00M (+$30.00M recovered) | LAUNDERING | confirmed |
| DMM Bitcoin Hack | Private key compromise | 2024-05-31 | DMM Bitcoin Exchange | Cryptocurrency Exchange | $308.00M | LAUNDERING | confirmed |
| WazirX Hack | Multisig Safe UI manipulation | 2024-07-18 | WazirX Exchange | Cryptocurrency Exchange | $230.00M | LAUNDERING | confirmed |
| Poloniex Hack | Hot wallet compromise | 2023-11-10 | Poloniex Exchange | Cryptocurrency Exchange | $125.00M | LAUNDERING | confirmed |
| Harmony Horizon Bridge | Multisig compromise (2-of-5) | 2022-06-23 | Harmony Protocol | Blockchain Bridge | $100.00M | LAUNDERING | confirmed |
| Atomic Wallet Hack | Software supply chain compromise | 2023-06-03 | Atomic Wallet Users | Desktop Wallet | $100.00M | LAUNDERING | confirmed |
| HTX/Heco Bridge Hack | Simultaneous hot wallet and bridge attack | 2023-11-22 | HTX Exchange / Heco Bridge | Exchange & Bridge | $99.00M | LAUNDERING | confirmed |
| Orbit Chain Hack | Bridge multisig compromise | 2024-01-01 | Orbit Chain | Blockchain Bridge | $82.00M | LAUNDERING | confirmed |
| CoinEx Hack | Hot wallet key compromise | 2023-09-12 | CoinEx Exchange | Cryptocurrency Exchange | $54.00M | LAUNDERING | confirmed |
| Stake.com Hack | Hot wallet private key leak | 2023-09-04 | Stake.com Casino | Crypto Casino | $41.00M | LAUNDERING | confirmed |
DPRK Wallet Clusters
| Cluster | Cluster ID | Total Volume | Wallets |
|---|---|---|---|
| Ronin Bridge Cluster | DPRK-RONIN-2022 | $620.00M | 86 |
| Harmony Horizon Cluster | DPRK-HARMONY-2022 | $100.00M | 42 |
| Atomic Wallet Cluster | DPRK-ATOMIC-2023 | $100.00M | 156 |
| CoinEx Hot Wallet Cluster | DPRK-COINEX-2023 | $54.00M | 38 |
| Stake.com Cluster | DPRK-STAKE-2023 | $41.00M | 24 |
| Poloniex Hot Wallet Cluster | DPRK-POLONIEX-2023 | $125.00M | 52 |
Threat Actors
Lazarus Group
HIGH CONFIDENCE (FBI, CISA, DOJ)
Also known as: HIDDEN COBRA, Guardians of Peace, APT38, BlueNoroff, Stardust Chollima, Zinc, Diamond Sleet
Primary North Korean state-sponsored hacking group responsible for cryptocurrency heists exceeding $3 billion since 2017. Operates under the Reconnaissance General Bureau (RGB).
- Estimated Volume: $3.50B
- First Observed: 2009
- Active Wallets: 127
- Last Activity: 2025-02-20
- Primary Targets: 5 categories
APT38 / BlueNoroff
HIGH CONFIDENCE (FBI, NSA)
Also known as: BlueNoroff, Stardust Chollima, Sapphire Sleet, CryptoCore
Financially motivated subset of Lazarus, focused on cryptocurrency theft and banking fraud. Specializes in social engineering attacks targeting crypto employees.
- Estimated Volume: $1.10B
- First Observed: 2014
- Active Wallets: 43
- Last Activity: 2025-02-18
- Primary Targets: 4 categories
Andariel / Silent Chollima
HIGH CONFIDENCE (FBI)
Also known as: Silent Chollima, Onyx Sleet, PLUTONIUM, DarkSeoul
RGB-affiliated group involved in ransomware operations and cryptocurrency extortion. Also known to target healthcare and defense sectors.
- Estimated Volume: $200.00M
- First Observed: 2015
- Active Wallets: 15
- Last Activity: 2025-01-30
- Primary Targets: 4 categories
Kimsuky
HIGH CONFIDENCE (CISA, NSA)
Also known as: Emerald Sleet, Velvet Chollima, Black Banshee, APT43, Thallium
North Korean espionage group that has expanded into cryptocurrency theft. Known for targeting South Korean crypto exchanges and researchers.
- Estimated Volume: $150.00M
- First Observed: 2012
- Active Wallets: 22
- Last Activity: 2025-02-10
- Primary Targets: 4 categories
Designated Wallets
21 addresses tracked

| Address | Chain | Entity | Cluster | Received | Source |
|---|---|---|---|---|---|
| | ethereum | Lazarus Group - Ronin Primary 2022-04-14 | DPRK-RONIN-2022 | $620.00M | ofac |
| | ethereum | Lazarus Group - Ronin Layering 1 2022-04-22 | DPRK-RONIN-2022 | $180.00M | ofac |
| | ethereum | Lazarus Group - Ronin Layering 2 2022-04-22 | DPRK-RONIN-2022 | $125.00M | ofac |
| | ethereum | Lazarus Group - Harmony Primary 2023-04-24 | DPRK-HARMONY-2022 | $100.00M | ofac |
| | ethereum | Lazarus Group - Harmony Layering 2022-06-25 | DPRK-HARMONY-2022 | $45.00M | research |
| | ethereum | Lazarus Group - Atomic ETH Primary 2023-06-05 | DPRK-ATOMIC-2023 | $35.00M | fbi |
| | bitcoin | Lazarus Group - Atomic BTC Primary 2023-06-05 | DPRK-ATOMIC-2023 | $28.00M | fbi |
| | tron | Lazarus Group - Atomic TRX Primary 2023-06-05 | DPRK-ATOMIC-2023 | $22.00M | fbi |
| | ethereum | Lazarus Group - CoinEx Primary 2023-09-12 | DPRK-COINEX-2023 | $28.00M | research |
| | ethereum | Lazarus Group - Stake Primary 2023-09-06 | DPRK-STAKE-2023 | $25.00M | fbi |
| | ethereum | Lazarus Group - Poloniex ETH 2023-11-11 | DPRK-POLONIEX-2023 | $56.00M | research |
| | tron | Lazarus Group - Poloniex TRX 2023-11-11 | DPRK-POLONIEX-2023 | $42.00M | research |
| | ethereum | APT38 - HTX/Heco Primary 2023-11-23 | DPRK-HECO-2023 | $50.00M | research |
| | bitcoin | Lazarus Group - DMM BTC Primary 2024-06-15 | DPRK-DMMBIC-2024 | $125.00M | fbi |
| | bitcoin | Lazarus Group - DMM BTC Secondary 2024-06-01 | DPRK-DMMBIC-2024 | $95.00M | research |
These addresses include OFAC-designated wallets and FBI-identified addresses. Transactions with these addresses may violate U.S. sanctions laws.
Integrate DPRK Threat Data
Access North Korea threat intelligence via our free API
```bash
curl -X GET "https://api.nsctip.com/v1/nations/north-korea" \
  -H "X-API-Key: YOUR_API_KEY"
```