Lazarus Group: Inside North Korea's $6.75B Crypto Theft
North Korean state hackers account for 76% of 2026's crypto hack losses. Here's how the Lazarus Group operates and what makes these attacks different.
North Korea's Lazarus Group has stolen more cryptocurrency than any other entity in history. TRM Labs attributed 76% of all crypto hack losses in 2026 — through April — to DPRK-linked actors, with the cumulative total since 2017 now exceeding $6.75 billion. The Bybit hack in February 2025 added $1.5 billion alone. The Drift Protocol attack in April 2026 added $285 million more. These are not opportunistic smash-and-grabs. They are the output of a disciplined intelligence operation with a single mission: fund North Korea's weapons program through systematic theft from the crypto industry.
From Exchange Raids to Protocol Infiltration
The group's early campaigns targeted centralized exchanges — Bithumb, Youbit, and Coincheck — between 2017 and 2019, netting hundreds of millions through credential theft and administrative account compromise. The methods were relatively direct: spear-phishing, credential stuffing, and exchange-level system intrusions that exploited weak internal access controls.
The escalation came when Lazarus shifted focus to DeFi bridges and protocols. Ronin Network, the Ethereum sidechain backing Axie Infinity, lost $625 million in March 2022 after attackers compromised five of nine validator private keys through a months-long targeted phishing operation. Harmony's Horizon Bridge lost $100 million three months later through a similar multisig key compromise. The shift was deliberate: DeFi bridges hold concentrated pools of assets secured by a small number of signing keys, and getting those keys requires targeting the engineers who hold them — not finding a bug in the code.
The attack surface moved from code to people. Smart contract audits, regardless of quality, do not protect against an attacker who already controls the administrator's keystore.
| Year | Target | Loss | Primary Method |
|---|---|---|---|
| 2022 | Ronin Network | $625M | Validator key phishing |
| 2022 | Harmony Horizon | $100M | Multisig key theft |
| 2023 | Atomic Wallet | $100M | Malware |
| 2024 | DMM Bitcoin | $308M | Private key theft |
| 2025 | Bybit | $1.5B | Social engineering + signing |
| 2026 | Kelp DAO | $292M | Bridge message forgery |
| 2026 | Drift Protocol | $285M | Six-month social engineering |
The escalation in individual incident size tracks the shift from technical exploits toward targeting signing authority. The bridge-side mechanics behind the Kelp DAO attack — specifically how forged cross-chain messages bypassed verification — are covered in DeFi Bridge Exploits.
The 2026 Playbook: Six Months to Drain $285 Million
The Drift Protocol hack, disclosed in April 2026, is the clearest example of how Lazarus now operates at scale. The drain of $285 million took roughly 12 minutes to execute. The preparation took six months.
The operation started in fall 2025 with a sustained social engineering campaign targeting Drift's protocol signers and administrative personnel. Investigators described direct engagement over several months, including in-person interactions. Attackers did not search for a vulnerable line of code. They built enough familiarity with key personnel to position themselves for signing authority when the moment came.
Two techniques appear repeatedly across 2026 incidents:
- ClickFix: Attackers pose as colleagues or technical support during fake online meetings. When a victim encounters an apparent problem — a video call that won't load, a document that fails to open — they're prompted to paste a command into their Mac terminal to resolve it. The command installs malware that grants remote access to corporate systems and private key stores.
- Fake recruiter campaigns: Lazarus-linked operatives have applied for remote engineering roles at crypto firms for years. The operation has since evolved: they now run fake recruiting processes targeting existing protocol engineers, posing as investors or hiring managers for prominent Web3 companies, to extract credentials, source code access, and VPN sessions.
These campaigns look like normal professional interaction for months before any financial transaction occurs. By the time suspicious behavior becomes visible, the attacker has already collected what they need to execute.
In June 2026, the Humanity Protocol hack used a simpler version of the same model: malware on a developer's machine collected stored credentials and private keys, which were then used to drain $36 million. No protocol flaw was involved — only access to one engineer's compromised workstation.
What Separates a State Actor
Most DeFi exploits move fast. An attacker identifies a contract vulnerability, times the exploit around market conditions, and executes within hours or days. Defenders have a narrow window to detect and block before the funds clear.
State-sponsored operations work on a fundamentally different timeline. Drift required six months of active relationship-building before the final step. North Korea's IT worker infiltration program — in which operatives apply for legitimate remote roles at crypto and tech companies — involves workers who spend a year or more inside target organizations before acting on their access. A supply chain attack attributed to suspected DPRK actors in March 2026 involved malicious code embedded in software packages used by thousands of US companies, positioned as a long-range access mechanism rather than an immediate drain.
Patience is the primary operational advantage. An organization that detects unusual activity and terminates an actor's access may simply restart the clock. The financial resources and organizational continuity behind a state intelligence program do not expire the way an individual attacker's motivation does.
The scale of this shift is visible in aggregate data. Account compromise now accounts for more than 50% of all DeFi attacks by incident count in 2026, surpassing traditional smart contract exploits for the first time according to Chainalysis. That figure reflects what Lazarus and similar groups have demonstrated: that infrastructure and personnel are significantly softer targets than well-audited code. Security processes built around code review have not kept pace with attack vectors built around people.
How Stolen Funds Move After a Hack
The laundering sequence following a major Lazarus theft follows a consistent pattern. Within hours of a successful drain, funds move rapidly across chains — typically bridged to Ethereum first, where liquidity and routing options are greatest. The goal is creating enough distance from the origin chain before compliance teams and law enforcement can coordinate a freeze request across exchanges.
After the U.S. sanctioned Tornado Cash in 2022 and Sinbad.io in 2023, Lazarus shifted its primary laundering flows to cross-chain bridges and exchange-adjacent services including eXch. THORChain — which enables native swaps between chains without wrapped tokens or intermediary contracts — became a primary route because its architecture makes tracing harder than standard bridge flows. TRM Labs data shows bridge-related laundering activity rose 66% between 2023 and 2025, while mixer-related activity fell 37% over the same period.
The conversion process is designed to outlast interdiction attempts. After the Bybit hack, investigators tracked stolen ETH moving through THORChain to Bitcoin, then through a series of peer-to-peer exchanges before reaching DPRK-controlled wallets. The full conversion spanned weeks. On-chain analysis firms can reconstruct these paths retrospectively, but real-time blocking requires simultaneous coordination across multiple chains, jurisdictions, and exchange compliance desks — a coordination problem that currently favors the attacker. Large fund movements linked to Lazarus-associated addresses often surface in on-chain activity before exchanges can flag them. The Whale Tracker logs significant on-chain movements as they happen.
For protocol teams, the core implication is that smart contract security is necessary but no longer sufficient. Signing key management, personnel access controls, and social engineering awareness — understanding how ClickFix works, verifying recruiter and counterparty identities before entering technical discussions, keeping private keys in hardware signers that require physical confirmation — address the vector behind the largest losses in 2026. Individual users face a different version of the same threat model: as covered in Clipper Malware, malware targeting personal machines can capture keys stored in browser extensions and software wallets without touching any protocol vulnerability. A hardware wallet that requires physical confirmation for every outbound signing transaction removes the software layer attackers need to silently authorize transfers.