Lazarus Group: North Korea’s Cybercrime Syndicate of the Decade
Estimated Reading Time: 6 minutes
Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment and you are unlikely to be protected if something goes wrong. Take 2 minutes to learn more
Most state-backed hackers focus on espionage and sabotage, steering clear of financial crimes. But North Korea’s Lazarus Group has rewritten the rules—merging state objectives with profit. Since 2009, it has targeted banks and crypto exchanges not just to disrupt, but to steal.
Cybercrime as Economic Strategy
Facing global isolation, crippling sanctions, and an economy in crisis, North Korea has turned to cybercrime as a lifeline. Cyber operations offer the regime a way to generate revenue and gain technical knowledge to fuel key state projects, including missile and nuclear weapons programs. Lazarus has become the sharp edge of that strategy—leveraging digital warfare to prop up a regime that’s locked out of global finance.
Notorious Attacks That Shook the World
Lazarus gained global attention in 2014 with its cyberattack on Sony Pictures, retaliating against the film The Interview. Its boldest move came in 2016 with an attempted $1 billion heist from the Central Bank of Bangladesh—ultimately netting $81 million due to a typo.
In 2017, the group launched WannaCry, a ransomware attack that hit over 200,000 systems in 150+ countries. Though it earned only about $150,000 in bitcoin, the global damage was massive. The UK’s NHS was severely affected, with costs estimated at £5.9 million.
A New Kind of Threat
Unlike most state-sponsored hackers, Lazarus blends the motives of a spy agency with the methods of organized cybercrime. The result is a threat actor that doesn’t just steal secrets—it steals assets, wrecks infrastructure, and launders digital wealth at scale. As cyberwarfare evolves, Lazarus stands as a grim example of what happens when desperation, innovation, and state backing collide in cyberspace.
North Korean Hackers: Operating with Unmatched Boldness
North Korean cyber operatives stand out for their boldness and lack of concern over exposure or retaliation. Unlike hackers in countries like Russia or China, they act with impunity, backed and protected by the regime.
Groups like Lazarus operate directly under Kim Jong-un’s government, facing no legal or diplomatic consequences. Their loyalty is often rewarded, further emboldening their actions.
North Korea’s isolation and disregard for international norms give its hackers more freedom than peers in more globally connected states. While Russian groups sometimes retreat under pressure, North Korea is largely immune to outside influence. Its sanctioned status and reliance on cybercrime to fund national goals make its threat actors especially reckless and dangerous.
State-Controlled Cyber Warfare: How North Korea Trains Its Hackers
In North Korea, the concept of free internet is non-existent. The state exercises total control over digital access, making unsanctioned online activity virtually impossible. As a result, North Korea’s cyberattacks are not rogue operations—they are fully orchestrated, approved, and often initiated by the regime itself.
Hackers don’t emerge independently in this environment. They are handpicked and groomed from a young age. Promising children—as young as 11—are scouted for their aptitude and placed in specialized programs. These elite trainees are granted privileges rarely seen in North Korea: spacious apartments, exemption from mandatory military service, and access to elite education. Their role as cyber warriors is clear from the outset—they are state assets.
Training Abroad to Attack the Free Web
But to infiltrate global systems, these hackers must first understand how the open internet works—something they can’t do from inside North Korea. That’s why many are sent to China, the one major power that still maintains a working relationship with Pyongyang. There, they study modern computer networks, programming, and hacking techniques in an environment that mirrors the outside world.
Once trained, they return to work directly for the regime, often under the umbrella of military-affiliated institutions or technical universities. Some are believed to be funneled through military cyber divisions, further blurring the line between cybercrime and national defense.
Lazarus Expands Its Scope: New Targets, Same Agenda
North Korea’s cyber campaigns, led by the Lazarus Group, have traditionally targeted adversaries like South Korea and the U.S., focusing on government, defense, and financial sectors.
By the mid-2020s, Lazarus expanded its scope to biotech firms and academic institutions researching COVID-19—likely aiming to steal data to aid North Korea’s own vaccine efforts.
More recently, the group has begun targeting transportation and logistics sectors, possibly to exploit or disrupt global supply chains amid pandemic-driven demand and price surges.
No End in Sight for Lazarus Operations
Despite sanctions, indictments, and diplomatic pressure, North Korea’s Lazarus Group remains active. In 2020, the U.S. charged three North Korean hackers with stealing over $1.3 billion in digital assets—but prosecution remains unlikely, and deterrence minimal.
Diplomacy hasn’t worked either. Hopes for improved ties during the Trump administration faded quickly, with cyberattacks continuing even after the 2018 U.S.–North Korea summit.
Today, cyberwarfare is central to Pyongyang’s strategy. Backed by the regime, Lazarus serves both as a tool of espionage and a vital source of revenue under sanctions. It’s not a rogue actor—it’s a state asset.
With no accountability and no incentive to comply with global norms, Lazarus remains a growing, embedded threat. And it’s not going away anytime soon.
