{
	"id": "d45ab6bb-f7ac-482b-a07f-76dc057d9c2b",
	"created_at": "2026-04-06T00:07:53.523221Z",
	"updated_at": "2026-04-10T13:11:55.258176Z",
	"deleted_at": null,
	"sha1_hash": "245479f590681a637f06bc4c586771a45092cfec",
	"title": "FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com | Federal Bureau of Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42865,
	"plain_text": "FBI Identifies Lazarus Group Cyber Actors as Responsible for\r\nTheft of $41 Million from Stake.com | Federal Bureau of\r\nInvestigation\r\nArchived: 2026-04-05 14:46:59 UTC\r\nThe FBI is issuing this release to warn the public regarding the theft of approximately $41 million in virtual\r\ncurrency from Stake.com, an online casino and betting platform. The FBI has confirmed that this theft took place\r\non or about September 4, 2023, and attributes it to the Lazarus Group (also known as APT38) which is comprised\r\nof DPRK cyber actors.\r\nThe FBI investigation has revealed that DPRK cyber actors moved stolen funds associated with the Ethereum,\r\nBinance Smart Chain (BSC), and Polygon networks from Stake.com into the following virtual currency\r\naddresses:\r\nThese same DPRK actors are also responsible for several other high-profile international virtual currency heists.\r\nIn 2023 alone, DPRK cyber actors have stolen more than $200 million. This amount includes, but is not limited to,\r\napproximately $60 million of virtual currency from Alphapo and CoinsPaid on or about July 22, 2023, and\r\napproximately $100 million of virtual currency from Atomic Wallet on or about June 2, 2023.\r\nThe FBI previously provided information to the public regarding the DPRK’s attacks against Harmony’s Horizon\r\nbridge and Sky Mavis’ Ronin Bridge and put out a cybersecurity advisory on TraderTraitor. In addition, the U.S.\r\nDepartment of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the Lazarus Group in 2019.\r\nPrivate sector entities are encouraged to review the previously released Cyber Security Advisory on TraderTraitor\r\nand examine the blockchain data associated with the above-referenced virtual currency addresses and be vigilant\r\nin guarding against transactions directly with, or derived from, those addresses.\r\nThe FBI will continue to expose and combat the DPRK’s use of illicit activities to generate revenue for the\r\nregime, including cybercrime and virtual currency theft. If you have any information to provide, please\r\ncontact your local FBI field office or the FBI’s Internet Crime Complaint Center at ic3.gov.\r\nSource: https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom"
	],
	"report_names": [
		"fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434073,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/245479f590681a637f06bc4c586771a45092cfec.pdf",
		"text": "https://archive.orkl.eu/245479f590681a637f06bc4c586771a45092cfec.txt",
		"img": "https://archive.orkl.eu/245479f590681a637f06bc4c586771a45092cfec.jpg"
	}
}