{
	"id": "ec5f9db5-319c-45bd-98e5-961077eb2f22",
	"created_at": "2026-04-06T03:36:28.045098Z",
	"updated_at": "2026-04-10T13:12:29.065586Z",
	"deleted_at": null,
	"sha1_hash": "aa163450980d01c0a689119cb34bfbaa7f193bc9",
	"title": "How the Lazarus Group is stepping up crypto hacks and changing its tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 441058,
	"plain_text": "How the Lazarus Group is stepping up crypto hacks and changing its tactics\r\nBy Elliptic Research\r\nArchived: 2026-04-06 02:58:27 UTC\r\nThe Lazarus Group – North Korea’s elite hacking organization – appears to have recently ramped up its operations, conducting four confirmed attacks against crypto entities since June 3rd.\r\nNow, they are suspected of carrying out a fifth attack, this time targeting the crypto exchange CoinEx on September 12th. In response to this, the company has released several tweets indicating that suspicious wallet addresses are still being identified, and therefore the total value of stolen funds is not yet known; however, it is currently believed to be around $54 million.\r\nIn the past 104 days, Lazarus has already been identified as responsible for stealing almost $240 million in cryptoassets from Atomic Wallet ($100 million), CoinsPaid ($37.3 million), Alphapo ($60 million), and Stake.com ($41 million).\r\nhttps://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics\r\nPage 1 of 4\r\nAs seen in the chart above, Elliptic analysis confirms that some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus Group to launder funds stolen from Stake.com, albeit on a different blockchain. Following this, the funds were bridged to Ethereum, using a bridge previously used by Lazarus, and then sent back to an address known to be controlled by the CoinEx hacker.\r\nElliptic has observed this mixing of funds from separate hacks by Lazarus before, most recently when crypto stolen from Stake.com overlapped with funds stolen from Atomic Wallet. These instances in which funds from different hacks have been consolidated are represented in the chart below in orange.\r\nIn light of this blockchain activity, and in the absence of information suggesting the CoinEx hack was conducted by any other threat group, Elliptic agrees that Lazarus Group should be suspected for the theft of funds from CoinEx.\r\nFive Lazarus attacks in 104 days\r\nIn 2022, several high-profile hacks were attributed to Lazarus, including the hacks of Harmony’s Horizon Bridge and Axie Infinity’s Ronin Bridge, both of which occurred within the first half of last year. Between then and June of this year, no major crypto heists were publicly attributed to Lazarus. As a result, the various hacks of the last 104 days represent a step up in activity for the North Korean threat group.\r\nOn June 3rd 2023, users of Atomic Wallet – a non-custodial decentralized cryptocurrency wallet – lost over $100 million. Elliptic attributed this hack to Lazarus on June 6th 2023, after identifying multiple factors indicating that the North Korean threat group was responsible. This attribution was later confirmed by the FBI.\r\nOn July 22nd 2023, Lazarus gained access to hot wallets belonging to crypto payment platform CoinsPaid via a successful social engineering attack. This access allowed the attackers to create authorized requests to withdraw approximately $37.3 million in crypto assets from the platform’s hot wallets. On July 26th, CoinsPaid published a report claiming Lazarus was responsible for this attack. This attribution was later confirmed by the Federal Bureau of Investigation (FBI).\r\nOn the same day, July 22nd, Lazarus conducted another high-profile attack, this time against centralized crypto payment provider Alphapo, stealing $60 million in cryptoassets. The attackers may have gained access through previously compromised private keys. As above, the FBI later attributed this attack to Lazarus.\r\nOn September 4th 2023, online crypto casino Stake.com suffered an attack in which approximately $41 million in virtual currency was stolen, possibly as a result of a stolen private key. The FBI issued a press release on September 6th confirming that the Lazarus Group was behind this attack.\r\nFinally, on September 12th 2023, centralized crypto exchange CoinEx was the victim of a hack in which $54 million was stolen. As detailed above, a number of factors indicate that Lazarus is responsible for this attack.\r\nAn analysis of Lazarus’ latest activity suggests that since last year, it has shifted its focus from decentralized services to centralized ones. Four of the five recent hacks discussed previously are of centralized virtual asset service providers (VASPs). Centralized exchanges were Lazarus’ target of choice prior to 2020, before the rapid rise of the decentralized finance (DeFi) ecosystem.\r\nThere are a number of possible explanations for why Lazarus’ attention may have once again shifted back to centralized services.\r\nIncreased focus on security\r\nElliptic’s previous research into DeFi hacks of 2022 found that one exploit occurred every four days, each stealing an average of $32.6 million.\r\nCross-chain bridges – which were a relatively new form of service in early 2022 – became some of the most frequently hacked types of DeFi protocol. These trends have likely prompted improvements in smart contract auditing and development standards, thus reducing the scope for hackers to identify and exploit vulnerabilities.\r\nSusceptibility to social engineering\r\nFor many of its hacks, the Lazarus Group’s attack methodology of choice is social engineering. The $540 million hack of Ronin Bridge, for example, was attributed to a fake LinkedIn job offer.\r\nNevertheless, decentralized services often have small workforces and – as the name suggests – are to varying extents decentralized. Hence, gaining malicious access to a developer does not necessarily equate to getting administrative access to a smart contract.\r\nCentralized exchanges, meanwhile, are likely to operate bigger workforces, thus widening the pool of possible targets. They are also likely to run centralized internal information technology systems, giving Lazarus malware a greater chance to penetrate their core business functions.\r\nElliptic will continue to monitor these incidents and update our system with new information on stolen funds.\r\nSource: https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics"
	],
	"report_names": [
		"how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446588,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa163450980d01c0a689119cb34bfbaa7f193bc9.pdf",
		"text": "https://archive.orkl.eu/aa163450980d01c0a689119cb34bfbaa7f193bc9.txt",
		"img": "https://archive.orkl.eu/aa163450980d01c0a689119cb34bfbaa7f193bc9.jpg"
	}
}