Last week, the crypto exchange Bybit suffered one of the most severe hacks in internet history, resulting in the loss of $1.5 billion in Ethereum (ETH). Blockchain experts identified the hacker group Lazarus as the perpetrators. Who are they?
The Lazarus Group, also known as Guardians of Peace or Whois Team, is a cyber-espionage and hacking group believed to be operated by the North Korean government. Founded in 2007, Lazarus has been linked to numerous high-profile cyberattacks, including the 2014 Sony Pictures hack and the 2016 digital heist of Bangladesh's central bank. In recent years, their name has also surfaced in connection with high-profile attacks on crypto protocols. Bybit was not their first victim.
Subscribe to our newsletter
The best articles of the week, directly delivered into your mailbox.
Lazarus Group behind numerous multi-million-dollar hacks
There is little official information available about the hacker group, leaving its exact leadership largely unknown. However, it is widely believed that Lazarus operates under the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence agency. Reports suggest that within the RGB, the group falls under the 110th Research Center, also known as the 3rd Bureau, which is responsible for cyber operations.
The Lazarus Group primarily funds itself through cybercrime, including financial theft and cyber espionage. Attacks on crypto projects such as Bybit, FTX, Mt. Gox, the Ronin Network, and Wormhole have netted Lazarus over $5 billion in recent years. For comparison, North Korea’s nominal Gross Domestic Product (GDP) was estimated at $23.7 billion in 2023. The $5 billion stolen by Lazarus equates to over 21% of the country’s GDP.
These illicit activities generate revenue that is believed to support North Korea’s nuclear and missile programs, as well as other state interests. The group's operations feature sophisticated cyber techniques, including spear-phishing, malware distribution, and the exploitation of zero-day vulnerabilities.
North Korea’s strategic cyber unit
The name “Lazarus Group” is derived from the biblical figure Lazarus, symbolizing the group’s ability to re-emerge after being disrupted or neutralized. Despite identification, international sanctions, and law enforcement efforts, the group continuously adapts, evolves, and resurfaces, making it one of the most persistent and resilient cybercriminal organizations.
Despite its relative underdevelopment in many areas, North Korea has prioritized cyber capabilities as a means to circumvent international sanctions and generate revenue. The country’s leadership under Kim Jong-un has invested in developing cyber warfare capabilities, recognizing them as a relatively low-cost way to exert power and undermine adversaries. This includes attacks on financial institutions, cryptocurrency exchanges, and government infrastructures worldwide.
Regarding international alliances, North Korea maintains only limited formal relations with other states. However, in the past, it has received various forms of support or tacit approval from countries with aligned geopolitical interests, such as Russia, China, or Iran. Nevertheless, despite speculation, no concrete evidence links other governments directly to the activities of the Lazarus Group.
