Lazarus Group stole $240m of crypto in 104 days, report claims

18 Sep 2023

Image: © stockcrafter/

A report from Elliptic suggests the notorious hacker group is ramping up its operations and changing tactics this year, focusing more on centralised services.

The North Korean hacker group Lazarus has stepped up its activity recently, stealing an estimated $240m in crypto assets in less than four months.

That’s according to a new report by blockchain analytics company Elliptic, which claims the hacking group is behind five recent thefts in the global crypto sector. The FBI have so far confirmed that Lazarus is behind four of these five cyberattacks.

The new wave of attacks began in June, when a decentralised cryptocurrency wallet known as Atomic Wallet lost more than $100m. Since then, the Lazarus Group has been connected to thefts on crypto payment platform CoinsPaid, crypto payment provider Alphapo and cryptocurrency casino

The latest attack occurred on 12 September, where an estimated $54m was stolen from centralised crypto exchange CoinEx. Elliptic said a number of factors indicate that Lazarus is also responsible for this attack.

Elliptic describes this organisation as an “elite North Korean hacking group”. The Lazarus Group was blamed for the notorious WannaCry cyberattack in 2017, which was unprecedented in scale at the time and wreaked havoc around the globe. This group is also believed to be behind the infamous hack of Sony Pictures Entertainment in 2014.

This group was also linked to some high-profile attacks last year, including the massive theft of gaming-focused blockchain network Ronin, in which roughly $625m was stolen. After a relatively quiet period, Elliptic’s report suggests the hacker group may be changing its tactics.

“An analysis of Lazarus’ latest activity suggests that since last year, they have shifted their focus from decentralised services to centralised ones,” Elliptic said. “Four of the five recent hacks discussed previously are of centralised virtual asset service providers.”

The report suggests this change in tactics may be due to an increased security focus among decentralised services and the fact Lazarus uses social engineering as one of its primary forms of attack, which are more effective against centralised entities.

“Centralised exchanges, meanwhile, will likely operate bigger workforces, thus widening the scope of possible targets,” Elliptic said. “They are also likely to operate using centralised internal information technology systems, allowing Lazarus malware a greater chance to penetrate the intended functions of their business.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic