Every time a major crypto exchange, bridge, or DeFi protocol is drained of millions, the PR playbook is almost depressingly predictable. Within 48 hours, a somber X thread appears: “We were targeted by a highly sophisticated, state-sponsored cyberattack.” The unspoken translation? “It was the Lazarus Group.”
For years, blaming North Korea has quietly become the ultimate “get out of jail free” card in crypto. Admitting that an intern left private keys in a public GitHub repo is a career-ending humiliation. Getting outsmarted by a military-grade cyber army, however, buys sympathy, time, and cover with investors.
So which is it? Is Lazarus actually behind most of the billion-dollar heists the industry has suffered, or has the name become a convenient scapegoat for an industry that still cannot keep its own house in order?
After reviewing FBI and DOJ indictments, the 2026 Chainalysis Crypto Crime Report, Elliptic and TRM Labs forensics, victim post-mortems from LayerZero and Drift, and on-chain data, the conclusion is sharper than most think. Lazarus is real. Lazarus is North Korean. And Lazarus is responsible for a significant share of the largest heists in crypto history. Just not all of them.
Who actually is the Lazarus Group?

Lazarus (also tracked as APT38, TraderTraitor, and UNC4736) is not a loose collective of hackers. It is a highly organized, state-sponsored group operating under North Korea’s Reconnaissance General Bureau, with ties to a unit known as Bureau 121.
The group gained global attention with the 2014 Sony Pictures hack and the 2017 WannaCry ransomware outbreak. Around 2018, it shifted focus toward cryptocurrency. The reasoning wasn’t subtle. North Korea faces heavy international sanctions, and crypto offers something traditional finance no longer could: a borderless, hard-to-freeze way to move billions of dollars into a regime whose nuclear and ballistic missile programs need constant funding.
U.S. indictments, malware analysis, IP tracing, and intelligence reports link Lazarus to Pyongyang. North Korea denies involvement, but the blockchain evidence points consistently in the same direction.
The Scoreboard: $7.3 billion and counting
The group’s financial footprint is substantial.
According to Chainalysis’s 2026 data, DPRK-linked actors stole $2.02 billion in 2025 alone, a 51% jump year-over-year, accounting for roughly 76% of all service-related crypto thefts during that period. This pushed their cumulative total to $6.75 billion by the end of last year.
Then April 2026 happened. The KelpDAO breach and the Drift Protocol exploit added roughly $575 million within 17 days. The total now exceeds $7.3 billion, making Lazarus one of the most prolific cyber-theft operations on record.
A clear trend has emerged: fewer attacks, but significantly higher value per incident.
The big heists: A verified table
Here’s a breakdown of major crypto thefts tied to Lazarus, cross-checked against FBI and DOJ statements, Chainalysis, Elliptic, and TRM Labs forensics, victim post-mortems, and primary blockchain analysis.
| Rank | Target | Date | Amount | Method |
|---|---|---|---|---|
| 1 | Bybit Exchange | Feb 2025 | $1.5B | Safe{Wallet} supply chain compromise and social engineering |
| 2 | Ronin Bridge (Axie Infinity) | Mar 2022 | $620 to $625M | Validator key theft via fake-job spear phishing |
| 3 | DMM Bitcoin | May 2024 | ~$308M | Hot wallet compromise |
| 4 | KelpDAO (rsETH) | Apr 18, 2026 | $290 to $292M | RPC node poisoning and DDoS on LayerZero DVNs |
| 5 | Drift Protocol | Apr 1, 2026 | $285M | Six-month social engineering of Security Council multisig |
| 6 | KuCoin Exchange | Sep 2020 | ~$275M | Hot wallet breach |
| 7 | WazirX | Jul 2024 | ~$235M | Wallet compromise |
| 8 | Harmony Horizon Bridge | Jun 2022 | $100M | Private key theft |
| 9 | Atomic Wallet | Jun 2023 | ~$100M | Malware and supply chain attack |
| 10 | Alphapo | Jul 2023 | $60M | Payment platform breach |
Smaller incidents, like the Stake.com breach ($41M in 2023) and the Upbit hit ($36 to $37M in 2025), show similar patterns but fall outside the top ten. Worth noting that the Poly Network hack ($600M in August 2021) is sometimes grouped with Lazarus activity in broader media coverage, though its attribution remains less conclusive than the cases above.
One signature runs through virtually every confirmed entry on this list, and almost nobody in crypto media has connected the dots publicly: the 45-day laundering playbook. Clustered wallet movements, mixer rotations, and small-tranche off-ramps through Asian OTC networks. It’s a fingerprint, and it shows up on heist after heist.
Why “Lazarus = every hack” feels overblown
Not all crypto exploits are linked to Lazarus. Many smaller incidents are carried out by independent actors. Attribution is complex, and false flags are possible. However, major attributions typically rely on multiple data points, including blockchain analysis, malware signatures, and intelligence sources.
The April 2026 incidents involving Drift Protocol and KelpDAO, supported by forensic analysis and project disclosures, strongly align with known Lazarus tactics.
How investigators attribute attacks to Lazarus
So how do forensic analysts separate real Lazarus work from convenient finger-pointing? It comes down to TTPs: tactics, techniques, and procedures. Digital fingerprints rather than guesswork.
Malware signatures: Lazarus reuses custom-built malware across campaigns. AppleJeus, the famous fake crypto-trading application from earlier years, is one well-documented example. Code reuse across operations becomes its own form of evidence.
Highly specific laundering behavior: The group doesn’t just move stolen funds. It moves them in patterns that repeat. Historically, they routed hundreds of millions through Tornado Cash. Once Tornado was sanctioned, they systematically pivoted to privacy protocols like Railgun and began routing more volume through Bitcoin and specific Asian OTC brokers. This evolution is itself traceable, and it shows continuity of operators rather than imitators.
The embedded employee tactic: This one is genuinely unsettling. In recent years, Lazarus has increasingly skipped the complex exploit entirely and just gotten hired. Fake identities, fake resumes, and fake credentials get planted inside DeFi teams and crypto service providers as remote IT workers. Then they wait, gain internal access, and drain from the inside. Several 2024 and 2025 incidents have exposed this playbook explicitly.
Infrastructure overlap: Shared IP ranges, shared hosting providers, shared wallet clustering patterns, shared bridge pathways. The forensic case is rarely based on any single data point. It’s always multi-vector.
No major Lazarus attribution has been credibly debunked in years. This is worth sitting with for a moment.
The limits of the scapegoat theory

Here’s where the nuance matters. Lazarus is absolutely real, but they aren’t omnipresent. Plenty of platforms quietly use “nation-state actor” framing to shield themselves from harder conversations.
The incentive structures are obvious once you look at them:
Deflecting investor panic: A nation-state attack sounds like an unforeseeable act of war. This framing softens the blow for furious investors and venture backers far more than “we got phished.”
Masking inside jobs: In an unregulated environment, exit scams and insider threats happen more often than anyone wants to admit. Blaming North Korea is a tidy way to cover that up when the dust settles.
Hiding basic incompetence: Many hacks still happen through phishing emails or sloppy multisig management. “An employee clicked a fake recruiter link” is a hard line to include in a Series B announcement.
Do the math. Of the roughly $3.4 billion stolen across the crypto industry in 2025, about $1.38 billion was stolen by non-DPRK actors. Script kiddies, Russian syndicates, Chinese money-laundering networks, disgruntled insiders, and plain old opportunistic criminals. So when a protocol reflexively blames Lazarus for every incident, the statistics simply don’t back it up.
The correct posture is somewhere in the middle. Lazarus dominates the nine and ten-figure heists. They don’t dominate the small-wallet drains, the random oracle exploits, the insider rug pulls, or the code-logic bugs that make up the majority of DeFi’s incident count. Those belong to independents, opportunists, and in some cases, the teams themselves.
April 2026: Two textbook Lazarus attacks
The two April mega-hits are almost perfect case studies of how Lazarus operates in 2026.
Drift Protocol was drained of $285 million on April 1 following a six-month social engineering campaign targeting its Security Council. There was no code exploit or smart contract vulnerability—just a patient, coordinated operation that compromised individuals with administrative access. Elliptic, TRM Labs, and Chainalysis independently identified DPRK-linked indicators within days.
KelpDAO was exploited on April 18 for another $290–$292 million through an attack on LayerZero’s Decentralized Verifier Networks. The exploit combined RPC node poisoning with DDoS pressure on the DVNs, enabling forged cross-chain messages to drain rsETH. LayerZero attributed the attack to TraderTraitor, a known Lazarus subgroup.
Both attacks highlight what the group has evolved into. It has moved past pure code exploitation into operational warfare. Human weak points, infrastructure manipulation, and patient multi-month campaigns. This is a completely different threat profile from what the DeFi industry was built to defend against.
What it means going forward
North Korea treats crypto as an industrial-scale revenue stream for a sanctioned regime. This framing matters because it means Lazarus is not slowing down. If anything, the April 2026 escalation suggests the opposite.
For protocols, the defensive playbook has to shift. Multi-DVN verification. Hardware-isolated multisig setups. Mandatory social engineering drills for anyone with admin access. Red-team simulations that assume a state actor is already inside the building, because increasingly they are. Ignoring warning signs on fake recruiters or suspicious internal PRs has now cost the industry more than $575 million in a single month.
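As an added illustration of the multi-DVN point above, and of why the KelpDAO-style pairing of a poisoned RPC view with DVN unavailability matters, here is a simplified Python model of threshold verification for a cross-chain message. It is not LayerZero, KelpDAO or rsETH code; the DVN names, payloads and the fail-open fallback are constructed assumptions for illustration, not a description of any real deployment.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

@dataclass
class DVN:
    name: str
    # What this DVN's RPC view of the source chain reports for the message.
    # A poisoned RPC node feeds it a forged payload; None means the DVN is
    # unreachable (e.g. under DDoS) and cannot attest at all.
    view: Optional[bytes]

    def attest(self) -> Optional[str]:
        return None if self.view is None else digest(self.view)

def verify_fail_closed(payload: bytes, dvns: list, required: int) -> bool:
    """Accept only if at least `required` DVNs attest to this exact payload.
    Unreachable DVNs count as non-attesting, so a DDoS stalls delivery
    instead of shrinking the quorum."""
    agreeing = sum(1 for d in dvns if d.attest() == digest(payload))
    return agreeing >= required

def verify_fail_open(payload: bytes, dvns: list, required: int) -> bool:
    """Hypothetical weak variant: when too few DVNs are reachable, fall back
    to whichever ones still answer. Availability pressure lowers the bar."""
    reachable = [d for d in dvns if d.view is not None]
    threshold = min(required, len(reachable))
    agreeing = sum(1 for d in reachable if d.attest() == digest(payload))
    return threshold > 0 and agreeing >= threshold

GENUINE = b"unlock rsETH 1000 to 0xALICE"      # constructed sample message
FORGED = b"unlock rsETH 900000 to 0xMALLORY"   # constructed forged message

def run(verifier: Callable, honest_online: int) -> dict:
    """dvn-a is fed the forged payload by a poisoned RPC node; dvn-b and dvn-c
    are honest, but only `honest_online` of them are reachable (2-of-3 quorum)."""
    honest = [DVN(n, GENUINE if i < honest_online else None)
              for i, n in enumerate(["dvn-b", "dvn-c"])]
    dvns = [DVN("dvn-a", FORGED)] + honest
    return {"forged_accepted": verifier(FORGED, dvns, 2),
            "genuine_accepted": verifier(GENUINE, dvns, 2)}

if __name__ == "__main__":
    for v in (verify_fail_closed, verify_fail_open):
        for online in (2, 1, 0):
            print(v.__name__, "honest DVNs online:", online, run(v, online))
```

With both honest DVNs knocked offline, the fail-open variant accepts the forged message on the word of the single poisoned DVN, while the fail-closed quorum rejects it and simply stalls the genuine one until verifiers are back.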
For users, the advice is blunter. Hardware wallets are not optional anymore. Every approval needs to be verified. Every job offer in the crypto space deserves a second look, especially for developers with access to production keys.
For the industry, the recovery side is improving slightly. Faster analytics, faster sanctions, faster bounty coordination, and growing public pressure from on-chain investigators are occasionally clawing funds back. But speed is everything, and most protocols still respond to Lazarus hits like they’re responding to a conventional DeFi exploit. This gap is where billions are still bleeding.
Bottom line
The Lazarus Group is neither a myth nor a universal excuse. It’s a documented, prolific, state-backed cyber army responsible for dozens of confirmed major crypto thefts and a verified trail of more than $7.3 billion. The table above, the April 2026 attacks, and the consistent laundering patterns remove most of the reasonable doubt.
But the next time a crypto platform gets drained and immediately points the finger at North Korea, demand the forensic proof. Look for statements independently verified by Chainalysis, Elliptic, or TRM Labs. Look for FBI or DOJ confirmation. If those aren’t in the post-mortem, the attribution probably isn’t earning its press release.
North Korea makes a perfect villain. But sloppy code, reckless operational security, and the occasional inside job are still the crypto industry’s real everyday enemies. Recognizing both realities at once is the only honest way forward.
Data cross-verified against the 2026 Chainalysis Crypto Crime Report, FBI and DOJ releases, LayerZero and Drift Protocol statements, Elliptic and TRM Labs forensics, and primary blockchain sources. All figures current as of April 21, 2026.
