How did North Korea steal 800 Million in Cryptocurrencies in 2024?

Written By:
Pari Shukla

Reviewed By:
Vaibhav Jha


In 2024, a total of $2.2 billion was stolen in crypto hacks, and alleged hackers from North Korea were responsible for approximately 35% of all cryptocurrency stolen globally, amounting to nearly $800 million. According to the latest 2025 Crypto Crime report prepared by TRM, North Korean hacking groups are now deploying advanced technologies to siphon off crypto funds.

The report by TRM further states that the attacks by North Korean hackers were significantly larger than those of other groups of hackers, averaging five times the size, which indicates a focus on major heists seen in the crypto world in 2024.

Many have pointed fingers at the infamous Lazarus Group, a collective of hackers originating from the rogue kingdom of North Korea. The group remains elusive; its modus operandi has stayed the same over the years, but its techniques and infrastructure keep evolving rapidly thanks to technological advancements.


An unknown number of individuals make up this hacker group. It has been alleged that the group is supported by the dictator Kim Jong Un and is adept with the latest technologies, such as supercomputing, artificial intelligence (AI), quantum computing, and machine learning tools, which it uses to carry out hacks.

The North Korean hackers have employed these cutting-edge technologies to evade identification by other nations despite efforts from the FBI and other law enforcement agencies.

Top 5 Hacks in Crypto in 2024 by North Korean Hackers

In 2024, the top 5 hacks were carried out by North Korea: the DMM Bitcoin Exchange hack, the WazirX hack, the Orbit Bridge exploit, the Munchables exploit, and the BtcTurk exploit. In 2025, they also carried out the Bybit hack.

1. DMM Bitcoin Exchange Hack

In May 2024, hackers stole $308 million in cryptocurrency from DMM Bitcoin, a Tokyo-based crypto exchange. After a seven-month investigation, Japanese authorities and the FBI determined that the North Korean hacking group Lazarus was behind the attack.

The hackers targeted an executive at Ginco, DMM’s custody partner, who had access to the wallet management system. By stealing the executive’s login details, the hackers were able to transfer millions of dollars in crypto from DMM’s exchange to their wallet, escaping with over $300 million in digital assets.

Impact of Hack

As a result, DMM decided to close down in December 2024. To take care of its customers, DMM transferred all its assets and customer accounts to SBI VC Trade, a company owned by the Japanese financial group SBI.

2. WazirX Hack

In June 2024, WazirX, India’s biggest crypto exchange by trading volume, was hacked, and $235 million was stolen. In that hack, various cryptocurrencies were stolen from a single cold wallet. The hackers were the same North Korean group, Lazarus, who also attacked DMM Bitcoin the previous month.

Investigations are still ongoing, but early findings suggest the hackers used a method similar to the one in the DMM hack, likely stealing the keys to the cold wallet and then emptying it. WazirX’s custody partner, Laminal, claims their systems were not breached, while WazirX insists the hack happened at Laminal’s end, not theirs.


Impact of Hack

Since the hack on July 18, 2024, WazirX has kept all operations suspended for the past 10 months and has withheld the remaining 55% of user funds. Now, WazirX is moving towards a restructuring scheme, after which users are promised that they will receive at least 85% of their portfolio value (as it was before the July 18 hack), and WazirX will resume trading once again in May–June 2025.


3. Orbit Bridge Hack

On December 31, 2023, Orbit Bridge Chain, a decentralized finance platform, was hacked, losing $100 million in cryptocurrencies (ETH and DAI). The hacker took advantage of a flaw in the platform’s smart contract. After staying quiet for five months, the hacker began moving the stolen funds in June 2024, laundering $47.7 million worth of ETH through Tornado Cash, a tool that hides transaction trails.

The hacker’s wallet still holds $67.3 million in ETH and DAI. While it’s not confirmed who did it, the way the funds are being moved suggests it could be the work of North Korean hackers.

Impact of Hack

The Orbit Bridge exploit disrupted operations, damaged user trust, and exposed critical security flaws, prompting ongoing efforts to enhance protections and recover assets while contributing to broader concerns about DeFi vulnerabilities.

4. Munchables Hack

In March 2024, Munchables, a Web3 game focused on cryptocurrency, was hacked, losing $63 million in assets. The culprits were linked to North Korean hackers who used a clever trick called social engineering. They posed as four different developers, likely the same person, and were hired by Munchables to build its smart contracts. 

The hacker created a special type of smart contract called an “upgradeable proxy contract,” which allowed them to secretly control it through a specific address they owned, not Munchables. Using this control, the hacker gave themselves 1 million ETH within the contract.
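
The control problem described above can be checked before and after deployment. The following is an added example, not code from the article or from Munchables: it verifies that a proxy's upgrade admin and implementation are addresses the project has approved. It assumes the proxy follows the EIP-1967 storage layout and that the two storage words were already read from a node; all addresses are constructed samples.

```python
# Added example: check who controls an upgradeable proxy.
# Assumption: the proxy uses the EIP-1967 storage layout.
IMPLEMENTATION_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
ZERO_ADDRESS = "0x" + "00" * 20


def word_to_address(word):
    """Extract the 20-byte address from a 32-byte storage word given as hex."""
    raw = bytes.fromhex(word[2:] if word.startswith("0x") else word)
    if len(raw) != 32:
        raise ValueError("storage word must be 32 bytes")
    if any(raw[:12]):
        raise ValueError("upper 12 bytes are non-zero, not a plain address")
    return "0x" + raw[12:].hex()


def audit_proxy(storage, approved_admins, approved_impls):
    """Return a list of findings; an empty list means the proxy matches policy."""
    findings = []
    checks = (("admin", ADMIN_SLOT, approved_admins),
              ("implementation", IMPLEMENTATION_SLOT, approved_impls))
    for label, slot, approved in checks:
        word = storage.get(slot)
        if word is None:
            findings.append(f"{label}: slot was not read")
            continue
        addr = word_to_address(word)
        if addr == ZERO_ADDRESS:
            findings.append(f"{label}: unset (zero address)")
        elif addr not in {a.lower() for a in approved}:
            findings.append(f"{label}: {addr} is not an approved address")
    return findings


# Constructed sample values, not real on-chain addresses.
PROJECT_MULTISIG = "0x" + "11" * 20
REVIEWED_IMPL = "0x" + "22" * 20
CONTRACTOR_KEY = "0x" + "aa" * 20

# Storage words as a node returns them: address left-padded to 32 bytes.
SAMPLE_STORAGE = {ADMIN_SLOT: "0x" + "00" * 12 + CONTRACTOR_KEY[2:],
                  IMPLEMENTATION_SLOT: "0x" + "00" * 12 + REVIEWED_IMPL[2:]}

if __name__ == "__main__":
    for finding in audit_proxy(SAMPLE_STORAGE, {PROJECT_MULTISIG}, {REVIEWED_IMPL}):
        print("FINDING", finding)
```

In the constructed sample the implementation is the reviewed one, yet the check still reports a finding because the admin slot holds an individual's key rather than the project's multisig.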

Impact of hack

The hack disrupted Munchables’ operations, eroded its users’ trust, and exposed critical security flaws. While the return of stolen funds mitigated financial losses, the incident spurred significant security overhauls and served as a wake-up call for the Web3 gaming and DeFi sectors to address vulnerabilities and combat sophisticated threats like those posed by North Korean hackers.

5. BtcTurk Hack

In June 2024, BtcTurk, a Turkish cryptocurrency exchange, was hacked, and attackers stole $55 million in crypto assets. The hackers got hold of private keys, which are like secret passwords, allowing them to unlock and empty 10 hot wallets. They then sold the stolen crypto on the market. Fortunately, the stolen assets belonged to BtcTurk, not its customers, so no users lost money. Binance, another exchange, helped BtcTurk investigate and froze $5.3 million of the stolen crypto to prevent further losses.

Impact of Hack

The hack disrupted BtcTurk’s trading, harmed its reputation, and triggered market volatility for certain cryptocurrencies. It also highlighted ongoing security challenges in the crypto industry, likely prompting BtcTurk to enhance its defenses and fueling broader discussions on regulatory and security improvements in Turkey’s booming crypto market.

Who are Lazarus Group hackers from North Korea?

The Lazarus Group is responsible for all these significant hacks. Other nations cannot identify the group because its size is unknown. The group has been involved in many cybercrimes and hacks since 2009-10.

In 2014, the Lazarus Group attacked Sony Pictures Entertainment and stole a lot of data, including unreleased movies, employee personal information, and private emails. Later, they gradually leaked this information, causing Sony significant embarrassment.


Further, in February 2016, the Lazarus Group targeted Bangladesh Bank. They tried to steal $951 million, nearly all the money in the bank’s New York Federal Reserve account. They got in by sending a fake email with a job application to bank employees in January 2015. One employee opened the email and downloaded the attached files, which contained malicious software that infected the bank’s systems, allowing the hackers to carry out their attack.

But in February 2021, the FBI and the U.S. Department of Justice unsealed an indictment charging three North Korean individuals, Jon Chang Hyok, Kim Il, and Park Jin Hyok, with being members of the Lazarus Group, a North Korean state-sponsored hacking collective. 

The trio allegedly operated under North Korea’s Reconnaissance General Bureau (RGB), with units also known as APT38, and were stationed at times in countries like China and Russia. Park Jin Hyok had been previously charged in a 2018 complaint, and the 2021 indictment expanded the scope of allegations. 

What are the methods used by North Korean Hackers? 

The Lazarus Group has carried out its hacks in different ways, consistently combining social engineering with advanced technical methods. Below is a list detailing how this group has executed crypto hacks:

Social Engineering and Phishing

In this method, the group sends emails containing fake and misleading information, along with many attachments or links, while pretending to be a trustworthy sender.


The technique was used in the Bangladesh Bank hack in 2016. They often use platforms like LinkedIn to contact targets, offering partnerships and sharing links to gain people’s trust.

Malware Deployment

In this method, the group plants harmful software on a network to control it or steal information. The group makes fake crypto apps or sneaks malware into real ones to trick users into giving up their login details.


Malware lets them stay hidden, steal sensitive data like crypto keys, or change transactions without anyone noticing.

Targeting Centralized and Decentralized Platforms

The group has targeted both centralized and decentralized platforms. On centralized platforms, they attacked hot wallets by stealing the private keys to access them or by tricking employees. On decentralized platforms, they first find weaknesses in the systems that connect blockchains, and then they tamper with the code that runs those apps. Both types of platforms have their security flaws, and Lazarus is good at picking the easiest one to attack at any time.

Money Laundering Techniques

The group uses this technique to hide the stolen cryptocurrency, which makes the funds difficult to trace. They use different crypto mixer tools like Tornado Cash or Sinbad to mix the stolen money, or even move it across different blockchains, so that anyone trying to trace the money will be confused. They used this method in the Bybit hack in 2025.

Stealing Secret Codes

The group uses this method to get private keys. They first trick people, gaining their trust by sending trustworthy-looking emails, and then ask them to download harmful software. This software steals private keys from wallets like Exodus, Atomic, or MetaMask.

Conclusion: What are law enforcement agencies doing?

Law enforcement agencies worldwide are actively taking action against the crypto hacks by the Lazarus Group. The agencies’ efforts involve a combination of investigations, sanctions, international cooperation, and public-private partnerships. The agencies are tracing and seizing stolen money. They use blockchain analysis to track stolen cryptocurrency, which is recorded on public ledgers, making it traceable despite laundering attempts.

The agencies are also issuing sanctions. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned individuals and entities linked to Lazarus to disrupt their financial networks. The agencies have also partnered with different blockchains and crypto exchanges. These partnerships leverage private-sector expertise to trace funds faster, though recovery remains limited due to Lazarus’s laundering speed.


Pari Shukla is a Reporter and Writer at The Crypto Times. Apart from being a crypto enthusiast, Pari is a cricket aficionado and has also worked as a Sports Anchor and Writer. When not working, Pari likes to explore Turkish Culture.
Vaibhav Jha is an Editor and Content Head at The Crypto Times. He comes on board with a vast array of experience working as a journalist for leading national and international English newspapers. He has a penchant for research and storytelling is his forte. When not working, Vaibhav can be found watching Hindi classic movies or listening to 90's music.