North Korean Crypto Attacks Rising in Sophistication, Actors — Paradigm

North Korea's cyberwarfare attacks on the cryptocurrency industry have become increasingly sophisticated and widespread, with crypto firm Paradigm warning that the threats are becoming more complex and brazen.

The report, titled "Demystifying the North Korean Threat," reveals that North Korean-originated cyberattacks range from social engineering attempts to complex supply chain hijacks, phishing attacks, and assaults on exchanges. In some cases, these attacks can take a year to play out, with North Korean operatives biding their time before striking.

The United Nations estimates that between 2017 and 2023, North Korean hackers netted the country a staggering $3 billion. However, this figure has skyrocketed in 2024 and this year, with successful attacks against crypto exchanges WazirX and Bybit netting the attackers around $1.7 billion.

Paradigm identifies at least five North Korean organizations orchestrating these attacks: Lazarus Group, Spinout, AppleJeus, Dangerous Password, and TraitorTrader. There is also a coalition of North Korean operatives who pose as IT workers, infiltrating tech companies around the world.

The most well-known North Korean hacking team, Lazarus Group, has been credited with some of the most high-profile cyberattacks since 2016. The group hacked Sony and the Bank of Bangladesh in 2016 and helped orchestrate the WannaCry 2.0 ransomware attack in 2017.

Lazarus Group has also taken aim at the cryptocurrency industry, sometimes to great effect. In 2017, the group hit two crypto exchanges, Youbit and Bithumb. In 2022, it exploited the Ronin Bridge, resulting in hundreds of millions in lost assets. And in 2025, it infamously stole $1.5 billion from Bybit, sending shockwaves throughout the crypto community.

The group's money laundering methods are also predictable and have been studied by experts. After securing a haul, Lazarus Group breaks up the stolen amount into smaller pieces, sending them to countless other wallets. It then swaps the more illiquid coins for those with higher liquidity and converts much of it to Bitcoin (BTC). The group may sit on the stolen money for a long period of time until the attention from law enforcement dies down.

The FBI has identified three alleged members of the Lazarus Group, accusing them of cybercrimes. In February 2021, the US Justice Department indicted two of those members for involvement in global cybercrimes.