Introduction
Lazarus Group, a North Korean state-sponsored hacking unit, has rewritten the rulebook on cybercrime in crypto. Since 2017, they’ve stolen over $6 billion in digital assets across a series of high-profile exchange, wallet, and DeFi bridge hacks. This timeline breaks down how Lazarus evolved, where they struck, and what it means for global crypto security.
2017–2018: Early Exchange Hacks
- Feb 2017 - Bithumb (South Korea): Bithumb experienced account intrusions that led to losses in BTC and ETH. Investigations pointed to phishing and credential theft as the initial foothold. At this stage Lazarus-style actors exploited human weaknesses — forged emails and compromised employee workstations — to get access to exchange backends and hot wallets.
- Dec 2017 - NiceHash (Slovenia): NiceHash lost approximately 4,500 BTC after attackers stole private keys from an online wallet. The attack highlighted weak operational separation between hot wallets and business systems: once attackers gained access to credentials or private keys on an exposed system, they were able to drain funds quickly.
- Jan 2018 - Coincheck (Japan): Coincheck’s $530M NEM theft was largely a hot-wallet compromise. Attackers moved funds out of a wallet that, crucially, lacked multi-signature protections. The incident emphasized the necessity of cold storage and strong key management for custodians.
2019–2020: Bigger Targets, Larger Sums
- Nov 2019 - Upbit (South Korea): The Upbit breach involved the theft of hundreds of thousands of ether. Forensic work suggested an insider or credential compromise allowed the attackers to access withdrawal systems. Lazarus-style groups began combining earlier phishing techniques with more targeted reconnaissance of exchange infrastructure.
- Sept 2020 - KuCoin (Singapore): KuCoin’s $275M loss showed improved post-attack laundering: attackers immediately used DEXs, cross-chain swaps and mixers to commingle funds. KuCoin later suggested that attackers had obtained private keys from third-party hot wallets, then rapidly moved assets through many chains, a pattern the group would repeat as they chased larger hauls.
2022: Lazarus Turns to DeFi
- Mar 2022 - Ronin Bridge (Axie Infinity): The Ronin attack was a turning point. Rather than simply stealing from hot wallets, attackers gained control of validator nodes and used forged signatures to approve a withdrawal of roughly $620M. The attackers used social engineering to compromise private keys for validators and then signed fabricated transactions — an attack that exposed the fragility of trust assumptions in some bridge models.
- Jun 2022 - Harmony’s Horizon Bridge: Harmony’s bridge was drained of about $100M after attackers obtained private keys linked to the bridge’s multisig. The incident again demonstrated how decentralized-looking systems can still be undermined if key management is centralized or if validators are compromised.
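As an added defensive illustration (not code from this article or from any of the projects it names), the following Python approval policy shows the two controls these bridge incidents argue for: a signer threshold counted over distinct keys, and a refusal to release funds when one organisation supplies most of the signatures. Validator names, organisations, threshold and limits are constructed sample values.

```python
"""Added example: an m-of-n release policy a bridge or custodian could
enforce before paying out a withdrawal. Signature verification is assumed
to happen upstream; only the policy decision is shown here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Validator:
    key_id: str
    org: str  # who operationally controls this signing key


# Constructed 9-validator set. "orgA" controls 5 keys, which on its own
# would satisfy a 5-of-9 threshold; the policy below refuses that.
VALIDATORS = {
    "v1": Validator("v1", "orgA"), "v2": Validator("v2", "orgA"),
    "v3": Validator("v3", "orgA"), "v4": Validator("v4", "orgA"),
    "v5": Validator("v5", "orgA"), "v6": Validator("v6", "orgB"),
    "v7": Validator("v7", "orgC"), "v8": Validator("v8", "orgD"),
    "v9": Validator("v9", "orgE"),
}


def check_withdrawal(signers, amount, threshold=5, max_org_share=0.5,
                     per_tx_limit=10_000_000):
    """Return (approved, reason) for a withdrawal request.

    signers: key_ids whose signatures were already verified upstream.
    """
    # Count distinct known signers only: duplicates or unknown keys do
    # not move a request closer to the threshold.
    distinct = {s for s in signers if s in VALIDATORS}
    if len(distinct) < threshold:
        return False, f"only {len(distinct)} of {threshold} required signers"
    # Reject approvals where a single organisation supplies a majority of
    # the signatures: compromising that org alone would meet the threshold.
    orgs = {}
    for k in distinct:
        orgs[VALIDATORS[k].org] = orgs.get(VALIDATORS[k].org, 0) + 1
    top_org, top_count = max(orgs.items(), key=lambda kv: kv[1])
    if top_count / len(distinct) > max_org_share:
        return False, f"{top_org} supplied {top_count}/{len(distinct)} signatures"
    # Large transfers get an out-of-band step instead of automatic release.
    if amount > per_tx_limit:
        return False, f"amount {amount} exceeds per-tx limit {per_tx_limit}"
    return True, "approved"
```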
2023: Wallets and Payment Platforms in Crosshairs
- Jun 2023 - Atomic Wallet: Around $100M in user funds were siphoned from Atomic Wallet users. Evidence pointed to maliciously modified desktop wallet installers and clipboard hijacking malware that altered destination addresses during copy-paste actions. This attack highlights supply-chain risk and the danger users face when installing unverified binaries.
- Jul 2023 - CoinsPaid and Alphapo: These incidents involved targeted compromises of payments infrastructure and withdrawal systems. Investigations suggested a combination of social engineering (fake job offers, trojanized software) and stolen credentials as the root cause; criminals used remote access and deployed tools to extract private keys and execute withdrawals.
- Sept 2023 - Stake.com: The $41M loss at Stake.com was likely the result of key theft or exploitation of weakly protected signing infrastructure. Attackers moved funds through several chains and mixed them to obfuscate provenance, showing solid operational tradecraft.
2024–2025: Billion-Dollar Hacks & Fallout
- Jul 2024 - WazirX (India): WazirX lost about $235M in a breach that combined smart contract exploitation and compromised multisig approvals. In these later attacks Lazarus-style actors are not only stealing from custodial hot wallets but also manipulating signing logic and exploiting weaknesses in contract authorization flows.
- Feb 2025 - Bybit (UAE): The Bybit incident (reported figures in the hundreds of thousands of ETH, with public estimates running into the billions of dollars) represented the largest single crypto heist in the sector to that date. Attackers reportedly gained access to custody platforms and executed large withdrawals, using fast cross-chain swaps and numerous intermediaries to obfuscate the movement. The scale and speed of the cashout indicate a matured laundering pipeline and deep reconnaissance of exchange operations prior to exploitation.
Lazarus Group’s Hacking Tactics
- Social Engineering: Fake recruiters and job offers on LinkedIn or email.
- Malware: Trojanized crypto apps and clipboard hijackers.
- Credential & Key Theft: From exchanges, wallet providers, and bridge validators.
- Money Laundering: Tornado Cash, Sinbad.io, DEXs, and TRON-based token swaps.
Impact & Global Response
- Total Stolen: Over $6 billion in crypto assets.
- Regions Hit: Japan, South Korea, India, UAE, USA, Hong Kong.
- Government Response: US Treasury sanctions, FBI investigations, and blacklisting of wallets and mixers.
Conclusion
Lazarus Group isn’t just a hacker syndicate; they’re a geopolitical cyber weapon. Their evolving playbook now includes DeFi, NFTs, and payment gateways. The global crypto industry is catching up, but the stakes are rising. This timeline shows exactly how they did it and why they’re still the biggest threat in the crypto world today.