Lazarus Group (APT38 / Hidden Cobra): Threat Actor Profile
Lazarus Group is North Korea's most consequential cyber program — part espionage service, part crypto-theft machine responsible for the $1.5B Bybit hack and billions more in stolen funds. A full threat-actor profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.
Lazarus Group is North Korea's flagship cyber program and the most financially successful state-sponsored threat actor in history. It operates as espionage service, sanctions-evasion machine, and disruptive operator all at once. Its public record spans the 2014 Sony Pictures hack, SWIFT-linked bank thefts, the 2017 WannaCry outbreak, and an escalating wave of cryptocurrency heists.
Lazarus Group: at a glance
- Aliases: Hidden Cobra (US government advisories), ZINC / Diamond Sleet (Microsoft, old and new names), Labyrinth Chollima (CrowdStrike), NICKEL ACADEMY (Secureworks), Guardians of Peace (persona used in the Sony attack); APT38, BlueNoroff and TraderTraitor are sub-clusters tracked under the Lazarus umbrella rather than synonyms for the whole
- Country / affiliation: North Korea — DPRK Reconnaissance General Bureau and affiliated apparatus
- Assessed status (as of July 2026): Active
- Primary objectives: Sanctions evasion, cash generation for the regime, strategic technology theft, espionage, and disruptive retaliation
- Financial impact: $1.5B stolen in the February 2025 Bybit hack; DPRK-linked actors also stole $1.34B in 2024, so public 2024–2025 crypto-theft tallies alone exceed $2.8B
- Type: Nation-state APT (state-sponsored financial theft + espionage)
Who is Lazarus Group?
Lazarus Group is the umbrella name for offensive cyber operations run by North Korea's Reconnaissance General Bureau (RGB), the regime's main foreign-intelligence agency. Its record spans espionage, destructive attacks and, above all, theft: the FBI attributed the February 2025 theft of roughly $1.5 billion from the Bybit exchange to DPRK actors it tracks as TraderTraitor, and blockchain-analytics firm Chainalysis attributed $1.34 billion of 2024 crypto theft to DPRK-linked groups. As of 2026 Lazarus is active and remains the largest single source of cryptocurrency theft worldwide.
Aliases and attribution
Lazarus is an umbrella spanning several sub-clusters: APT38 (Mandiant's name for the financially motivated unit behind the SWIFT-linked bank thefts), BlueNoroff (Kaspersky's name for the bank- and crypto-focused unit), and TraderTraitor (the US government's name for the cluster that targets blockchain companies with social engineering and trojanized trading apps). Vendors track the umbrella as Hidden Cobra (US government advisories), ZINC, now Diamond Sleet (Microsoft), and Labyrinth Chollima (CrowdStrike). Attribution to the Reconnaissance General Bureau rests on US Department of Justice charging documents and Treasury sanctions that name the RGB as the controlling agency; the FBI's Bybit attribution reaffirmed DPRK responsibility for the current crypto campaigns.
Financial impact and damage
No other government-run operation has stolen as much. The $1.5B Bybit theft is the single largest crypto heist ever recorded; combined with $1.34B in 2024, DPRK-linked theft over 2024–2025 alone exceeds $2.8B, and all-time totals attributed to the regime run to roughly $6–7 billion. These funds are widely assessed to finance North Korea's weapons programs, making Lazarus a national-security threat, not just a financial one.
Lazarus Group timeline
- 2014: Sony Pictures intrusion and destructive leak
- 2016: Bangladesh Bank heist, $81 million moved through fraudulent SWIFT messages
- 2017: WannaCry ransomware outbreak spreads globally
- 2022: Ronin Bridge theft (roughly $620 million, attributed by the FBI to Lazarus/APT38) and further bridge and exchange heists
- 2024: DPRK-linked crypto-theft totals reach $1.34B for the year
- 2025: FBI attributes the $1.5B Bybit theft to DPRK under TraderTraitor
Notable attacks and campaigns
WannaCry (2017) combined ransomware with the leaked NSA EternalBlue exploit for the SMBv1 flaw patched in MS17-010, so it spread as a worm across unpatched networks worldwide and took dozens of NHS trusts in the UK offline. The Bybit hack (2025) did not break the cold wallet's cryptography: according to Bybit's and Safe{Wallet}'s published forensic findings, the attackers compromised a Safe{Wallet} developer machine, served tampered front-end code to Bybit's signers, and got them to approve a transaction that swapped in malicious wallet logic, after which the stolen funds were rapidly split across many addresses and laundered. BlueNoroff and TraderTraitor increasingly reach crypto firms and developers through fake job offers and coding tests, trojanized trading apps, and software supply-chain compromises.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1566 — Phishing: Lazarus relies on spearphishing and targeted social engineering of traders and developers; the TraderTraitor campaigns (fake job offers, fake coding tests, trojanized trading apps) are the current form. Require hardware-backed MFA, isolate high-risk roles, and block unsigned 'trading' software.
- T1195 — Supply Chain Compromise: Lazarus has a long record of compromising software vendors and update channels. Validate signer chains, review package repositories, and alert when an update's hash or signer deviates from the vendor's published values.
- T1071.001 / T1105 — Application Layer Protocol: Web Protocols / Ingress Tool Transfer: ATT&CK records extensive HTTP(S)-based C2 and follow-on payload staging (AppleJeus-family tooling) for Lazarus. Hunt for periodic HTTPS beacons to low-reputation infrastructure.
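As an added example (not code from the original page or from any vendor product), here are the two hunt items above, finance applications spawning script hosts and periodic HTTPS beacons to infrastructure outside an allowlist, written as Python heuristics over constructed sample telemetry. The event field names, hostnames, file paths and domains are invented for the example; the beacon test is the usual low-variance-interval check and its thresholds would be tuned against real traffic.

```python
"""Hunt heuristics for two Lazarus-style behaviours on constructed telemetry.

Field names (host, parent, child, parent_signed, ts, dest) are assumptions for
this example, not a real EDR or proxy schema.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Parent images whose path suggests trading, wallet or exchange software.
FINANCE_KEYWORDS = ("trading", "trader", "wallet", "exchange", "crypto")
# Child images that a finance GUI application has no business launching.
SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "bash", "sh", "zsh",
    "osascript", "python.exe", "python3",
}

# Constructed process-creation events.
PROCESS_EVENTS = [
    {"host": "trader-07", "parent": r"C:\Program Files\TradingView\TradingView.exe",
     "child": r"C:\Windows\System32\cmd.exe", "parent_signed": True},
    {"host": "trader-07", "parent": r"C:\Users\a\Downloads\CryptoTrader-Pro.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_signed": False},
    {"host": "dev-03", "parent": "/Applications/Slack.app/Contents/MacOS/Slack",
     "child": "/Applications/Slack.app/Contents/MacOS/Slack", "parent_signed": True},
]

# Constructed outbound TLS connection events (epoch seconds, relative).
CONNECTION_EVENTS = [
    *({"host": "dev-03", "dest": "cdn-update-check.example", "ts": t}
      for t in (0, 60, 121, 180, 241, 300)),          # timer-driven, jittered by 1 s
    *({"host": "dev-03", "dest": "pkg-mirror.example", "ts": t}
      for t in (0, 400, 430, 1900, 2000)),             # bursty, human-driven
    *({"host": "dev-03", "dest": "github.com", "ts": t}
      for t in (5, 65, 125, 185, 245, 305)),           # periodic but allowlisted
]
ALLOWLIST = {"github.com", "slack.com", "update.microsoft.com"}


def _basename(path: str) -> str:
    """Last path component, case-folded, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def looks_like_finance_app(path: str) -> bool:
    return any(k in path.lower() for k in FINANCE_KEYWORDS)


def detect_suspicious_spawns(events):
    """Flag finance-looking parents that spawn a script host, and unsigned
    finance-looking binaries. Returns (host, reason, parent, child) tuples.
    A legitimate trading client may occasionally shell out, so in production
    the parent path would be matched against a vetted allowlist first."""
    findings = []
    for e in events:
        if not looks_like_finance_app(e["parent"]):
            continue
        if _basename(e["child"]) in SCRIPT_HOSTS:
            findings.append((e["host"], "finance app spawned script host",
                             e["parent"], e["child"]))
        if not e["parent_signed"]:
            findings.append((e["host"], "unsigned finance-named binary",
                             e["parent"], e["child"]))
    return findings


def detect_beacons(conns, allowlist, min_conns=5, max_cv=0.15):
    """Group connections by (host, destination) and flag non-allowlisted
    destinations contacted at near-constant intervals. The coefficient of
    variation (stdev / mean) of the gaps is the usual beacon signature:
    human or event-driven traffic is bursty, a timer is not."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["host"], c["dest"])].append(c["ts"])
    findings = []
    for (host, dest), times in by_pair.items():
        if dest in allowlist or len(times) < min_conns:
            continue
        ts = sorted(times)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings.append({"host": host, "dest": dest, "count": len(ts),
                             "mean_gap_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


def run_hunt():
    return {"spawns": detect_suspicious_spawns(PROCESS_EVENTS),
            "beacons": detect_beacons(CONNECTION_EVENTS, ALLOWLIST)}


if __name__ == "__main__":
    for section, hits in run_hunt().items():
        print(section)
        for h in hits:
            print("  ", h)
```

On the constructed data the spawn check raises three findings (the TradingView parent launching cmd.exe, and the unsigned CryptoTrader-Pro.exe both for launching PowerShell and for being unsigned), and the beacon check flags only cdn-update-check.example: the package mirror is contacted irregularly and github.com is periodic but allowlisted. Real beacon detection also needs a minimum observation window and a jitter-aware bucket size, which this example leaves at fixed values.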
Detection and defense against Lazarus Group
Lazarus blends elite social engineering with crypto-specific tradecraft, so defense combines identity hardening with financial-workflow controls:
- Require phishing-resistant, hardware-backed MFA and isolate developer and finance roles.
- Block unsigned 'trading' or 'wallet' software and scrutinize unsolicited job offers and code tests.
- Tighten withdrawal workflows: transaction simulation, out-of-band approval, and anomaly checks on wallet-drain patterns.
- Validate software signer chains and monitor package repositories for tampering.
- Hunt for HTTPS beacons to low-reputation infrastructure and finance apps spawning child processes.
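An added example, not from the original page and not any exchange's or wallet vendor's code, of the withdrawal-workflow controls listed above: an out-of-band intent check, a policy gate on the transaction a signer is actually asked to approve, and a statistical check for wallet-drain patterns. It models the transaction the way a Safe-style multisig encodes it (to, value, data, operation, where operation 1 is delegatecall); the addresses, amounts, function selector, withdrawal history and thresholds are constructed for the example.

```python
"""Pre-signing controls for a custody withdrawal, on constructed data.

Transaction fields follow the Safe-style (to, value, data, operation) layout,
where operation 0 is a normal call and 1 is delegatecall. Addresses, amounts
and thresholds below are invented for this example.
"""
import hashlib
import json
from statistics import median

CALL, DELEGATECALL = 0, 1
ERC20_TRANSFER = "a9059cbb"      # first 4 bytes of keccak256("transfer(address,uint256)")
ALLOWED_SELECTORS = {"", ERC20_TRANSFER}   # "" = native-asset transfer, empty calldata
# Constructed destination allowlist: the only places the cold wallet may send to.
DEST_ALLOWLIST = {"0x1111111111111111111111111111111111111111": "hot wallet"}
INTENT_FIELDS = ("to", "value", "data", "operation")
HISTORY = [12000, 15000, 9000, 14000, 11000, 13000]  # constructed recent withdrawals


def intent_digest(tx):
    """Canonical hash of the fields that matter. The approver records this from
    an independent channel (a hardware-wallet display, a second UI) and the
    signer refuses anything whose digest differs, so a tampered front end
    cannot show one transaction and submit another unnoticed."""
    canon = json.dumps({k: tx[k] for k in INTENT_FIELDS}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def selector_of(data: str) -> str:
    return data[2:10].lower() if data.startswith("0x") and len(data) >= 10 else ""


def policy_violations(tx, recorded_intent_digest):
    """Reasons the payload presented for signing must be refused."""
    reasons = []
    if intent_digest(tx) != recorded_intent_digest:
        reasons.append("payload differs from out-of-band recorded intent")
    if tx["operation"] != CALL:
        reasons.append("delegatecall is never a withdrawal: it can rewrite the wallet's own logic")
    if tx["to"].lower() not in DEST_ALLOWLIST:
        reasons.append("destination not on withdrawal allowlist")
    sel = selector_of(tx["data"])
    if sel not in ALLOWED_SELECTORS:
        reasons.append(f"unexpected function selector {sel!r}")
    return reasons


def drain_anomalies(history, proposed, balance, window_outflow, k=5.0, drain_fraction=0.2):
    """Two cheap statistical checks: is this withdrawal far outside the recent
    size distribution (median + k * MAD, robust to a few past outliers), and
    would it push rolling outflow past a fraction of the wallet balance?"""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    limit = med + k * max(mad, 0.01 * med)   # floor so a flat history still has a band
    flags = []
    if proposed > limit:
        flags.append(f"amount {proposed} exceeds robust limit {limit:.0f}")
    if (window_outflow + proposed) / balance > drain_fraction:
        flags.append("rolling outflow would exceed drain threshold")
    return flags


def review(tx, recorded_intent_digest, balance=1_500_000, window_outflow=40_000):
    """All reasons to stop; an empty list means the approver may sign."""
    return (policy_violations(tx, recorded_intent_digest)
            + drain_anomalies(HISTORY, tx["value"], balance, window_outflow))


# Case 1: what the approver saw and what is presented for signing agree.
LEGIT = {"to": "0x1111111111111111111111111111111111111111",
         "value": 18000, "data": "0x", "operation": CALL}
# Case 2: the UI showed LEGIT, but the payload handed to the signer is a
# delegatecall to an unknown contract with constructed calldata.
TAMPERED = {"to": "0x2222222222222222222222222222222222222222", "value": 0,
            "data": "0x12345678" + "00" * 64, "operation": DELEGATECALL}
# Case 3: policy-clean, but far outside the wallet's normal withdrawal size.
OVERSIZED = dict(LEGIT, value=400_000)

if __name__ == "__main__":
    print("legit:    ", review(LEGIT, intent_digest(LEGIT)) or "OK to sign")
    print("tampered: ", review(TAMPERED, intent_digest(LEGIT)))
    print("oversized:", review(OVERSIZED, intent_digest(OVERSIZED)))
```

The tampered case trips all four policy checks even though each signer's screen showed a routine transfer, which is the failure mode a compromised signing front end produces; the oversized case passes policy but trips both drain checks, which is what catches a legitimate-looking sweep of a hot wallet. In a real deployment the intent digest would be computed from the transaction bytes the hardware wallet displays, not from a JSON object the same front end supplied.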
The bottom line
Lazarus Group is the world's most prolific state-sponsored thief — a government cyber program that funds itself, and its regime, by stealing billions in cryptocurrency. See how Lazarus Group ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
Who is the Lazarus Group?
Lazarus Group is North Korea's state-sponsored hacking organization, tied to the Reconnaissance General Bureau. It is also tracked as Hidden Cobra, and APT38 and BlueNoroff are its financially motivated sub-clusters. It is responsible for WannaCry and billions in cryptocurrency theft.
How much has the Lazarus Group stolen?
Public estimates attribute roughly $6–7 billion in all-time crypto theft to DPRK-linked hackers. The single largest was the $1.5 billion Bybit hack in February 2025; 2024 thefts added $1.34 billion.
What is the Lazarus Group's motive?
Primarily money and sanctions evasion. North Korea uses Lazarus to generate cash — widely assessed to fund its weapons programs — alongside espionage and occasional disruptive attacks.
Is BlueNoroff part of Lazarus?
Yes. BlueNoroff and APT38 are financial sub-clusters within the broader Lazarus umbrella, focused on banks and cryptocurrency, while TraderTraitor runs social-engineering campaigns against crypto traders and developers.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: