
How to Respond to Crypto Theft Linked to North Korean Hackers

Public reporting by blockchain analytics firms and government agencies indicates that North Korean state-sponsored hackers, often grouped under the label “Lazarus Group,” have been responsible for a very large share of global cryptocurrency theft in recent years. These operations have been associated with multi-hundred-million-dollar exchange and bridge hacks, with several reports estimating total DPRK-linked crypto thefts in the billions of dollars since 2017. These proceeds are widely understood to contribute to North Korea’s sanctioned weapons programs, which is why disrupting these attacks and responding quickly to incidents is a priority for both industry and regulators.

At Crypto Trace Labs, our team includes senior leaders with prior roles at major global exchanges and blockchain companies. We have supported investigations into incidents attributed to North Korean-linked actors and helped victims and institutions understand their options for response, tracing, and potential recovery. This guide provides a high-level overview of how these attacks typically work, what defensive and recovery mechanisms exist, and how organizations can respond in a manner aligned with legal, regulatory, and sanctions obligations.

This article is an informational overview for risk, compliance, and security professionals. It is not a guide for committing cybercrime or evading law enforcement, and nothing in it should be used for any unlawful purpose.

Who Is the Lazarus Group?

“Lazarus Group” is an umbrella term that researchers and government agencies use for several interconnected North Korean cyber units believed to operate under the Reconnaissance General Bureau (RGB), the country’s main foreign intelligence service. Different security vendors and agencies use labels such as APT38, TraderTraitor, Jade Sleet, Hidden Cobra, or Labyrinth Chollima to describe overlapping clusters of activity. While naming conventions differ, the consensus is that these actors operate with state resources and long-term strategic objectives.

Unlike typical financially motivated cybercriminals, these teams are assessed to focus on generating revenue for the North Korean state in the face of extensive international sanctions. Over time, their activity has shifted from more traditional financial targets to cryptocurrency platforms and infrastructure. Digital assets can be stolen and moved globally at high speed, often without direct interaction with traditional banks, which makes crypto a particularly attractive target for a sanctioned regime.

What Are the Notable North Korea-Linked Crypto Attacks?

Public reports show a steady escalation in both scale and sophistication of DPRK-associated cryptocurrency operations. The incidents below represent some of the most widely discussed cases; specific figures and methods are based on public reporting and may evolve as further information emerges.

Bybit Exchange (2025): Roughly $1.5 billion in ETH and ETH-denominated tokens, the largest cryptocurrency theft on record at the time. The FBI attributed it to TraderTraitor, and investigators traced the intrusion to a compromised third-party multisig wallet provider rather than the exchange's own systems.

Upbit Exchange (2025): Tens of millions in reported losses, with the method not fully disclosed publicly.

Atomic Wallet (2023): Around $100 million stolen through phishing or supply chain compromise affecting individual users.

Ronin Bridge / Axie Infinity (2022): About $620 million stolen after a fake job offer delivered malware to a Sky Mavis engineer; the attackers ended up controlling five of the nine validator keys required to approve withdrawals from the bridge.

Horizon Bridge (2022): Around $100 million stolen through private key compromise.

KuCoin Exchange (2020): Over $250 million stolen through private key theft.

In the Bybit case, investigators reported that the attackers compromised a developer machine at the third-party multisig wallet provider the exchange relied on, rather than the exchange itself, and injected malicious JavaScript into the provider's web interface. When the exchange's signers approved what that interface displayed as a routine transfer between its own wallets, the payload they actually signed was different: a delegatecall that replaced the multisig's implementation logic with attacker-controlled code, after which the wallet was drained to attacker addresses. The practical lesson is that the signing interface is part of the trusted computing base, and signers need a way to verify the raw transaction independently of what a web page shows them. Investigators and project developers have described these intrusions as the product of months of preparation, involving social engineering and careful study of operational processes, rather than quick opportunistic attacks.

How Do North Korean Actors Launder Stolen Funds?

Blockchain analytics firms and law enforcement have publicly described recurring patterns in how North Korean-linked actors attempt to launder stolen cryptocurrency. Understanding these patterns at a high level helps victims, exchanges, and compliance teams identify potential intervention points.

A commonly observed pattern involves several waves over a period of weeks:

Initial Obfuscation (First Days): Immediately after a theft, funds are rapidly split and moved through a variety of addresses, decentralized protocols, and cross-chain bridges. The goal is to create distance between the original theft addresses and later destinations.

Early Integration (Days to Weeks): Stolen assets are converted between different cryptocurrencies and begin to appear at centralized exchanges, lesser-known services, or additional blending mechanisms. Large amounts may be converted from one major asset into another.

Late-Stage Integration (Following Weeks): Funds flow through services and over-the-counter (OTC) brokers in jurisdictions with weaker controls, with the goal of exiting into fiat currency or embedding funds in accounts that are harder to link directly to the original theft.

Analytics and law enforcement reports have highlighted the role of professional money-laundering networks, including brokers operating in certain regional markets, that provide specialized services to sanctioned actors. These intermediaries create both challenges and opportunities for investigators, since they leave additional behavioral and transactional traces on chain.

For more information on how blockchain forensics works, see our technical guide.

Is Recovery Possible After a North Korea-Linked Attack?

Full recovery from a major state-sponsored crypto theft is rare, but partial recovery or disruption is sometimes achievable, especially when action is taken quickly and in coordination with compliant service providers. Several mechanisms have proven important in prior incidents.

Exchange Freezes: Centralized exchanges with strong AML compliance programs can identify and freeze suspicious deposits linked to known or suspected theft addresses, especially when alerted promptly by victims, analytics firms, or law enforcement.

Stablecoin Controls: Certain stablecoin issuers have the technical ability to freeze tokens held at specific addresses, including those linked to sanctioned actors, once they receive appropriate legal or law enforcement requests.

Sanctions Designations: The U.S. Treasury’s Office of Foreign Assets Control (OFAC) and other authorities have designated specific wallet addresses, mixers, exchanges, and individuals linked to DPRK-associated activity. These designations legally restrict transactions with the listed parties by persons under the relevant jurisdictions.

International Coordination: Law enforcement and regulators in multiple countries may issue public alerts listing addresses associated with a specific incident and requesting that service providers block or report related activity.

The common thread across all of these tools is speed. The most realistic window to intercept or freeze funds is often measured in hours to a few days after the theft is detected. Once assets have moved through multiple layers of obfuscation and reached non-cooperative or lightly regulated services, the likelihood of recovery drops sharply.

What Should Institutional Victims Do Immediately?

Organizations that suspect they have been targeted by North Korean-linked or other sophisticated actors should pursue technical, legal, and communications workstreams in parallel. The exact response plan will depend on jurisdiction and regulatory obligations, so these steps should be adapted with the help of qualified advisors.

Technical and Investigative Response:

Document all known transaction hashes, wallet addresses, timestamps, and amounts related to the incident. Engage specialized blockchain forensics or analytics providers to begin near real-time tracing of funds across relevant chains and services. Identify which exchanges, bridges, or service providers received stolen funds and, where appropriate, notify their compliance teams with urgent freeze requests. Preserve system logs, access records, security tooling outputs, and any relevant communications for later analysis.
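The laundering waves described earlier and the tracing step above both come down to the same operation: replaying transfers in time order from the theft address and asking how much stolen value is sitting at a compliant choke point at a given moment. The following is an added example, not Crypto Trace Labs code or any analytics vendor's implementation; it uses the proportional ("haircut") taint model over a small transfer graph that is entirely constructed, with hypothetical addresses such as 0xTHEFT and 0xEXCH1_DEP and a hypothetical CHOKE_POINTS map standing in for exchange deposit clusters that a real investigation would obtain from an analytics provider.

```python
# Added example (not Crypto Trace Labs code): hop-by-hop proportional taint
# tracing over a transfer graph, evaluated at successive cut-off times.
# All addresses, timestamps and amounts below are constructed for illustration.
from collections import defaultdict

# Constructed transfers: (UTC timestamp, from, to, amount). Fixed-width ISO-8601
# strings in UTC sort correctly as plain strings, which the tracer relies on.
TRANSFERS = [
    ("2025-02-21T14:00:00Z", "0xTHEFT", "0xA",         700.0),
    ("2025-02-21T14:05:00Z", "0xTHEFT", "0xB",         300.0),
    ("2025-02-21T15:00:00Z", "0xFRESH", "0xB",         300.0),  # unrelated clean funds
    ("2025-02-21T18:00:00Z", "0xA",     "0xEXCH1_DEP", 700.0),  # exchange deposit address
    ("2025-02-22T09:00:00Z", "0xB",     "0xOTC",       600.0),
    ("2025-02-23T11:00:00Z", "0xOTC",   "0xEXCH2_DEP", 200.0),
]
STOLEN = {"0xTHEFT": 1000.0}  # theft address(es) and amounts, fully tainted
# Hypothetical map of deposit addresses to the compliant venue that controls them.
CHOKE_POINTS = {"0xEXCH1_DEP": "Exchange 1", "0xEXCH2_DEP": "Exchange 2"}


def trace(transfers, stolen, cutoff=None):
    """Replay transfers in time order, tracking balance and tainted share per address.

    Taint moves in proportion to the sender's tainted share ("haircut" method):
    an address holding 600 of which 300 is stolen passes on 50% taint. A sender
    with no observed balance (e.g. 0xFRESH) is an external source whose funds are
    treated as clean. If a sender moves more than its observed balance, the excess
    is assumed to come from unobserved clean inflows and all of its taint moves.
    Returns (balance, tainted) dicts as of the cut-off timestamp (None = all).
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    for addr, amt in stolen.items():
        balance[addr] += amt
        tainted[addr] += amt
    for ts, src, dst, amt in sorted(transfers):
        if cutoff is not None and ts > cutoff:
            break
        bal = balance[src]
        if bal <= 0:
            moved = 0.0
        elif amt >= bal:
            moved = tainted[src]
        else:
            moved = tainted[src] * amt / bal
        balance[src] = max(0.0, bal - amt)
        tainted[src] -= moved
        balance[dst] += amt
        tainted[dst] += moved
    return balance, tainted


def exposure_at(transfers, stolen, choke_points, cutoff=None):
    """Tainted amount sitting at each known choke point at the cut-off time."""
    _, tainted = trace(transfers, stolen, cutoff)
    return {name: tainted[addr] for addr, name in choke_points.items() if tainted[addr] > 0}


if __name__ == "__main__":
    # Shows the window closing: 700 reachable at Exchange 1 on day one, only a
    # diluted 100 reaching Exchange 2 by day three, with 0xOTC holding the rest.
    for cutoff in ("2025-02-21T23:59:59Z", "2025-02-22T23:59:59Z", None):
        print(cutoff or "all", exposure_at(TRANSFERS, STOLEN, CHOKE_POINTS, cutoff))
```

Running it with successive cut-offs is the point: on the first day 700 units of traceable stolen value are at a venue that can freeze them; by day three the remaining taint has been diluted with clean funds at 0xOTC and only 100 units reach a second venue. The haircut model is one of several conventions (others follow first-in-first-out or poison the whole balance); freeze requests should state which one was used, because counterparties' compliance teams will re-run the trace with their own tooling.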

Legal, Regulatory, and Sanctions Response:

Notify relevant national cybercrime and financial-crime reporting channels, in line with local requirements. Engage legal counsel experienced in both cyber incidents and sanctions/AML issues to guide response strategy and communication with authorities. Assess potential sanctions exposure, especially where DPRK or other designated actors may be involved, and coordinate with counsel and regulators as needed. Review available options for civil litigation or recovery proceedings in jurisdictions where counterparties or assets may be reachable. Collect and organize documentation that may be needed for insurance claims, regulatory inquiries, or litigation.

Communications and Customer Management:

Prepare clear, factual notifications for affected customers that avoid speculation but provide enough detail to maintain trust. Coordinate public statements with legal counsel and, where advised, with law enforcement, to avoid compromising ongoing investigations. Establish dedicated support channels for affected users and document all remediation efforts, as this may be relevant for regulators and insurers.

Organizations should ensure that all response actions comply with applicable sanctions, AML, data-protection, and other regulatory regimes in their own jurisdictions.

What Sanctions Apply to North Korea-Linked Crypto Activity?

Over the past several years, OFAC and other authorities have constructed a detailed sanctions framework around North Korean cyber and crypto operations. This includes designations of specific North Korean cyber units and associated individuals, wallet addresses linked to major hacks once publicly attributed, cryptocurrency mixing services assessed to have been used extensively by DPRK-associated actors, and exchanges and OTC brokers believed to facilitate laundering for sanctioned entities.

For financial institutions and virtual asset service providers, these designations create direct compliance obligations. Transacting with listed entities or addresses, or processing funds that can be linked to them, may trigger regulatory consequences, even if the initial contact was unwitting. Comprehensive sanctions screening and transaction monitoring, using up-to-date data from analytics providers and official lists, is therefore essential.

Crypto Trace Labs maintains access to industry-leading blockchain analytics tools from Chainalysis and Elliptic that incorporate OFAC designation data, enabling real-time screening against sanctioned addresses.

Organizations should consult legal and compliance professionals to understand how sanctions regimes apply to their specific operations and jurisdictions.

How Do These Attacks Target Exchanges and Platforms?

Understanding how state-linked cyber groups typically gain access helps institutions strengthen defenses and aids investigators in reconstructing incidents.

Supply Chain Compromise: Instead of attacking an exchange directly, attackers may focus on third-party software, wallet infrastructure, or service providers that the exchange trusts. Compromising a developer or build pipeline can allow malicious code to be deployed in production systems.

Social Engineering: DPRK-linked actors have been reported to approach employees or contractors while posing as recruiters, business partners, or fellow developers, often over a prolonged period. The eventual goal is to deliver malware, obtain credentials, or convince targets to perform risky actions.

Insider or IT Worker Schemes: Public indictments and advisories have described schemes where North Korean nationals obtain remote work under false identities, sometimes using intermediaries. Such insiders can provide access, intelligence, or influence over critical systems.

Private Key Theft: In many cases, the ultimate technical objective is access to private keys controlling large pools of funds. This can result from endpoint compromise, poor key-management practices, or vulnerabilities in wallet infrastructure.
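The supply-chain and private-key items above, and the Bybit-style interface tampering described earlier, share one defence: a signer verifies the raw transaction fields, fetched independently of the web front end and compared against the hardware-wallet display, before approving. The following is an added example of such a pre-signature policy check, not Crypto Trace Labs code and not any wallet vendor's implementation. The policy, the token and recipient addresses (0x1111..., 0x2222...) and the three proposals are constructed; the ERC-20 function selectors and the CALL/DELEGATECALL operation codes are the real values.

```python
# Added example (not Crypto Trace Labs code): an independent policy check on a
# multisig transaction proposal before a signer approves it. It works from the raw
# proposal fields (to, value, data, operation), never from what a web UI renders,
# so a tampered front end cannot change what is checked. Addresses and limits are
# constructed; the ERC-20 selectors are the real four-byte function selectors.

ERC20_TRANSFER = "a9059cbb"   # keccak256("transfer(address,uint256)")[:4]
ERC20_APPROVE = "095ea7b3"    # keccak256("approve(address,uint256)")[:4]
CALL, DELEGATECALL = 0, 1     # Safe-style "operation" field

# Constructed policy for a treasury multisig.
POLICY = {
    "tokens": {"0x1111111111111111111111111111111111111111": ("USDC", 6)},
    "recipients": {"0x2222222222222222222222222222222222222222"},  # cold wallet
    "max_units": {"USDC": 5_000_000 * 10**6},                     # per-transaction cap
}


def encode_transfer(recipient, amount):
    """ABI-encode transfer(address,uint256); used here only to build sample proposals."""
    return "0x" + ERC20_TRANSFER + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")


def decode_transfer(data):
    """Return (recipient, amount) if data is exactly an ERC-20 transfer call, else None."""
    raw = data[2:] if data.startswith("0x") else data
    if len(raw) != 8 + 64 + 64 or raw[:8].lower() != ERC20_TRANSFER:
        return None
    if raw[8:32] != "0" * 24:   # high 12 bytes of the address word must be zero
        return None
    return "0x" + raw[32:72].lower(), int(raw[72:136], 16)


def verify_proposal(p, policy=POLICY):
    """Return a list of policy violations; an empty list means the proposal may be signed."""
    problems = []
    to = p["to"].lower()
    data = p.get("data") or "0x"
    if p["operation"] != CALL:
        problems.append("operation must be CALL; DELEGATECALL lets the target rewrite "
                        "the wallet's own storage and implementation logic")
    if data == "0x":  # native-asset transfer
        if to not in policy["recipients"]:
            problems.append(f"native transfer to non-allowlisted address {to}")
        return problems
    if p.get("value", 0):
        problems.append("value must be 0 when calling a token contract")
    if to not in policy["tokens"]:
        problems.append(f"target {to} is not an allowlisted token contract")
        return problems
    symbol, _decimals = policy["tokens"][to]
    decoded = decode_transfer(data)
    if decoded is None:
        problems.append("calldata is not a plain ERC-20 transfer (approve and other selectors are refused)")
        return problems
    recipient, amount = decoded
    if recipient not in policy["recipients"]:
        problems.append(f"{symbol} recipient {recipient} is not allowlisted")
    if amount > policy["max_units"][symbol]:
        problems.append(f"{symbol} amount {amount} exceeds the per-transaction cap")
    return problems


# Constructed proposals, as a signer would fetch them from the chain or the
# multisig's API and compare against the hardware-wallet display.
BENIGN = {"to": "0x1111111111111111111111111111111111111111", "value": 0,
          "data": encode_transfer("0x2222222222222222222222222222222222222222", 1_000 * 10**6),
          "operation": CALL}
# Rendered as a routine transfer by a tampered UI, but the payload is a delegatecall
# into an unknown contract: the shape reported in the Bybit incident.
TAMPERED = {"to": "0x3333333333333333333333333333333333333333", "value": 0,
            "data": "0x" + "00" * 4, "operation": DELEGATECALL}
# An approve() granting an unknown spender, disguised as a transfer in the UI.
APPROVE = {"to": "0x1111111111111111111111111111111111111111", "value": 0,
           "data": "0x" + ERC20_APPROVE + "33" * 32 + format(10**30, "064x"),
           "operation": CALL}

if __name__ == "__main__":
    for name, proposal in (("benign", BENIGN), ("tampered", TAMPERED), ("approve", APPROVE)):
        print(name, verify_proposal(proposal) or "OK to sign")
```

The check refuses DELEGATECALL outright for a treasury wallet, refuses any calldata that is not a plain transfer to an allowlisted recipient, and caps amounts; anything else needs a separately approved exception. Its value depends on the proposal being fetched from a source the front end does not control (a node the signer runs, or the multisig's API queried from a separate machine) and on the signer reading the same fields off the hardware wallet's screen rather than trusting the browser.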

For detailed guidance on building a fraud prevention strategy, see our dedicated resource.

How Does State-Sponsored Recovery Differ From Typical Cases?

Incidents attributed to North Korean-linked actors differ from ordinary cybercrime in several important ways.

Typical cybercriminals are motivated by personal financial gain, may sometimes negotiate (as in ransomware cases), have limited resources, operate opportunistically, and can potentially be prosecuted. Recovery windows may extend days to weeks.

DPRK-linked attacks involve state revenue objectives, offer no negotiation possibility, deploy nation-state resources over multi-year campaigns, execute structured and consistently rapid laundering, and operate beyond the reach of most courts. Recovery windows compress to hours or days, and attribution is frequently addressed in public advisories.

Because the operators remain effectively beyond the reach of most criminal courts, traditional deterrence and prosecution options are limited. Recovery and disruption strategies must instead focus on monitoring, sanctions enforcement, and rapid action at exchanges, custodians, and infrastructure providers where stolen funds may transit.

What Role Do Blockchain Analytics Firms Play?

Specialized blockchain analytics companies like Chainalysis, Elliptic, and TRM Labs have become critical to both prevention and response in state-sponsored crypto theft cases. Their contributions typically include real-time or near real-time tracing of stolen funds across multiple blockchains and services, clustering and attribution that links on-chain activity to known threat actors or prior incidents, sanctions screening that enables exchanges and institutions to detect interactions with designated addresses, investigative support for law enforcement and victims including expert reports and testimony where appropriate, and risk scoring and monitoring tools that exchanges and other service providers can integrate into their compliance workflows.

In several high-profile incidents, analytics firms have publicly documented the flow of funds from major hacks, identified overlaps with earlier DPRK-linked infrastructure, and supported subsequent sanctions actions. For victims, engaging such support as early as possible increases the likelihood that suspicious flows are detected at compliant choke points.

What Insurance Options Exist for State-Sponsored Attacks?

Cyber and crime insurance policies differ widely in how they treat cryptocurrency losses and state-sponsored activity. Organizations with significant digital-asset exposure should review existing coverage and new policies with care.

Points to examine with brokers and counsel include whether the policy explicitly covers crypto-asset losses and under what conditions, how “acts of war,” “state-sponsored attacks,” or similar exclusions are defined and applied, whether coverage includes business interruption, incident-response costs, and legal expenses, what documentation, timelines, and notification steps are required after an incident, and whether the policy covers regulatory penalties, customer remediation, or only direct theft.

Major incidents have prompted insurers to reassess digital-asset risk models and capacity. Exchanges and institutional holders that demonstrate strong security controls, incident-response planning, and comprehensive compliance frameworks are often better positioned to secure and maintain coverage on acceptable terms.

Frequently Asked Questions

Has anyone ever recovered funds from North Korea-linked hacks?

Yes, there have been partial recoveries in some well-known cases. In certain incidents, exchanges have frozen incoming funds linked to hack addresses, and stablecoin issuers have frozen tokens associated with sanctioned actors at the request of law enforcement. However, given the speed and sophistication of laundering operations, full recovery is uncommon, and any recovered amount typically represents only a fraction of the initial loss. The most successful interventions occur within hours of theft detection.

Why can’t law enforcement simply arrest the hackers?

Public reporting and indictments indicate that many of the individuals involved in these operations are based in North Korea or operate under its protection. North Korea does not extradite suspects to Western jurisdictions and does not cooperate with most international law enforcement efforts. As a result, criminal indictments are often symbolic or aimed at constraining operators’ movements and financial options, while practical efforts focus on tracking and constraining stolen funds through sanctions and exchange cooperation.

How can I tell if my platform was targeted by North Korean-linked actors?

Attribution usually relies on a combination of technical analysis and intelligence work by blockchain analytics firms and government agencies. Investigators compare wallet clusters, malware, infrastructure, social-engineering patterns, and laundering behavior against previously observed DPRK-linked campaigns. Indicators can include the use of certain mixers or services known to feature heavily in prior DPRK-associated cases and overlaps with addresses referenced in public advisories. Engaging experienced forensics and legal counsel can help clarify attribution over time.

What if my exchange unknowingly receives funds later linked to a DPRK-associated hack?

Receiving funds derived from sanctioned activity can create sanctions and AML risk. Exchanges should have controls to detect and freeze suspicious deposits when possible, file required reports with regulators, and cooperate with law enforcement investigations. Having documented transaction-monitoring and sanctions-screening policies, and promptly adjusting to new advisories and designations, can help demonstrate that the institution is acting in good faith and in line with its obligations.
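The screening obligation described in the sanctions section, and the "promptly adjusting to new advisories and designations" point just above, are shown together in the following added example of deposit screening; it is not Crypto Trace Labs code and not any analytics vendor's product. The designated addresses, designation identifiers and deposits are constructed and none is a real designation. It assumes the institution already has a feed of designated addresses (for instance an OFAC SDN pull) and shows two details that are easy to get wrong: address normalization that respects each chain's case rules, and re-screening of historical deposits whenever the list changes.

```python
# Added example (not Crypto Trace Labs code): deposit screening against a
# designated-address list, with chain-aware normalization and re-screening of
# historical deposits when the list changes. The addresses, designation IDs and
# deposits below are constructed; none is a real designation.

def normalize(chain, address):
    """Canonical form for comparison, respecting each chain's case rules.

    EVM addresses are hex; the EIP-55 mixed case is only a checksum, so the same
    address can legitimately appear in several casings and must be compared
    case-insensitively. Bitcoin base58 (1.../3...) addresses are case-sensitive,
    so lowercasing them would silently change the value; bech32 (bc1...) addresses
    are single-case by definition and canonically lowercase.
    """
    address = address.strip()
    if chain == "eth":
        if len(address) != 42 or not address.startswith("0x"):
            raise ValueError(f"malformed EVM address: {address!r}")
        int(address[2:], 16)  # raises on non-hex characters
        return address.lower()
    if chain == "btc":
        if address[:3].lower() == "bc1":
            return address.lower()
        return address
    raise ValueError(f"unsupported chain: {chain}")


class SanctionsScreener:
    def __init__(self):
        self.listed = {}     # (chain, normalized address) -> designation id
        self.deposits = []   # every screened deposit, kept for re-screening
        self.flagged = {}    # deposit id -> designation id

    def update_list(self, entries):
        """Load (chain, address, designation_id) records, e.g. from a fresh list pull,
        then re-screen everything seen so far. Returns ids of deposits newly flagged."""
        for chain, address, designation in entries:
            self.listed[(chain, normalize(chain, address))] = designation
        newly = []
        for dep in self.deposits:
            if dep["id"] not in self.flagged and self._hit(dep):
                newly.append(dep["id"])
        return newly

    def _hit(self, dep):
        key = (dep["chain"], normalize(dep["chain"], dep["from"]))
        designation = self.listed.get(key)
        if designation:
            self.flagged[dep["id"]] = designation
        return designation is not None

    def screen(self, dep):
        """Screen one incoming deposit and return the action it should receive."""
        self.deposits.append(dep)
        if self._hit(dep):
            return "HOLD_AND_ESCALATE"  # do not credit; alert compliance; report as required
        return "CREDIT"


# Constructed list versions and deposits for a stand-alone run.
LIST_V1 = [("eth", "0x00000000000000000000000000000000DEADBEEF", "CONSTRUCTED-DPRK-1")]
LIST_V2 = LIST_V1 + [("btc", "1ConstructedBase58AddressXXXXXXXXXX", "CONSTRUCTED-DPRK-2")]
DEPOSITS = [
    {"id": "d1", "chain": "eth", "from": "0x00000000000000000000000000000000deadbeef", "amount": 5.0},
    {"id": "d2", "chain": "btc", "from": "1ConstructedBase58AddressXXXXXXXXXX", "amount": 0.5},
    {"id": "d3", "chain": "btc", "from": "1constructedbase58addressxxxxxxxxxx", "amount": 0.5},
]


def run_demo():
    """Screen deposits against list v1, then publish v2 and see what is caught late."""
    s = SanctionsScreener()
    s.update_list(LIST_V1)
    actions = {d["id"]: s.screen(d) for d in DEPOSITS}
    newly = s.update_list(LIST_V2)  # designation published after the deposits landed
    return actions, newly, dict(s.flagged)


if __name__ == "__main__":
    print(run_demo())
```

In the demo, d1 is caught on arrival despite the different hex casing, d2 is caught only when the later list version lands (which is the case the FAQ asks about: the deposit was already credited, and the record of the re-screen is what shows the institution acted once it could), and d3 is correctly not matched because a base58 address in different case is a different string. Direct matching is the floor, not the ceiling; production screening also scores deposits whose funds passed through a designated address a few hops earlier, which needs a transfer-graph trace rather than a list lookup.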

Can cryptocurrency really be traced through mixers?

While mixers and certain privacy tools are explicitly designed to increase on-chain anonymity, they do not guarantee perfect secrecy. Analytics firms and law enforcement have developed techniques to infer flows through such services using patterns of timing, amounts, transaction graphs, and auxiliary intelligence. Several mixers widely believed to have served DPRK-linked actors have been sanctioned or disrupted, illustrating that coordinated investigative and regulatory action can significantly degrade their effectiveness.
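The "patterns of timing, amounts" technique mentioned above can be shown concretely for an opaque custodial service (a custodial mixer, instant-swap service or OTC desk) whose deposit and payout addresses are known. The following is an added example, not Crypto Trace Labs code and not any analytics vendor's method: for each payout it lists the deposits that precede it within an assumed hold window and whose amount, net of an assumed fee range, matches. The events, the fee range and the window are all constructed assumptions.

```python
# Added example (not Crypto Trace Labs code): linking payouts of an opaque service
# back to deposits by amount and timing. This is a heuristic, not proof: each
# result is a candidate set, and its size is the anonymity the service actually
# provided for that payout. All events, fees and windows are constructed.
from datetime import datetime, timedelta

FEE_LO, FEE_HI = 0.005, 0.03   # assumed fee range the service retains (0.5% to 3%)
WINDOW = timedelta(hours=12)   # assumed maximum hold time between deposit and payout

INFLOWS = [   # (UTC time, depositor, amount) into the service's deposit addresses
    ("2025-02-22T10:00:00Z", "0xHOP3a", 150.0),
    ("2025-02-22T10:20:00Z", "0xHOP3b", 150.0),
    ("2025-02-22T11:00:00Z", "0xUNRELATED", 40.0),
    ("2025-02-22T13:00:00Z", "0xHOP3c", 900.0),
]
OUTFLOWS = [  # (UTC time, recipient, amount) paid out by the service
    ("2025-02-22T10:45:00Z", "0xOUT1", 147.0),  # 150 less 2%: two equal-size candidates
    ("2025-02-22T11:30:00Z", "0xOUT2", 39.5),   # 40 less 1.25%: one candidate
    ("2025-02-22T14:10:00Z", "0xOUT3", 882.0),  # 900 less 2%: one candidate
    ("2025-02-23T09:00:00Z", "0xOUT4", 147.0),  # outside every window: no candidate
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(inflows, outflows, fee_lo=FEE_LO, fee_hi=FEE_HI, window=WINDOW):
    """For each payout, list deposits that precede it within the window and whose
    amount net of the assumed fee range brackets the payout.
    Returns {recipient: [candidate depositors]}."""
    result = {}
    for out_ts, recipient, out_amt in outflows:
        t_out = parse(out_ts)
        cands = []
        for in_ts, depositor, in_amt in inflows:
            t_in = parse(in_ts)
            if not (t_out - window <= t_in <= t_out):
                continue
            if in_amt * (1 - fee_hi) <= out_amt <= in_amt * (1 - fee_lo):
                cands.append(depositor)
        result[recipient] = cands
    return result


def strong_links(result):
    """Payouts with exactly one candidate: the links worth putting in a freeze request."""
    return {recipient: cands[0] for recipient, cands in result.items() if len(cands) == 1}


if __name__ == "__main__":
    links = correlate(INFLOWS, OUTFLOWS)
    print(links)
    print(strong_links(links))
```

Two deposits of identical size within the same window leave 0xOUT1 with a candidate set of two, which is exactly the effect a launderer is paying for; the odd-sized deposits are linked uniquely. Fixed-denomination pools defeat amount matching by construction, so against them analysts fall back on timing, on who paid the withdrawal's gas, and on address reuse after the withdrawal; the candidate-set structure of the output is the same, only the matching predicate changes.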

Should individual investors be worried about these attacks?

Most DPRK-associated campaigns focus on high-value institutional or infrastructure targets, such as exchanges, custodians, or bridges. However, individual users can still be affected indirectly when a custodial platform suffers a breach or when wallets are compromised through phishing or malicious updates. Good security practices such as using hardware wallets for significant holdings, enabling strong authentication, and remaining skeptical of unsolicited job or investment offers remain important for individuals.

How long do I have to act if my organization is hacked?

In practice, the most critical period for potential intervention is the first several hours to a few days after an incident is detected. The initial days often see the most intense movement and conversion of assets. While investigative work continues beyond that point, the probability of successfully freezing significant amounts decreases as funds move through additional layers and reach non-cooperative entities. Incident-response playbooks should be designed so that key technical, legal, and communications steps can be initiated immediately.

What Should You Do Next?

This guide was prepared by the team at Crypto Trace Labs, drawing on 10+ years of crypto and financial crime experience. Our founders held VP and Director positions at Blockchain.com, Kraken, and Coinbase, and hold ACAMS certifications, MLRO qualifications across UK, US, and Europe, and Chartered status at Fellow Grade. We have provided expert witness testimony in court proceedings and maintain executive-level contacts at major exchanges for expedited cooperation during investigations.

In suspected North Korea-linked or other complex cases, we can support rapid forensic assessment and fund-flow tracing, coordinate with exchanges, custodians, and analytics partners to help identify and freeze suspicious flows where possible, work alongside your legal and compliance teams to ensure response actions align with applicable laws and sanctions regimes, and provide expert analysis and testimony to support investigations, litigation, or regulatory engagement.

If your organization has experienced a cryptocurrency theft – whether or not North Korean involvement is suspected – early professional support can materially improve your understanding of the incident and your chances of mitigating impact. We offer no upfront charge for non-custodial wallet recoveries – you only pay after successful fund recovery.

Contact Crypto Trace Labs for confidential consultation on cryptocurrency theft response and investigations.


This content is for general informational purposes only. It does not constitute legal, financial, tax, or compliance advice, and it should not be relied upon as a substitute for advice from qualified professionals familiar with your specific circumstances. Crypto asset recovery outcomes depend on specific circumstances, regulatory cooperation, and technical factors.


Crypto Trace Labs

Crypto Trace Labs is a professional team specializing in cryptocurrency tracing and recovery. With years of experience assisting law enforcement, legal teams, and fraud victims worldwide, we provide expert blockchain analysis, crypto asset recovery, and investigative guidance to help clients secure their digital assets.
