What Happened
In December 2025, blockchain intelligence firm Chainalysis published its year-end assessment 1 of DPRK crypto operations. The numbers are bad: North Korean state-sponsored hackers stole $2.02 billion in cryptocurrency across the year, making 2025 the most severe year on record for DPRK-linked theft by value. The cumulative lower-bound estimate for all North Korean crypto theft now stands at $6.75 billion.
The February 2025 Bybit breach accounts for $1.5 billion of that total — the single largest cryptocurrency heist in history. But it wasn’t an isolated event. Fireblocks reported 2 that total crypto theft across all actors reached $3.4 billion in 2025, meaning North Korea was responsible for roughly 60% of the global total. Between June and September 2025 alone, Lazarus executed at least five major operations.
The acceleration is the story. In 2023, major Lazarus heists occurred roughly once every six months. By 2025, the tempo had increased to approximately one every 20 days. This isn’t a crime spree. It’s an industrialized state operation running on shifts, with business development teams, revenue targets, and a laundering infrastructure that would rival a multinational bank.
Why It Matters
The Lazarus Group (also known as TraderTraitor, APT38, Jade Sleet, and HIDDEN COBRA) operates under North Korea’s Reconnaissance General Bureau. Every dollar stolen funds the regime’s nuclear weapons program. The FBI, 3 the UN Security Council, and multiple national intelligence agencies have documented this pipeline directly. There is no ambiguity about where the money goes.
What makes Lazarus uniquely dangerous is its operating environment. North Korea has no extradition treaties. No Interpol cooperation. No financial system to freeze. The U.S. Treasury has sanctioned over 100 Lazarus-linked wallets, but the group simply generates new ones. They operate with total impunity, and their mission isn’t profit for personal enrichment — it’s national survival.
The Bybit hack is the template. Lazarus didn’t break the cryptography. They didn’t exploit a smart contract vulnerability. They compromised a single developer’s laptop at Safe, the third-party wallet software Bybit used for cold storage. The attacker injected malicious code into the transaction interface so that when Bybit’s CEO approved what appeared to be a routine internal transfer, the funds were routed to Lazarus-controlled wallets instead. The multisig system approved the transaction because it looked legitimate to every signer.
This pattern, social engineering over technical exploitation, now defines the majority of Lazarus operations. They impersonate recruiters on LinkedIn and Upwork. They send fake job offers containing malware to developers. They embed operatives as IT contractors inside crypto companies using stolen Western identities. Security Alliance reported 5 in late 2025 that DPRK-linked actors are increasingly operating as recruiters themselves, approaching freelancers with scripted pitches.
Stolen funds follow a documented 45-day multi-wave laundering pathway. 4. In the first five days, assets are immediately fragmented across dozens of wallets through DeFi protocols and mixing services. By day ten, funds shift to exchanges, cross-chain bridges, and second-tier mixers. By day 45, the assets reach Chinese-language OTC brokers and specialized marketplaces for final conversion to fiat. After the Bybit hack, 86% of the stolen ETH had been converted to Bitcoin within a month 6 through this infrastructure.
What This Means for You
If you hold Bitcoin on an exchange, you are trusting that exchange’s entire supply chain — every developer, every contractor, every third-party software provider — to withstand attacks from a nation-state with unlimited patience and no consequences for failure. The Bybit hack proved that even multisig cold storage with institutional security practices can be defeated by compromising a single human in the chain.
Self-custody doesn’t make you immune, but it fundamentally changes your threat model. You are no longer exposed to the supply-chain risk of every vendor your exchange uses. Your risk surface shrinks to your own devices, your own operational discipline, and your own key management. That’s a solvable problem. Defending against a state-sponsored attacker embedded inside your custodian’s software provider is not.
Verify everything. If you use multisig, verify transaction details on the hardware device itself — not on the screen of the computer that initiated the transaction. The Bybit attack succeeded precisely because the screen lied. The hardware wallet is your last honest witness.
What to Watch
Lazarus is expected to expand targeting to stablecoin issuers, DeFi protocols, and CBDC pilot programs in 2026. The IT worker infiltration program is scaling — North Korean operatives are now being discovered inside companies months after hiring. And the laundering infrastructure is growing harder to trace, with Huione and similar platforms processing billions in illicit flows with minimal friction. The arms race between state-sponsored theft and institutional security is accelerating. Your custody decisions should reflect that reality.