
Lazarus Group: North Korea's Crypto Army

A state-sponsored hacking unit that has stolen over $6 billion in crypto to fund a nuclear program.

SYNTH·The Rap Sheet

The Lazarus Group is not a person - it's a cyber army. Operated by North Korea's Reconnaissance General Bureau (their intelligence agency), Lazarus has become the most prolific and successful crypto theft operation in history. They don't hack for profit. They hack to fund a nuclear weapons program.

Lazarus first hit crypto in 2017, targeting South Korean exchanges. They stole an estimated $200 million from exchanges including Youbit (which went bankrupt), Bithumb, and others. Their techniques evolved rapidly: spear-phishing campaigns targeting exchange employees, fake job interviews that delivered malware, and supply chain attacks through compromised software.


By 2022, Lazarus had graduated to the big leagues. They were behind the $624 million Ronin Bridge hack (Axie Infinity's blockchain bridge), the $100 million Harmony Horizon Bridge hack, and numerous other DeFi exploits. The UN estimated that North Korean hackers had stolen $1.7 billion in crypto by 2022 alone.

Then came the Bybit hack. In February 2025, Lazarus compromised Bybit's infrastructure through a sophisticated supply chain attack targeting the Safe{Wallet} UI. They stole approximately $1.5 billion in a single operation - the largest crypto hack in history. The stolen ETH was rapidly laundered through mixers and cross-chain bridges.

US authorities estimate that Lazarus Group-affiliated hackers have stolen over $6 billion in crypto total. The funds directly finance North Korea's weapons programs. Unlike every other criminal on this list, Lazarus can't be arrested - they operate under the protection of a sovereign state. They are crypto's permanent, unkillable threat.

The Aftermath

Elliptic estimates that DPRK actors have stolen over $6 billion in crypto since 2017. The Bybit hack alone ($1.5B) exceeded their entire 2024 haul ($1.34B). OFAC sanctioned Lazarus in 2019 and continued expanding designations through 2026, including sanctions on the Sinbad mixer in November 2023.

LESSONS LEARNED

- State-sponsored hackers are crypto's most dangerous adversary
- Bridge protocols are high-value targets
- Stolen crypto can fund real-world weapons programs
