Demystifying the North Korean Threat

03.31.2025 | samczsun

One fateful morning in February, the SEAL 911 group lit up as we watched in confusion while Bybit withdrew over 1B USD of tokens from their cold wallet into a brand-new address, only to promptly begin liquidating over 200M USD of liquid staking tokens (LSTs). Within minutes, we had confirmation from both the Bybit team and from independent analysis (the multisig, which had previously been using a publicly verified implementation of Safe{Wallet}, was now using a newly deployed, unverified contract) that this was not routine maintenance. Someone had pulled off the biggest hack in cryptocurrency history, and we had a front-row seat.

While part of the team (along with the wider sleuthing community) got to work tracing the funds and sending out notifications to partner exchanges, the rest of the team was trying to figure out what exactly had happened, and whether any other funds were at risk. Fortunately, identifying the perpetrator was easy. Over the past few years, only one known threat actor had successfully stolen billions of dollars from cryptocurrency exchanges: North Korea, also known as the DPRK.

However, beyond that, we had very little to work with. Not only would identifying the root cause of the compromise be challenging, given the sophistication of the DPRK hackers and how thoroughly they clean up after themselves, but even pinning down which specific team within the DPRK was responsible was difficult. All we had to rely on was existing intelligence, which suggested that the DPRK’s preferred route into cryptocurrency exchanges was social engineering, so we considered it likely that the DPRK had compromised the Bybit multisig signers and then deployed malware to interfere with the signing process.

This couldn’t have been further from the truth. As we found out a few days later, DPRK had actually compromised the infrastructure of Safe{Wallet} itself, and had deployed a malicious payload specifically targeting Bybit. This was a level of sophistication that no one had considered or been prepared for, and it was a major update to many of our threat models.

DPRK hackers are an ever-growing threat against our industry, and we can’t defeat an enemy that we don’t know or understand. There are plenty of documented incidents and writeups of the various facets of DPRK cyber operations, but they’re difficult to piece together. I hope that this overview can provide a more comprehensive understanding of how the DPRK operates and what their tactics and procedures are, which in turn will make it easier to implement the correct mitigations.

Organizational Structure

Perhaps the biggest misconception to address is simply how to classify and name the vast range of DPRK cyber activity. While using the term “Lazarus Group” colloquially is acceptable, it helps to be more rigorous when discussing the DPRK in detail.

To start, it helps to have an understanding of the North Korean “org chart”. At the top is the ruling (and only) party of North Korea, the Workers’ Party of Korea (WPK), under which all North Korean government institutions operate. These include the Korean People’s Army (KPA) as well as the Central Committee. Within the KPA is the General Staff Department (GSD), home to the Reconnaissance General Bureau (RGB). Under the Central Committee is the Munitions Industry Department (MID).

The RGB is responsible for almost all North Korean cyber warfare, including nearly all North Korean activity observed in the cryptocurrency industry. In addition to the infamous Lazarus Group, other threat actors that have emerged from the RGB include AppleJeus, APT38, DangerousPassword, and TraderTraitor. The MID, on the other hand, is responsible for North Korea’s nuclear weapons and ballistic missile programs, and is the primary source of North Korean IT workers, tracked within the intelligence community as Contagious Interview and Wagemole.

Lazarus Group

Lazarus Group is a highly sophisticated hacking group to which cybersecurity experts have attributed some of the largest and most devastating hacks in history. Lazarus Group was first identified by Novetta in 2016 during their analysis of the Sony Pictures Entertainment (Sony) hack [1].

In 2014, Sony had been in the process of producing The Interview, an action comedy whose central plot point was the humiliation and subsequent assassination of Kim Jong Un. Understandably, this was not well received by the regime, which retaliated by hacking into Sony’s network, stealing terabytes of data, leaking hundreds of gigabytes of confidential or otherwise sensitive information, and deleting the original copies [2]. As then-CEO Michael Lynton put it, “the folks who did this didn’t just steal practically everything from the house; they burned the house down” [3]. Ultimately, the attack cost Sony at least 15M USD in investigation and remediation [4], and presumably far more in damages.

Then, in 2016, a threat actor with remarkable similarities to Lazarus Group hacked Bangladesh Bank, the country’s central bank, with the goal of stealing almost 1B USD [5]. Over the course of a year, the threat actors social engineered employees at Bangladesh Bank, ultimately securing remote access and pivoting within the bank’s internal network until they reached the computers that interfaced with the SWIFT network. From there, they waited for the perfect opportunity to strike: Bangladesh Bank closes for the weekend on Thursday, but the New York Federal Reserve closes for the weekend on Friday. On Thursday evening, Bangladesh local time, the threat actor used their access to the SWIFT network to send 36 separate transfer requests to the New York Federal Reserve, where it was Thursday morning, local time. Over the next 24 hours, the New York Fed forwarded some of these transfers to the Rizal Commercial Banking Corporation (RCBC) in the Philippines, which began processing them. Then, when Bangladesh Bank reopened and discovered the hack, they attempted to notify RCBC to halt the transactions in progress, only to find that RCBC had closed for the long weekend due to the Chinese New Year.

Finally, in 2017, the massive WannaCry 2.0 ransomware attack, which devastated industries around the world, was attributed in part to Lazarus Group [6]. Estimated to have caused billions of dollars in damages, WannaCry spread using EternalBlue, an exploit for a Windows SMB vulnerability that had been developed by the NSA and leaked by the Shadow Brokers. Microsoft had patched the bug two months earlier, so this was not a 0-day, but unpatched machines were plentiful: the worm not only encrypted the local device but also spread itself to other reachable devices, ultimately infecting hundreds of thousands of machines around the world. Fortunately, the damage was limited by a kill switch, which was discovered and activated within eight hours by security researcher Marcus Hutchins [7].

Throughout Lazarus Group’s history, they’ve demonstrated a high degree of technical competence and ability to execute on their goals, one of which is to generate revenue for the North Korean regime. Therefore, it was only a matter of time before they turned their attention to the cryptocurrency industry.

Spinout

Over time, as “Lazarus Group” became the catch-all term preferred by media for DPRK cyber activity, the cybersecurity industry created more precise designations for specific activity out of Lazarus Group and the DPRK. Such is the case with APT38, which spun out of Lazarus Group in around 2016 to focus on financial crimes, targeting banks (such as Bangladesh Bank) first and cryptocurrency later. Then, in 2018, a new threat designated AppleJeus was identified spreading malware targeted at cryptocurrency users [8]. Finally, North Koreans posing as IT workers have permeated the tech industry since at least 2018, when OFAC first announced sanctions against two front companies used by the North Koreans [9].

North Korean IT Workers

Although the earliest documented reference to North Korean IT workers comes from the 2018 OFAC sanctions, the 2023 report from Unit 42 goes into more detail and identifies two distinct threat actors: Contagious Interview and Wagemole [10].

Contagious Interview operatives pose as recruiters for well-known companies in order to ensnare developers in a fake interview process. From there, prospective candidates are instructed to clone a repository for local debugging, ostensibly as a coding challenge, but in reality the repository contains a backdoor which, when executed, hands control of the affected machine to the attackers. This campaign has been ongoing and has been documented as recently as August 2024 [11].
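A check worth running on any such repository before executing anything in it, as an added example (not code from the original post, and not a detector for any particular campaign’s tooling): it walks a clone looking for the generic hooks that run code without being asked, such as npm lifecycle scripts, VS Code auto-run tasks and package registry overrides, and flags obfuscation patterns in source files. The suspicious sample repository it writes out is constructed here for demonstration.

```python
"""Audit a cloned repository for code that runs without being asked.

Added example, not from the original post and not a detector for any particular
campaign's tooling. The suspicious repository it writes out is constructed here."""
import base64
import json
import os
import re
import tempfile

# Lifecycle scripts that npm/yarn/pnpm execute on their own during `npm install`
NPM_AUTO_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}
# Patterns that have little business in a small take-home exercise
SUSPICIOUS_SOURCE = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"new\s+Function\s*\("), "new Function()"),
    (re.compile(r"child_process|execSync|spawnSync|subprocess\."), "spawns a child process"),
    (re.compile(r"[A-Za-z0-9+/=]{200,}"), "long base64-like blob"),
    (re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I), "hex-escaped string"),
]

def audit_repo(root: str) -> list:
    """Return (relative path, reason) pairs; empty means nothing auto-executes or looks obfuscated."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == "package.json":
                try:
                    pkg = json.loads(text)
                except ValueError:
                    pkg = {}
                scripts = pkg.get("scripts", {}) if isinstance(pkg, dict) else {}
                for hook in sorted(NPM_AUTO_SCRIPTS & set(scripts)):
                    findings.append((rel, f"npm lifecycle hook '{hook}': {scripts[hook]}"))
            elif rel == ".vscode/tasks.json" and re.search(r'"runOn"\s*:\s*"folderOpen"', text):
                findings.append((rel, "VS Code task configured to run when the folder is opened"))
            elif name in {".npmrc", ".yarnrc", ".yarnrc.yml"} and re.search(
                    r"^\s*(registry|npmRegistryServer)\s*[=:]", text, re.M):
                findings.append((rel, "package registry overridden"))
            if os.path.splitext(name)[1] in SOURCE_EXT:
                for pattern, label in SUSPICIOUS_SOURCE:
                    if pattern.search(text):
                        findings.append((rel, label))
    return findings

def build_sample_repo(suspicious: bool = True) -> str:
    """Write a constructed 'coding challenge' repo to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="challenge-")
    files = {"package.json": {"name": "coding-challenge", "scripts": {"test": "jest"}},
             "src/index.js": "module.exports = (a, b) => a + b;\n"}
    if suspicious:
        # Stage-one loader: a postinstall hook that evals a base64 blob (constructed and harmless)
        files["package.json"]["scripts"]["postinstall"] = "node scripts/setup.js"
        blob = base64.b64encode(b"console.log('stage two would fetch the real backdoor here'); " * 4).decode()
        files["scripts/setup.js"] = f"const p = '{blob}';\neval(Buffer.from(p, 'base64').toString());\n"
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content if isinstance(content, str) else json.dumps(content))
    return root

if __name__ == "__main__":
    for rel, reason in audit_repo(build_sample_repo()):
        print(f"{rel}: {reason}")
```

Run it against the clone before `npm install`, `pip install -e .`, or opening the folder in an editor; any finding is a reason to read the flagged file in full, and the lifecycle hooks in particular deserve suspicion because a recruiter’s “debugging exercise” rarely needs one. Heuristics like these catch the lazy cases, not a determined one, so the stronger control is to run unknown code only on a disposable machine or VM with no wallet keys, SSH keys or session cookies on it.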

On the other hand, the primary goal of Wagemole operatives isn’t to hire potential victims, but rather be hired into companies instead, where they simply work as normal, although perhaps less-than-effective, engineers. That being said, there have been documented incidents of IT workers leveraging their access offensively, such as in the Munchables incident, where an employee with links to DPRK activity leveraged their privileged access to the smart contracts in order to steal all the assets.

Wagemole operatives range in sophistication, from cookie-cutter resume templates and an unwillingness to join video calls to highly tailored resumes, deepfake video interviews, and identifying documents such as driver’s licenses and utility bills. In some cases, operatives have remained embedded within victim organizations for up to a year before leveraging their access to compromise additional systems and/or cash out entirely.

AppleJeus

AppleJeus focuses primarily on distributing malware and specializes in complex supply chain attacks. In 2023, the 3CX supply chain attack put the more than 12 million users of the 3CX VoIP software at risk of infection [12], and it was later discovered that 3CX itself had been compromised via an earlier supply chain attack on another vendor, Trading Technologies [13].

Within the cryptocurrency industry, AppleJeus started out by distributing malware packaged as legitimate-looking software, such as trading software or cryptocurrency wallets. Over time, however, their tactics evolved. In October 2024, Radiant Capital was compromised through malware delivered over Telegram by a threat actor impersonating a trusted contractor, an intrusion that Mandiant attributed to AppleJeus [14].

Dangerous Password

Dangerous Password is responsible for low-sophistication, social engineering based attacks within the cryptocurrency industry. As early as 2019, JPCERT/CC documented Dangerous Password sending phishing emails with enticing attachments for users to download [15]. In previous years, Dangerous Password was also responsible for phishing emails impersonating prominent figures within the industry, with subject lines such as “Huge Risk of Stablecoins and Crypto Asset” [16].

Today, Dangerous Password continues to send phishing emails, but has also moved to other platforms. For example, Radiant Capital reported that they were compromised through a phishing message on Telegram from someone impersonating a security researcher, who sent a file called “Penpie_Hacking_Analysis_Report.zip” [17]. Users also report being contacted by individuals impersonating journalists and investors who ask to schedule a call using an obscure video conferencing app. Like Zoom, these apps prompt the target to download a one-time installer; unlike Zoom, running that installer puts malware on the device.

TraderTraitor

TraderTraitor is the most sophisticated DPRK threat actor targeting the cryptocurrency industry, and was responsible for the hacks against Axie Infinity and Rain.com, among others [18]. TraderTraitor almost exclusively targets exchanges and other companies with large reserves, and does not deploy 0-days against its targets, relying instead on highly sophisticated spearphishing. In the case of the Axie Infinity hack, TraderTraitor reached out to a senior engineer via LinkedIn and convinced them to go through a series of interviews before sending an “offer” that delivered the malware [19]. Then, in the WazirX hack, TraderTraitor operatives compromised a yet-to-be-identified component of the signing pipeline, then caused WazirX engineers to conduct a cold-to-hot wallet rebalance by depleting the exchange’s hot wallet through repeated deposits and withdrawals [20]. When the WazirX engineers attempted to sign the rebalancing transaction, they were instead tricked into signing a transaction that transferred control of their cold wallet to TraderTraitor. This closely mirrors the exploit against Bybit in February 2025, where TraderTraitor first compromised the Safe{Wallet} infrastructure through a social engineering attack, then deployed malicious JavaScript to the Safe{Wallet} frontend designed specifically to target Bybit’s cold wallet [21]. When Bybit went to rebalance their wallets, the malicious code activated and caused the Bybit engineers to sign a transaction that handed over control of their cold wallet. In both cases the signers approved what the interface showed them; the transaction their keys actually signed was something else.

Staying Safe

North Korea has demonstrated the ability to deploy 0-days against its adversaries, but there have been no recorded or known incidents of North Korea deploying 0-days against the cryptocurrency industry. As such, for almost all DPRK threat actors, the typical security advice applies.

For individuals, use common sense and be wary of social engineering tactics. For example, if someone claims to have some highly confidential information that they’re willing to share with you, be cautious. Alternatively, if someone is applying time pressure against you to download and run some software, consider whether they’re trying to put you in a position where you’re not thinking logically.

For organizations, apply the Principle of Least Privilege wherever possible. Minimize the number of people with access to sensitive systems, and ensure that they use a password manager and 2FA (preferably phishing-resistant, such as hardware security keys). Maintain separate personal and work devices, and install Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) software on the work devices, for protection before a compromise and visibility after one.

Unfortunately, for large exchanges and other high-value targets, TraderTraitor operates well beyond what that standard advice anticipates, even without 0-days. Additional precautions must be taken so that no single point of failure exists: no single compromised person, device or web frontend should be able to cause a total loss of funds.

However, even when all else fails, there may still be hope. The FBI has a unit dedicated to tracking and preventing DPRK intrusions, and has been conducting victim notifications for years now [22]; recently I’ve had the pleasure of helping connect agents from that unit with potential DPRK targets. So, to prepare for the worst, make sure you either have publicly available contact information or are connected with enough people within the ecosystem (such as SEAL 911) that a message traversing the social graph will find its way to you with minimal delay.


Copyright © 2025 Paradigm Operations LP All rights reserved. “Paradigm” is a trademark, and the triangular mobius symbol is a registered trademark of Paradigm Operations LP