The Lazarus Playbook: How North Korea Funds Its Weapons Program Through Cybercrime
February 14, 2021 - “Chainalysis: Lazarus Is to Blame for Last Year’s KuCoin Crypto Theft” (Chainalysis)
November 4, 2024 - “North Korea tells UN it is speeding up nuclear weapons programme” (The Guardian)
January 16, 2025 - “Biden signs executive order to bolster national cybersecurity” (Bleeping Computer)
January 18, 2025 - “Trump launches cryptocurrency with price rocketing” (BBC)
What ties these headlines together?
2024 was nothing short of a roller coaster for those of us who follow the intersection of technology and global affairs. We saw cryptocurrency thefts hit new highs, nation-states weaponizing the internet with increasing aggression, and governments worldwide racing to keep pace with a rapidly evolving threat landscape. And now, just weeks into 2025, it shows no signs of slowing down. Within the span of seven days, Donald Trump launched his own cryptocurrency—$Trump—causing its price to skyrocket, while North Korea has continued to make headlines for its renewed push toward nuclear weapons development.
In tandem, we’re seeing that cyber threats are increasing in numbers and sophistication. Everything is getting faster, new threats are emerging, and the attack surface is growing.
One such player is the Lazarus Group, the main focus of my senior thesis, “Digital Frontlines: The Emerging Role of Cryptocurrencies in Hybrid Warfare & Geopolitics,” and a group I have been following closely since December 2022. Backed by North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB), Lazarus operates as an Advanced Persistent Threat (APT) group with a singular focus: using cybercrime to fund North Korea’s nuclear and military ambitions.
What does this mean for the rest of us? Let’s take a closer look.
What is the Lazarus Group?
The Lazarus Group is not just one group—it’s a sprawling network, or rather, a web, of criminal affiliates operating under the umbrella of North Korea’s state-sponsored cyber program. Affiliates like UNC038, UNC050, and Bluenoroff all share a singular mission: to carry out cybercrime that generates massive revenue streams for North Korea’s strategic objectives.
If the name Lazarus Group doesn’t ring a bell, their handiwork probably does. Their debut on the global stage came in 2014 with the infamous Sony Pictures hack. Following the release of The Interview, a satirical comedy that mocked North Korean leader Kim Jong Un, Sony became the target of a devastating cyberattack. Hackers leaked unreleased films, destroyed thousands of computers, and exposed the personal information of employees. Since then, their fingerprints have been found on some of the most audacious cyberattacks in history. From massive ransomware campaigns to sophisticated cryptocurrency heists, the Lazarus Group has evolved into one of the world’s most dangerous Advanced Persistent Threat (APT) groups.
The true identities of Lazarus Group members remain a mystery. It’s believed they operate under the direction of North Korea’s Reconnaissance General Bureau (RGB), the country’s intelligence agency. While their anonymity is well-guarded, one name has emerged: Park Jin Hyok, a suspected Lazarus member wanted by the FBI. He is accused of conspiracy to commit wire fraud, bank fraud, and computer-related crimes, and his involvement in multiple high-profile attacks underscores the group’s reach and sophistication.
Why Cryptocurrency?
Lazarus Group’s operations have increasingly turned to cryptocurrency—a decentralized, borderless financial system that thrives on anonymity and lacks centralized oversight. Its open-source nature allows anyone to participate, which has created a perfect environment for threat actors like Lazarus to exploit.
Lazarus has targeted virtually every corner of the cryptocurrency ecosystem, including Non-Fungible Tokens (NFTs), cross-chain bridges, and online gaming platforms (Mandiant 2023). These platforms often contain vulnerabilities that allow hackers to siphon off funds undetected, and Lazarus has turned these flaws into billions.
Lazarus’ success in this arena is staggering. In 2022 alone, they shattered their previous records, stealing an estimated $1.7 billion in cryptocurrency—cementing their status as one of the world’s most prolific cybercrime syndicates. Fast forward to today, and their pace has only accelerated. Over the past two years, I’ve observed a dramatic uptick in their activity: 290 recorded incidents in 2022 ballooned to 613 in 2023, followed by 596 in 2024. And now, just 19 days into 2025, Lazarus is already credited with 27 new attacks—numbers that only reflect what’s been detected. The reality is likely far worse.
So where is all this money going?
Here’s a hint: take another look at headline two. Now, consider that North Korea’s nuclear weapons program is its number one expense, and the fact that the international community has long imposed strict economic sanctions to try to curtail these efforts—sanctions that are meant to cut off critical imports and access to traditional funding mechanisms. Yet, cryptocurrency has opened a back door—a loophole in the sanctions regime that Lazarus exploits with chilling efficiency.
Through their operations, Lazarus is funneling billions into North Korea’s weapons development, circumventing global restrictions with alarming ease. Cryptocurrency theft funds everything from research and development to missile construction, allowing the regime to continue its quest to destabilize global security despite international efforts to curb it.
So, what happens when you give a rogue state access to high cash flows? They launder those funds immediately to buy equipment overseas that is used to build missiles. An interview on “The Lazarus Heist,” hosted by Jean Lee and Geoff White, put this into perspective for me. They interviewed a former North Korean diplomat turned defector, who once managed trade relations with international business partners. He divulged that a large part of his job was finding “dual-use” items, such as spray dryers (machines used to make baby powder) and MRI scanners—items with legitimate civilian uses that are also critical components of sophisticated missiles.
Here’s where things get even more surreal. The sanctions imposed on North Korea to curb its nuclear ambitions aren’t working—they are only encouraging its overseas partners to demand higher premiums. And North Korea has billions of cryptocurrencies in stock to finance this.
Hence, it should come as no surprise that North Korea has been bolstering its missile and nuclear weapons programs with alarming ease. Why would it slow down if there are no tangible friction points in its operations—no watchdog powerful enough, no coalition coordinated enough, no policy aggressive enough to stand in its way?
At this point, I wouldn’t blame you if your head is spinning. Mine did too, when I first started learning about this. The scale and audacity of Lazarus Group’s operations, coupled with North Korea’s ability to circumvent sanctions, make the problem feel insurmountable. But here’s the good news: all hope is not lost.
Task forces like those at Chainalysis and Mandiant are striking back—and with profound precision. These teams work closely with the Department of the Treasury and other international partners to identify stolen funds, track the movement of illicit cryptocurrency, and even claw some of it back. Just last year, Chainalysis helped recover $30 million from Lazarus’ notorious Axie Infinity Ronin Bridge hack.
Executive Order on Cybersecurity
The Biden administration’s recent executive orders on cybersecurity marked a significant step in bolstering defenses against threats like those posed by Lazarus. These policies prioritized stronger public-private partnerships, encouraged information sharing across sectors, and embraced a proactive “defend forward” strategy—an approach that seeks to disrupt cyber adversaries before they can launch attacks. By empowering agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and working closely with private companies, the administration signaled its commitment to staying ahead of increasingly sophisticated cyber threats.
But as the U.S. transitions to a new administration, it’s hard not to wonder: will these measures continue? Will the Trump administration embrace the same proactive strategy, or pivot to a more hands-off approach? Trump’s previous record raises valid concerns. His administration often prioritized deregulation and placed more trust in private-sector autonomy to manage cybersecurity challenges. While this can foster innovation, it risks creating a patchwork system of inconsistent protections, leaving critical gaps that adversaries can exploit.
Concluding Thoughts
For as long as Lazarus is on the offense, are we to wait and play defense? Is that enough?
As I continue to follow this story, I find myself increasingly drawn to the work of those on the frontlines—security professionals who dedicate their careers to tracing and cutting through these sophisticated webs of financial crime, such as Dave Wong, the Director of Mandiant (now Google Cloud). I hope to one day interview the folks behind these operations to better understand the challenges they face and the tactics they employ to fight back against Lazarus and its ilk.
For now, the story is far from over. The Biden administration’s proactive measures showed the power of a coordinated, forward-looking cybersecurity strategy. If those policies are set aside, the U.S. risks losing the momentum it has gained in combating state-sponsored cybercrime—and the cost of that could be measured in stolen billions and diminished national security. The Lazarus Group isn’t slowing down, North Korea’s ambitions aren’t shrinking, and the question remains: how do we stop a rogue state that has mastered the art of using cyberspace as a battlefield?
Stay tuned.