Lazarus, a North Korean hacking group, is reportedly ratcheting up its efforts to steal cryptocurrency amid North Korea’s economic difficulties due to the COVID-19 pandemic and economic sanctions imposed on the country.

“The APT (adaptive persistent threats) hacking group Lazarus, which is allegedly sponsored by a certain government [North Korea], is increasingly engaging in cybercrime activities in and out of South Korea,” according to an Apr. 27 press release from ESTsecurity, a cyber security firm located in Seoul.

Lazarus is the infamous hacking group responsible for the 2014 Sony Pictures hack and 2016 Bangladesh Bank cyber heist. 

According to the press release, the primary targets of these attacks are people who have traded cryptocurrencies, such as Bitcoin, and those who work in the cryptocurrency field. The company warned that these attacks could lead to financial damage.

“Lazarus is carrying out APT attacks not only in South Korea but also in the international sphere, including the United States,” the ESTsecurity press release explained. “They are also engaging in cyber-espionage operations as well as activities designed to generate foreign currency.”

The press release also went on to explain that “malicious emails used in these attacks mention companies that provide electronic payment services. The hackers attached malicious files disguised as blockchain software development contracts from those payment companies and induced the targets into opening them.”

ESTsecurity’s report explained these attacks use “spear phishing,” where a scammer baits victims using information specific to their interests after obtaining detailed information on them.

These days, Lazarus is strongly committed to cryptocurrency heist campaigns focused on virtual currencies that are hard to track and cryptocurrency exchanges, which are more vulnerable to hacks than conventional financial institutions like banks.

From 2017 to 2018, Lazarus was among three North Korean hacking groups that managed to steal USD 571 million in cryptocurrency from five exchanges in Asia, according to the “National Strategy for Combating Terrorist and Other Illicit Financing 2020” report released by the US Treasury Department in February.

Analysts say that stealing cryptocurrency could bring enormous profits to a country now completely isolated from the rest of the world following the closure of the Sino-North Korean border in late January due to the COVID-19 pandemic. 

Security experts are emphasizing that joint countermeasures should be taken against North Korean cyber attacks, which are connected to other North Korean espionage groups such as Kimsuky, Kony, and Gumsong 121.

“Along with Kimsuky, Koni and Gumsong 121, Lazarus has been engaging in a variety of APT attacks against South Korea and others,” said Mun Chong Hyun, the head of the ESTsecurity Security Response Center (ESRC). “It is important that we systematically study these organizations and take countermeasures against them.”

*Translated by Seongjin Park

Please direct any comments or questions about this article to

Read in Korean