Lazarus Group — the collective that public attribution links to North Korea's Reconnaissance General Bureau, with sub-clusters tracked as APT38, TraderTraitor, and AppleJeus — spent 2024 and 2025 running the highest-value sustained campaign in cybercrime history. Chainalysis's February 2025 Crypto Crime Report estimated USD 1.34 billion in 2024 thefts attributable to DPRK-linked actors across 47 incidents, and the record-setting Bybit exchange theft of USD 1.46 billion on 21 February 2025 (acknowledged by Bybit CEO Ben Zhou and attributed by the FBI on 26 February 2025 in a public advisory) extended the pattern into early 2026.
This post synthesizes what the FBI, Treasury OFAC, Chainalysis, TRM Labs, Mandiant, and Google TAG have publicly documented. The focus is on the supply chain and identity mechanisms Lazarus uses — because the payload is theft, but the methods are indistinguishable from what nation-state espionage actors use to breach traditional enterprises.
What does the Lazarus 2024-2025 target list look like?
The public ledger of DPRK-attributed financial operations in 2024-2025 includes the DMM Bitcoin compromise (USD 308 million, disclosed 31 May 2024 and attributed to TraderTraitor/Lazarus by the FBI in a 23 December 2024 joint advisory with NPA Japan and DC3), the WazirX breach (USD 234 million, 18 July 2024, attributed by Elliptic and TRM Labs in August 2024 reporting), the Radiant Capital compromise (USD 50 million, 16 October 2024, attributed in Radiant's post-mortem and by Mandiant), and the Bybit theft (USD 1.46 billion, 21 February 2025, attributed by the FBI as PIN-AN-250226).
Smaller incidents — CoinEx, HECO Bridge, Orbit Chain, Alphapo — populate the long tail. Chainalysis's 2024 mid-year and year-end reports documented attribution methodology based on on-chain clustering that ties wallet infrastructure across incidents.
The pattern across targets: centralized crypto exchanges, DeFi protocols with governance-key custody weaknesses, bridge operators, and the individuals who hold signing authority in those organizations. The delivery mechanism is almost always social engineering against engineers and operations staff.
How did the Bybit theft actually happen?
Bybit's own incident writeup, Bybit's SAFE wallet provider (Safe.global), and independent analysis by Bitrace and SlowMist together describe the attack chain. Bybit used Gnosis SAFE multisig wallets for cold-storage management. The attackers compromised the SAFE front-end UI that Bybit operations personnel used to approve transactions — specifically the JavaScript served from safe.global's infrastructure — and replaced the transaction data presented to signers with a malicious delegatecall that changed the wallet's implementation contract to one controlled by the attacker.
The signers, seeing what looked like a legitimate transaction on their Ledger hardware-wallet screens, approved it. The underlying call rewrote the wallet logic. Minutes later the attacker drained ETH and ERC-20 tokens to a fresh address. The FBI's 26 February 2025 advisory named the technique explicitly and attributed it to TraderTraitor.
What stands out: this was a software supply chain attack against a self-custody multisig UI. The wallet's smart contract was not exploited. The hardware wallet was not compromised. The operations personnel did exactly what their procedures told them to do. The attack happened at the browser-delivered JavaScript that sat between the signer and the transaction data.
How does Lazarus deliver initial access to engineering teams?
The Contagious Interview cluster (documented by Palo Alto Unit 42 throughout 2023-2024) and the BeaverTail/InvisibleFerret malware families (named by Unit 42 and by JAMF in 2024 research) describe the most common initial-access route against crypto-sector engineers. A fake recruiter contacts the target on LinkedIn, Discord, or Telegram with a "senior developer" role at a plausible firm. The conversation moves to a coding challenge delivered as a GitHub repo or an npm package. The install-time script executes BeaverTail, which establishes persistence and drops InvisibleFerret as a second-stage implant.
Mandiant's 2024 reporting on UNC4899 (the DPRK cluster that compromised JumpCloud in June 2023 and that has been active against Web3 companies throughout 2024) describes a parallel route: compromise an engineer's development machine, pivot through stored credentials to SaaS and infrastructure accounts, and from there reach the exchange's signing or approval workflows.
The DPRK IT worker fraud — where DPRK nationals obtain remote software engineering jobs under fake identities — provides an inside-track option. The FBI/State Department guidance updated in 2024 and the DOJ's 2024-2025 indictments (including the July 2024 Arizona laptop-farm case and the August 2024 District of Maryland charges) establish the legal and operational picture.
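The coding-challenge route above turns on npm lifecycle hooks that run at install time. As an added example (not code from Unit 42, JAMF, or any vendor named here), this script triages a downloaded repository for such hooks without executing anything; the repository layout it builds is constructed for the demo.

```python
# Added example: list npm install-time hooks in a repository before anyone runs
# `npm install` on it. Nothing here is executed; it only reports what would run.
import json
import os
import tempfile

# npm runs these automatically during install (prepare runs on a bare `npm install`
# of the project itself; the others also run for every dependency that declares them).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def find_install_hooks(root):
    """Walk root (node_modules included) and return (manifest, hook, command) triples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        manifest = os.path.join(dirpath, "package.json")
        try:
            with open(manifest, encoding="utf-8") as fh:
                scripts = json.load(fh).get("scripts") or {}
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing would run from it
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((os.path.relpath(manifest, root), hook, scripts[hook]))
    return findings

def build_demo_repo():
    """Constructed fixture: clean top-level manifest plus a vendored dependency with a postinstall hook."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "node_modules", "dep"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "challenge", "scripts": {"test": "jest"}}, fh)
    with open(os.path.join(root, "node_modules", "dep", "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "dep", "scripts": {"postinstall": "node setup.js"}}, fh)
    return root

if __name__ == "__main__":
    for path, hook, cmd in find_install_hooks(build_demo_repo()):
        print(f"{path}: {hook} -> {cmd}")
```

Running `npm install --ignore-scripts` installs without firing these hooks; the scan tells you which commands you skipped and therefore need to read before trusting the package.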
What on-chain infrastructure does Lazarus use?
TRM Labs, Chainalysis, and Elliptic have all documented the laundering pattern. Stolen funds move through mixers (Sinbad before its March 2024 sanctioning, YoMix and eXch afterward), chain-hopping through Thorchain and instant-swap services, and eventual off-ramping through OTC traders and exchanges with weaker KYC.
Treasury OFAC has sanctioned multiple relevant entities and individuals. The November 2023 Sinbad designation, the May 2024 OFAC action against three DPRK-linked individuals supporting ballistic missile programs, and the 2024 joint advisory with Chainalysis on DPRK-linked wallet infrastructure give defenders and compliance officers a concrete indicator set.
What controls break the Bybit-class attack pattern?
Three controls, applied together, would have prevented the Bybit incident and would prevent the next. First, client-side transaction verification that does not depend on the signer's browser. Hardware wallets with "clear signing" (where the device displays the full transaction data, including decoded calldata, and the user compares the device's display to a separately-rendered transaction) neutralize browser-UI compromise. Ledger's Ethereum app supports this for most standard operations; the work is ensuring operations staff use it and are trained to recognize unparseable calldata as a red flag.
Second, transaction simulation on an out-of-band system. Services like Tenderly and Wallet Guard simulate a transaction's effect before signing; if the simulation shows an implementation-contract change, the operations team halts. Bybit's post-incident statements indicate simulation was not a standard step in their approval workflow.
Third, engineering endpoint hygiene that matches enterprise standards. EDR on every workstation with signing access, application control on package-manager install scripts, hardware-backed SSH keys, ephemeral cloud credentials via OIDC, and per-project dependency isolation. The crypto sector's historical tolerance for developer-owned, EDR-free machines is the single largest contributing factor to the 2024-2025 theft volume.
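The first two controls can be combined into a pre-signing gate that runs on an out-of-band machine, checking both the transaction fields the signer is shown and the state diff a simulation returns. The following is an added example, not code from Bybit, Safe, or any simulation service; the diff format is a simplified, constructed one, and the addresses are placeholders. It encodes the Bybit-class red flags described above: a DELEGATECALL where a plain CALL is expected, a destination not verified out of band, and a simulated write to the Safe's implementation slot.

```python
# Added example: out-of-band policy gate for a Safe multisig transaction.
CALL, DELEGATECALL = 0, 1
# A Safe proxy keeps the address of its implementation ("singleton") in storage slot 0.
SINGLETON_SLOT = "0x" + "00" * 32

class SafeTx:
    def __init__(self, safe, to, value, data, operation):
        self.safe = safe            # the multisig being operated
        self.to = to                # destination shown to the signer
        self.value = value          # wei
        self.data = data            # calldata bytes
        self.operation = operation  # 0 = CALL, 1 = DELEGATECALL

def check_safe_tx(tx, allowlist, state_diff):
    """Return the list of red flags; an empty list means the signer may approve."""
    reasons = []
    # Rule 1: treasury moves are plain CALLs. A DELEGATECALL runs the target's code
    # inside the Safe's own storage, which is how the Bybit wallet logic was rewritten.
    if tx.operation != CALL:
        reasons.append("operation is DELEGATECALL; expected CALL")
    # Rule 2: the destination must match a recipient verified outside the browser.
    if tx.to.lower() not in {a.lower() for a in allowlist}:
        reasons.append(f"recipient {tx.to} is not on the allowlist")
    # Rule 3: a native-value transfer carries no calldata; unparseable data is a red flag.
    if tx.value > 0 and tx.data:
        reasons.append("value transfer carries unexpected calldata")
    # Rule 4: the simulation's state diff must never touch the Safe's implementation slot.
    for change in state_diff:
        if change["address"].lower() == tx.safe.lower() and change["slot"] == SINGLETON_SLOT:
            reasons.append(f"simulation rewrites implementation: {change['before']} -> {change['after']}")
    return reasons

# Constructed sample data (placeholder addresses, not real wallets or contracts).
SAFE = "0x" + "aa" * 20
WARM_WALLET = "0x" + "bb" * 20
ATTACKER_CONTRACT = "0x" + "cc" * 20
ALLOWLIST = [WARM_WALLET]
BENIGN = SafeTx(SAFE, WARM_WALLET, 10**18, b"", CALL)
MALICIOUS = SafeTx(SAFE, ATTACKER_CONTRACT, 0, bytes.fromhex("deadbeef"), DELEGATECALL)
# Constructed simulation diff: slot 0 of the Safe changes from the genuine singleton to the attacker's.
MALICIOUS_DIFF = [{"address": SAFE, "slot": SINGLETON_SLOT,
                   "before": "0x" + "11" * 20, "after": ATTACKER_CONTRACT}]

if __name__ == "__main__":
    for name, tx, diff in (("benign", BENIGN, []), ("malicious", MALICIOUS, MALICIOUS_DIFF)):
        flags = check_safe_tx(tx, ALLOWLIST, diff)
        print(name, "APPROVE" if not flags else "HALT", flags)
```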
How do these attacks implicate traditional financial services?
The techniques do not stop at crypto. Lazarus sub-clusters have targeted SWIFT-connected banks (the 2016 Bangladesh Bank heist set the template), payment processors, and fintech APIs for a decade. CISA's AA23-187A (July 2023) and AA24-241A (August 2024) catalog DPRK techniques against banking and financial services, and FinCEN's 2024 advisory on DPRK illicit finance (FIN-2024-A003) gives the regulatory frame.
The supply chain angle transfers cleanly. A traditional bank that uses third-party SaaS for wire-approval workflows, a compromised front-end JavaScript layer, or an insufficiently verified hardware-based approval flow faces the same class of risk Bybit did. The control set — clear signing, simulation, endpoint hygiene, vendor attestation — ports directly.
What does the 2025-2026 regulatory response look like?
OFAC's 2024-2025 sanctioning cadence continues to target DPRK-linked laundering infrastructure. The Treasury-Commerce-State 2023 DPRK IT worker advisory has been updated multiple times, and the FinCEN 2024 advisory on DPRK cryptocurrency theft created specific SAR filing expectations for exchanges and virtual asset service providers.
SEC's 2024 settlement with R.R. Donnelley over the November 2021 ransomware incident (SEC admin proceeding 3-21969, June 2024) demonstrates how the SEC's Cybersecurity Disclosure Rule interacts with financial-sector breaches. A Lazarus-class intrusion at a public-company bank or exchange now triggers 8-K disclosure obligations within four business days, alongside the FinCEN and state-regulator notification requirements.
How Safeguard.sh Helps
Safeguard.sh addresses the supply chain layers Lazarus repeatedly exploits. Eagle detection inventories self-custody wallet software, front-end JavaScript dependencies, and operations-approval tooling as supply chain components, correlates them against vendor advisories and exploit-broker signals, and flags the conditions that enabled the Bybit-class UI compromise.
The zero-day pipeline watches maintainer-level compromises, package-registry advisories, and DPRK-cluster IOCs (BeaverTail, InvisibleFerret, TraderTraitor infrastructure from CISA and FBI advisories including AA24-241A), alerting when a consumed component is implicated. SBOM lineage follows dependencies through the wallet-UI stack, the smart-contract build toolchain, and the operations-platform integration, so defenders can answer "which of our signing flows depends on something a DPRK cluster touched?" with evidence.
For TPRM, Safeguard.sh monitors wallet providers, custody platforms, and infrastructure vendors as first-class suppliers, tracking their attestation posture, incident history, and signing-workflow controls. Lino compliance mapping aligns OFAC sanctions, FinCEN advisory obligations, SEC 8-K triggers, and NYDFS 23 NYCRR Part 500 requirements with the engineering evidence each regime expects. Griffin AI remediation drafts the specific workflow change, vendor engagement, or policy update required when a Lazarus-class signature appears in your environment, with an audit trail that meets regulator and investigator standards.