Lazarus Group is a state-sponsored advanced persistent threat (APT) actor widely attributed by the U.S. government, UK NCSC, and private cybersecurity firms (Mandiant, Kaspersky, CrowdStrike) to North Korea's Reconnaissance General Bureau, the country's primary foreign intelligence service. The group is sometimes tracked under overlapping aliases such as APT38, Hidden Cobra, and Guardians of Peace, though analysts debate whether these represent the same unit or related subgroups.
The group is associated with several landmark cyber incidents:
- The 2014 Sony Pictures Entertainment hack, which destroyed data and leaked internal communications in apparent retaliation for the film The Interview.
- The 2016 Bangladesh Bank heist, in which attackers used fraudulent SWIFT messages to attempt to steal nearly $1 billion from the bank's Federal Reserve Bank of New York account, successfully moving roughly $81 million.
- The 2017 WannaCry ransomware outbreak, which affected the UK's NHS and hundreds of thousands of systems worldwide.
- Numerous cryptocurrency exchange and DeFi bridge thefts, including the March 2022 Ronin Network breach (around $620 million), attributed by the U.S. Treasury to Lazarus.
In September 2018, the U.S. Department of Justice indicted North Korean national Park Jin Hyok for his alleged role in Sony, WannaCry, and the Bangladesh Bank operations. The U.S. Treasury's OFAC designated Lazarus, Bluenoroff, and Andariel under sanctions authorities in 2019.
For IR and policy researchers, Lazarus is significant for three reasons. First, its operations blur the line between espionage, sabotage, and revenue generation — the group reportedly helps Pyongyang evade UN Security Council sanctions by stealing hard currency and cryptocurrency. Second, it illustrates the attribution challenge in cyberspace and the limits of deterrence against sanctioned regimes. Third, UN Panel of Experts reports on DPRK sanctions have repeatedly cited Lazarus-linked thefts as a major source of funding for North Korea's WMD programs.
Example
In March 2022, the U.S. Treasury attributed the roughly $620 million theft from Axie Infinity's Ronin Network bridge to the Lazarus Group, citing it as a major sanctions-evasion funding source for North Korea.
Frequently asked questions
Western governments and major cybersecurity firms attribute it to North Korea's Reconnaissance General Bureau (RGB), the country's main foreign intelligence service. Pyongyang denies involvement.
Keep learning