Key Takeaways
1. North Korea's Economic Collapse Drove the Regime to State-Sponsored Crime
According to many experts, North Korea has instead turned to crime, in the past experimenting with forgery, smuggling and even crystal-meth production, before finally discovering a far more reliable and lucrative form of income: computer hacking.
Desperate measures. Decades of economic mismanagement, compounded by international sanctions over its nuclear program, pushed North Korea to the brink of financial collapse and contributed to a devastating famine in the 1990s. Unable to generate sufficient legitimate income, the regime increasingly relied on illicit activities.
Criminal evolution. North Korea's criminal enterprises evolved over time, moving from traditional methods like counterfeiting and smuggling to more modern, high-tech crimes. This shift was driven by the need for more reliable and scalable revenue streams that could circumvent sanctions and fund the state.
Cybercrime's appeal. Computer hacking offered a unique advantage: it was stateless, fast, and difficult to trace, allowing the regime to steal vast sums of money directly from foreign institutions without crossing physical borders or running traditional supply chains. This became the most lucrative criminal avenue.
2. The Kim Dynasty's Isolationist Ideology Created a Vulnerable State
Self-reliance myth. Kim Il Sung's Juche ideology promoted self-reliance, but North Korea's mountainous terrain and lack of resources made true independence impossible, particularly in agriculture and manufacturing. This ideological rigidity prevented necessary reforms and trade.
Information control. Extreme isolation and censorship created an information bubble, preventing citizens from knowing the true state of the country or the outside world. This control, while maintaining the regime's power, also hindered technological and economic development compared to other nations.
Ratchet effects. A series of miscalculations and rigid policies, from the Korean War's unresolved status to the costly pursuit of nuclear weapons and the disastrous famine, locked North Korea into a cycle of isolation, economic hardship, and escalating conflict with the international community.
3. Early Criminality Included Counterfeiting High-Quality "Superdollars"
Experts have repeatedly stated that it was by far the finest they’d ever seen – created using exactly the right paper, the right ink, the right printing press.
Undermining the enemy. Starting in the late 1980s, North Korea allegedly began producing highly sophisticated counterfeit $100 bills, dubbed "superdollars," that were nearly indistinguishable from genuine currency. This was seen by US authorities as an attempt to destabilize the American financial system.
State-level operation. The quality of the superdollars suggested state involvement, requiring access to specialized printing presses, paper, and ink. Defectors claimed the operation was run at a government level, with dedicated facilities and skilled personnel.
Distribution network. North Korean diplomats and front companies, like Zokwang Trading in Macau, were repeatedly caught attempting to pass off the superdollars globally. This distribution network highlighted the regime's direct role in the criminal activity.
4. Cybercrime Emerged as a Key Weapon for Economic Survival
Over the last few years investigators claim that North Korea’s government hackers have become some of the most effective and dangerous on the planet.
Asymmetric advantage. Facing technologically superior adversaries, North Korea developed cyber capabilities as an asymmetric tool to level the playing field. A relatively small investment in cyber operations could yield significant impact.
Military integration. Hacking units, like the Lazarus Group, are reportedly integrated into North Korea's military structure. Talented students are identified early and trained in specialized schools to become "cyber-warriors" for the state.
Dual purpose. While some cyber activities focused on intelligence gathering or disruption (like the Dark Seoul attacks targeting South Korean infrastructure), a primary goal became generating hard currency for the cash-strapped regime through financial crime.
5. The Sony Pictures Hack Showcased Destructive Capabilities and Political Motivation
In the end, half of Sony’s global digital network would be wiped out, some of the most powerful players in Hollywood would lose their jobs, and the digital break-in would trigger an international incident.
Revenge for satire. In late 2014, Sony Pictures Entertainment was hit by a devastating cyberattack, allegedly in retaliation for producing the satirical film "The Interview," which depicted the assassination of Kim Jong Un. This demonstrated NK's willingness to use cyber means for political retribution.
Destructive tactics. The attack employed sophisticated malware that wiped data and disabled thousands of computers, going far beyond simple website defacement. It aimed to cripple the company's operations.
Data leaks. The hackers stole and leaked massive amounts of sensitive internal data, including emails, salaries, and personal information, causing immense reputational and personal damage to employees and executives. This anti-PR campaign showed an understanding of Western media.
6. The Billion-Dollar Bank Heist: Bangladesh Bank (SWIFT, Laundering)
We had never seen an attack like this, transferring so many millions of dollars.
Audacious target. In 2016, the Lazarus Group allegedly targeted Bangladesh Bank, attempting to steal nearly a billion dollars from its account at the New York Federal Reserve using fraudulent SWIFT messages. This marked a significant escalation in financial hacking ambition.
Exploiting systems. The hackers reportedly spent over a year inside the bank's network, studying its systems, including SWIFT, and planting malware to delete transaction records and disable printers, aiming to delay detection.
Timing is everything. The heist was meticulously timed to exploit international time zones and holidays (Bangladesh weekend, US weekend, Philippines holiday) to maximize the window for transferring and laundering the stolen funds before the banks could react.
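One way to turn the timing point above into a detection check, as an added example that is not from the book or this summary: flag payment instructions sent while the originating bank is closed for a long stretch but its correspondent is open to execute them. Institution names, UTC offsets, weekend rules, business hours and the sample messages are all constructed assumptions.

```python
"""Flag payment instructions sent while the originating bank was closed.

The Bangladesh Bank transfers were timed so the originator was on its weekend
while the correspondent bank still processed them; this detector checks each
timestamp against both calendars. Offsets, hours and messages are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed calendars: name -> (UTC offset hours, weekend weekdays; Mon == 0)
CALENDARS = {
    "originator_dhaka": (6, {4, 5}),    # Friday/Saturday weekend
    "correspondent_ny": (-5, {5, 6}),   # Saturday/Sunday weekend
}
BUSINESS_HOURS = (9, 17)  # 09:00 to 17:00 local, assumed for both

def is_open(ts_utc, institution):
    """True if the institution is staffed at the given UTC instant."""
    offset, weekend = CALENDARS[institution]
    local = ts_utc.astimezone(timezone(timedelta(hours=offset)))
    return (local.weekday() not in weekend
            and BUSINESS_HOURS[0] <= local.hour < BUSINESS_HOURS[1])

def hours_until_open(ts_utc, institution, limit=24 * 14):
    """Hours until the institution can next review activity. A long gap
    while the correspondent is open is the window a heist relies on."""
    hours = 0
    while not is_open(ts_utc, institution) and hours < limit:
        ts_utc, hours = ts_utc + timedelta(hours=1), hours + 1
    return hours

def flag_instructions(messages, min_gap_hours=12):
    """Ids of instructions sent while the correspondent can execute them
    but the originator cannot react for at least `min_gap_hours`."""
    return [m["id"] for m in messages
            if is_open(m["sent_utc"], m["correspondent"])
            and hours_until_open(m["sent_utc"], m["originator"]) >= min_gap_hours]

def instruction(msg_id, *utc):
    """Constructed SWIFT-style instruction from Dhaka to its New York correspondent."""
    return {"id": msg_id, "originator": "originator_dhaka",
            "correspondent": "correspondent_ny",
            "sent_utc": datetime(*utc, tzinfo=timezone.utc)}

SAMPLE = [  # Constructed samples; 2016-02-04 is a Thursday
    instruction("MT-001", 2016, 2, 4, 10, 0),   # Dhaka 16:00 Thu, open: not flagged
    instruction("MT-002", 2016, 2, 4, 20, 30),  # Dhaka 02:30 Fri weekend, NY 15:30 Thu
    instruction("MT-003", 2016, 2, 6, 15, 0),   # Saturday everywhere: NY closed too
]
```

Only MT-002 is flagged: the originator cannot look at it for more than two days while the correspondent is already processing it.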
7. Global Money Laundering Network Facilitated the Physical Getaway
Those who co-ordinated the crime had not only the technical skill to make ATMs around the world spew out banknotes on demand but also the global reach to mobilize a worldwide network of mules, who would now pass the stolen funds back up the chain to those who had masterminded the job.
Physical layer. Despite the digital nature of the theft, moving the stolen money required a network of human accomplices in the physical world ("meatspace"). This included:
- Money mules to withdraw cash from ATMs (as in the Cosmos Bank hack).
- Corrupt bank officials to facilitate transfers and account creation (as in the Bangladesh Bank heist in the Philippines).
- Money changers and casino operators to convert digital/banked funds into untraceable cash or chips.
Layering techniques. The money was moved through multiple layers of accounts, currencies, and assets (bank transfers, cash, casino chips) to obscure its origin. Casinos, particularly in places like Macau and Manila, were ideal due to lax regulations and high cash flow.
Criminal connections. The Lazarus Group allegedly leveraged existing connections with organized crime networks and middlemen in countries like the Philippines, Sri Lanka, and Macau to execute the complex laundering operations, paying them a cut of the stolen funds.
8. WannaCry Demonstrated Automated Global Attacks and Cryptocurrency Exploitation
It was at a phenomenal scale, like nothing I’d ever seen before.
Weaponized exploit. In May 2017, the WannaCry ransomware attack rapidly spread globally, encrypting data on hundreds of thousands of computers, including critical infrastructure like hospitals. It utilized a powerful exploit (EternalBlue) allegedly developed by the US NSA and leaked by a hacking group.
Untargeted spread. Unlike previous attacks, WannaCry spread automatically from machine to machine without user interaction, making it incredibly disruptive and indiscriminate. This highlighted the danger of leaked state-sponsored hacking tools.
Accidental hero. A young British security researcher, Marcus Hutchins, inadvertently stopped the outbreak by registering a domain name that the malware was programmed to check before activating. This revealed the virus was likely released prematurely.
9. Mastering Cryptocurrency Heists Became a Lucrative New Strategy
The Lazarus Group was about to make another huge technological leap forward.
New frontier. Following WannaCry, the Lazarus Group allegedly shifted focus to cryptocurrency exchanges, which were often less regulated and easier targets than traditional banks. This allowed them to steal large sums directly in digital currency.
Rapid evolution. The hackers quickly adapted their tactics, using sophisticated phishing campaigns (sometimes via LinkedIn with tailored job offers) and developing malware specifically designed to steal cryptocurrency.
Digital laundering. Cryptocurrency offered a faster, more direct way to launder funds compared to traditional methods involving physical cash and middlemen. Techniques like "peel chains" and using swap services made tracing the money extremely difficult, though converting it to fiat currency still required accomplices.
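To make the "peel chain" idea above concrete from an investigator's side, here is an added example that is not from the book or this summary: a tracer that follows the largest output of each transaction hop by hop and records every smaller "peel" that was split off, together with any attribution an analyst already has for the receiving address. The ledger, address names and service labels are constructed.

```python
"""Trace a constructed cryptocurrency 'peel chain'.

Each transaction in a peel chain sends a small 'peeled' amount to a
cash-out address and carries the remainder to a fresh change address.
An investigator follows the largest output hop by hop and records where
every peel went. Ledger, addresses and labels below are constructed."""

# Constructed ledger: tx id -> (spending address, [(output address, amount), ...])
LEDGER = {
    "tx1": ("theft_wallet", [("peel_A", 5.0), ("hop1", 95.0)]),
    "tx2": ("hop1", [("hop2", 90.0), ("peel_B", 5.0)]),
    "tx3": ("hop2", [("peel_C", 4.0), ("hop3", 86.0)]),
    "tx4": ("hop3", [("swap_service", 86.0)]),      # chain ends at a swap service
    "tx9": ("unrelated", [("someone_else", 1.0)]),  # noise, not part of the chain
}
# Addresses the investigator has already attributed (constructed labels)
KNOWN_SERVICES = {"swap_service": "swap service", "peel_B": "exchange deposit"}


def build_spend_index(ledger):
    """Map each address to the transaction that spends from it."""
    return {src: txid for txid, (src, _outputs) in ledger.items()}


def trace_peel_chain(ledger, start, max_hops=50):
    """Follow the largest output from `start` until funds reach an address
    never spent on-ledger. Returns (hops, peels, terminal_address), with
    hops as (txid, address, amount) and peels as (txid, address, amount, label)."""
    spend = build_spend_index(ledger)
    hops, peels, seen, addr = [], [], set(), start
    while addr in spend and addr not in seen and len(hops) < max_hops:
        seen.add(addr)  # guard against looping ledgers
        txid = spend[addr]
        outputs = sorted(ledger[txid][1], key=lambda o: o[1], reverse=True)
        (main_addr, main_amt), side = outputs[0], outputs[1:]
        for out_addr, amt in side:
            peels.append((txid, out_addr, amt, KNOWN_SERVICES.get(out_addr, "unattributed")))
        hops.append((txid, main_addr, main_amt))
        addr = main_addr
    return hops, peels, addr


def peel_report(peels):
    """Total peeled value per attribution label, the figures an exchange
    freeze request would be built on."""
    totals = {}
    for _txid, _addr, amt, label in peels:
        totals[label] = totals.get(label, 0.0) + amt
    return totals
```

Running `trace_peel_chain(LEDGER, "theft_wallet")` walks four hops to the swap service and shows that the chain stops being traceable on-ledger exactly where the text says it does: at a service that needs an accomplice or a legal request to unwind.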
10. FBI Investigations Began to Unmask Alleged Lazarus Group Hackers
It really put a face to all of the investigative work that we had been doing.
Connecting the dots. Following the Sony and Bangladesh Bank attacks, FBI investigators found overlapping digital footprints, including shared email accounts, IP addresses, and malware code, linking the two seemingly disparate incidents.
Identifying individuals. By tracing online accounts and leveraging international cooperation, the FBI allegedly identified individuals behind the attacks, including Park Jin Hyok, Kim Il (Julien Kim/Tony Walker), and Jon Chang Hyok, believed to be members of the Lazarus Group.
Public indictments. The US Department of Justice publicly indicted these individuals, releasing their photos and detailing their alleged roles in multiple global cybercrime campaigns. While unlikely to lead to arrests (as they are presumed to be in NK), the indictments aimed to expose and disrupt the group's operations.
11. The Global Criminal Underworld Provided Essential Accomplices
The shadowy, hidden realm of North Korea’s hackers is about to intersect with the flashy, champagne-fuelled world of Instagram celebrity.
Bridging the gap. Despite their technical prowess, the Lazarus Group hackers often needed help from non-technical criminals to convert stolen digital assets into usable cash and move it through the financial system.
Diverse network. This network included:
- Canadian fraudster Ghaleb Alaumary ("Big Boss") who organized ATM cash-out crews and provided bank accounts.
- Nigerian Instagram celebrity Ramon Olorunwa Abbas ("Hushpuppi") who allegedly laundered funds through his lavish lifestyle and contacts.
- Chinese individuals involved in illegal gambling and money changing in Macau and the Philippines.
Mutual benefit. These accomplices provided the necessary infrastructure and expertise in money laundering and physical logistics, while the hackers provided the stolen funds, creating a symbiotic relationship in the global criminal economy.
12. The Ongoing Threat Requires Understanding and Individual Defense
Ultimately, there is no government, police force or company that can spot and stop every attempt by the attackers.
Evolving tactics. The Lazarus Group continues to innovate, adapting to new technologies (like cryptocurrency) and security measures. Their ability to exploit vulnerabilities and leverage global criminal networks poses a persistent threat.
Law enforcement challenges. Traditional law enforcement methods are often ineffective against state-sponsored hackers operating from protected jurisdictions. Efforts focus on disrupting infrastructure and exposing identities, but arrests are rare.
Last line of defense. Given the limitations of institutional defenses, individuals are often the first and last line of defense against cyberattacks. Simple actions like recognizing phishing emails and using strong passwords can prevent initial breaches.
Knowledge is power. Understanding the tactics used by groups like Lazarus, from phishing and malware to money laundering schemes, empowers individuals to protect themselves and their organizations from becoming victims of global cybercrime.
Review Summary
The Lazarus Heist is praised for its gripping narrative and in-depth exploration of North Korean cybercrime. Readers appreciate White's ability to explain complex technical concepts accessibly. The book is described as a page-turner, offering insights into the secretive world of state-sponsored hacking. While some found the latter parts less engaging, most reviewers were impressed by the author's research and storytelling. The book is recommended for those interested in cybersecurity, geopolitics, and true crime.