⚠️ In 2024, North Korean state-sponsored hacking group APT38—also known as the Lazarus Group—stole $1.34 billion in cryptocurrency across 47 separate incidents, accounting for 61% of all crypto stolen globally that year[reference:0][reference:1]. This guide breaks down the Chainalysis report findings, the group's attack methods, laundering techniques, and what it means for the broader crypto ecosystem.
📅 Updated: July 16, 2026 • ⏱ 12 min read
APT38—also known as the Lazarus Group, TraderTraitor, or Hidden Cobra—is a North Korean state-sponsored advanced persistent threat (APT) group attributed to the country's Reconnaissance General Bureau (RGB), the regime's military intelligence arm[reference:2][reference:3]. The group has been active since at least 2009 and has evolved from traditional financial crimes—such as the 2016 $81 million Bangladesh Bank SWIFT heist—to become the most prolific cryptocurrency hacking operation in the world[reference:4].
The Lazarus Group operates through two primary sub-groups[reference:5][reference:6]:
APT38's activities are financially motivated, with the primary goal of generating revenue to circumvent international sanctions and fund North Korea's weapons of mass destruction and ballistic missile programs[reference:7][reference:8]. The United Nations Security Council has estimated that North Korean hackers stole approximately $3 billion in cryptocurrency assets between 2017 and 2023[reference:9].
Chainalysis, a leading blockchain analytics firm, released its 2025 Crypto Crime Report in late 2024, revealing alarming trends in cryptocurrency theft[reference:10]. The report's findings on North Korean hacking activity are particularly striking.
In 2024, cryptocurrency platforms suffered $2.2 billion in losses from hacks and cyberattacks—a 21% increase compared to 2023[reference:11]. The number of incidents rose from 282 in 2023 to 303 in 2024[reference:12]. Crypto platforms reached $1.5 billion in losses between January and July alone, setting the industry on pace for $3 billion in thefts for the year[reference:13].
North Korean-linked hacking groups—primarily APT38/Lazarus Group—were responsible for:
Chainalysis noted several concerning trends[reference:20]:
APT38's 2024 campaign included several high-profile attacks that made global headlines. Below are the most significant incidents.
On May 31, 2024, Japanese cryptocurrency exchange DMM Bitcoin announced that hackers had stolen 4,502.9 Bitcoin (approximately $308 million) from its wallets[reference:23]. The FBI, DoD Cyber Crime Center, and Japan's National Police Agency attributed the theft to North Korean actors tied to TraderTraitor (APT38/Lazarus Group)[reference:24].
The attack unfolded through a sophisticated social engineering campaign[reference:25]:
The heist was so damaging that DMM Bitcoin shut down operations two weeks later, selling all crypto assets to Japanese financial services giant SBI Group[reference:26].
In July 2024, Indian cryptocurrency exchange WazirX suffered a breach resulting in the loss of approximately $235 million in crypto assets[reference:27][reference:28]. The attack affected over 200 different cryptocurrency assets, including significant losses of Shiba Inu ($96.7 million), Ether ($52.6 million), Matic ($11 million), and Pepe ($7.6 million)[reference:29].
Cybersecurity firm CYFIRMA identified the Lazarus Group (APT38) as the mastermind behind the breach[reference:30]. The attackers began laundering the stolen tokens by swapping them for Ether through various decentralized services[reference:31].
Additional APT38 attacks in 2024 included:
APT38 employs a sophisticated and evolving arsenal of attack techniques. Chainalysis and other cybersecurity firms have documented the group's primary methods.
APT38's social engineering operations are among the most advanced in the world[reference:35]. Common tactics include:
APT38's malware ecosystem has evolved for cross-platform compatibility (Windows, macOS, Linux), emphasizing credential theft and wallet key extraction[reference:39]. Key malware families include[reference:40]:
According to Chainalysis, private key breaches were the most commonly used attack method in 2024, accounting for 44% of the damages[reference:42]. This highlights the critical importance of secure key management for crypto platforms.
APT38 has also employed UI spoofing techniques—tricking users into approving malicious transactions by mimicking legitimate interfaces. This method was notably used in the $1.4 billion Bybit heist in February 2025[reference:43].
Once APT38 steals cryptocurrency, the group employs a sophisticated laundering process to convert the stolen assets into usable funds while evading detection[reference:44].
APT38's typical laundering workflow involves multiple steps:
Chainalysis has tracked the laundering of stolen funds across multiple platforms. For example, the DMM Bitcoin stolen funds were laundered through several different platforms and eventually cashed out on Huione Guarantee[reference:49]. In total, Chainalysis estimates that $100 billion in cryptocurrency has been laundered since 2019[reference:50].
The APT38 heists of 2024 have far-reaching implications for the cryptocurrency industry.
The $1.34 billion stolen by APT38 in 2024 represents real losses for exchanges, their customers, and the broader crypto economy. Some platforms—like DMM Bitcoin—were forced to shut down entirely as a result[reference:51].
High-profile heists erode public trust in cryptocurrency. Each major attack reinforces the perception that crypto is insecure and risky, which can deter institutional adoption and mainstream usage.
The scale of North Korean crypto theft has drawn increased attention from regulators worldwide. The U.S. Treasury Department has sanctioned wallets linked to the Lazarus Group and APT38, and law enforcement agencies have taken legal steps to seize stolen crypto[reference:52][reference:53].
Because APT38 is a state-sponsored entity, its crypto heists are not just cybercrime—they are national security threats. The stolen funds directly support North Korea's weapons programs, including ballistic missiles and weapons of mass destruction[reference:54][reference:55].
Chainalysis and cybersecurity experts have recommended several measures for crypto platforms to defend against APT38 and similar threats[reference:56].
The table below shows the escalating scale of APT38's cryptocurrency theft operations over recent years.
| Year | Total Stolen (USD) | Number of Incidents | Year-over-Year Change | Notable Attacks |
|---|---|---|---|---|
| 2022 | $1.1 billion | ~15 | — | Ronin Bridge ($620M), Harmony Horizon ($100M)[reference:57] |
| 2023 | $660.5 million | 20 | -40% | Multiple smaller attacks[reference:58] |
| 2024 | $1.34 billion | 47 | +102.88% | DMM Bitcoin ($308M), WazirX ($235M)[reference:59] |
| 2025 (H1) | ~$1.5 billion+ | — | — | Bybit ($1.4B)[reference:60] |
Data sourced from Chainalysis reports and cybersecurity analyses. 2025 figures are preliminary and subject to revision.
Platform: Crypto exchange "NovaX" with $500 million in daily trading volume and 2 million active users.
Attack: In March 2024, an APT38 operative posing as a recruiter on LinkedIn contacts a NovaX backend developer. The developer is sent a "coding challenge" that contains the BeaverTail malware. The malware compromises the developer's workstation and steals credentials for NovaX's hot wallet management system.
Exploitation: Two weeks later, APT38 uses the stolen credentials to access NovaX's hot wallet and initiate a transfer of $80 million in Ether to wallets they control. The transfer is executed during off-hours to avoid immediate detection.
Response: NovaX's monitoring system flags the unusual transfer within 15 minutes. The platform freezes remaining assets, notifies law enforcement, and engages Chainalysis to track the stolen funds. However, APT38 has already begun laundering the funds through THORChain and Sinbad.
Outcome: NovaX recovers $20 million through law enforcement action, but $60 million is permanently lost. The platform's reputation suffers, and users withdraw funds in panic. NovaX implements new security measures, including mandatory hardware security modules for all wallet operations and enhanced employee security training.
This example is for educational purposes only and does not represent any specific real-world incident. It illustrates the typical attack pattern used by APT38.
The APT38 cryptocurrency heists of 2024 demonstrate that the crypto ecosystem faces an ongoing, state-sponsored threat. The $1.34 billion stolen in 2024 represents real losses for platforms, investors, and the broader industry.
Key risks highlighted by the Chainalysis report include:
This article does not provide personalized financial, legal, or security advice. Crypto platforms and individual users should consult with qualified cybersecurity professionals, legal counsel, and financial advisors to assess their specific risk exposure and implement appropriate safeguards.
Always verify current threat intelligence by referring to official sources such as Chainalysis reports, FBI alerts, and cybersecurity firm publications.
APT38 is a sub-group of the Lazarus Group, a North Korean state-sponsored hacking organization. APT38 specializes in financial crimes, particularly targeting cryptocurrency exchanges and financial institutions with sophisticated malware and social engineering campaigns[reference:61].
According to Chainalysis, APT38 (North Korean-linked hackers) stole approximately $1.34 billion across 47 cryptocurrency hacking incidents in 2024. This represented 61% of all crypto stolen globally that year[reference:62].
The largest APT38 attacks in 2024 included the $308 million theft from DMM Bitcoin in May and the $235 million breach of Indian exchange WazirX in July[reference:63]. These two incidents alone accounted for over $540 million in losses.
APT38 uses sophisticated laundering techniques including crypto mixers (like Sinbad and Tornado Cash), cross-chain bridges (such as THORChain), decentralized exchanges, and OTC trading platforms[reference:64]. They often convert Bitcoin to Ethereum or stablecoins before cashing out through weakly regulated jurisdictions[reference:65].
APT38 employs social engineering (posing as recruiters on LinkedIn), malware deployment (including BeaverTail and OtterCookie), UI spoofing, and private key breaches[reference:66]. Private key compromises accounted for 44% of damages in 2024[reference:67].
North Korea uses cryptocurrency theft to circumvent international sanctions and generate revenue for its weapons of mass destruction and ballistic missile programs[reference:68][reference:69]. The crypto ecosystem offers high liquidity and anonymity, making it attractive for state-sponsored cybercrime.
Chainalysis recommends stricter private key management, enhanced monitoring of system vulnerabilities, multi-factor authentication for critical operations, employee security training against social engineering, and real-time transaction monitoring for suspicious activity[reference:70].
Yes. Chainalysis noted that attacks between $50-100 million and those above $100 million occurred far more frequently in 2024 than in 2023, suggesting that North Korean hackers are getting better and faster at large-scale exploits[reference:71]. The trend continued into 2025 with the $1.5 billion Bybit heist[reference:72].