The term "Lazarus cryptocurrency" points in two very different directions: a notorious North Korean hacking syndicate that has stolen over $7 billion in digital assets, and a handful of obscure crypto projects that share the name. This guide helps you understand both—and the risks each presents.
When you encounter the term "Lazarus cryptocurrency," it is essential to understand which meaning is being referenced. The name is used in two entirely separate contexts:

- A North Korean state-sponsored hacking syndicate responsible for the largest cryptocurrency heists in history. Since 2017, the group has stolen over $7 billion in crypto assets. In 2026 alone, North Korea has been linked to over 70% of all cryptocurrency exploits[reference:1]. This is the most significant "Lazarus" in the crypto space.
- Several small cryptocurrency projects use the Lazarus name—including Lazarus (LZS), Lazaruscoin, and Lazarus Group Governance Token. These are typically low-cap, highly speculative tokens with little to no liquidity[reference:2][reference:3]. Some are legitimate experiments; others may be memes or scams.

The vast majority of references to "Lazarus" in crypto news relate to the hacking group. However, if you are considering buying a token with the Lazarus name, you are dealing with a completely different (and much riskier) proposition.
The Lazarus Group is not a cryptocurrency project—it is a cybercriminal enterprise. Investing in a token named "Lazarus" does not give you exposure to the hacking group's activities; it exposes you to the risks of an unproven, illiquid asset.
The Lazarus Group is a North Korean state-sponsored advanced persistent threat (APT) actor that has been active since at least 2009[reference:4]. It operates under North Korea's Reconnaissance General Bureau (RGB), the country's primary intelligence agency[reference:5].
The group first gained notoriety through high-profile attacks such as the 2014 Sony Pictures hack (in retaliation for the film The Interview) and the 2017 WannaCry ransomware attack, which affected over 300,000 computers and caused losses of up to $4 billion[reference:6]. The group also targeted banks globally, including the $81 million heist from the Bangladesh Bank in 2016[reference:7].
Around 2017, Lazarus shifted its focus to the cryptocurrency industry, which it found to be more lucrative and easier to exploit[reference:8]. Since then, the group has been responsible for a series of increasingly sophisticated and large-scale crypto heists.
The Lazarus Group's primary objective is to generate revenue to fund North Korea's nuclear weapons program and evade international sanctions[reference:9][reference:10]. The stolen funds are laundered through a complex network of mixers (like Tornado Cash), cross-chain bridges (like THORChain), Russian crypto exchanges, and Chinese over-the-counter (OTC) desks[reference:11].
In 2026, Lazarus has integrated generative AI tools into its operations. The group has been documented using ChatGPT and Cursor to write malware code, build fake company websites, and create fictional leadership teams for fraudulent recruitment fronts[reference:13]. In the first three months of 2026 alone, one subgroup exfiltrated 26,584 cryptocurrency wallets from 2,726 infected developer systems[reference:14].
The group also employs AI-generated profiles on professional networking platforms like LinkedIn, with fake recruiters sending personalised job offers containing malicious attachments[reference:15]. This social engineering approach has proven highly effective in gaining initial access to corporate networks.
The Lazarus Group's stolen crypto holdings are so large that they rival the Bitcoin reserves of entire nations. As of 2025, the group held 13,518 BTC (valued at $1.13 billion), surpassing the Bitcoin holdings of Bhutan, El Salvador, and Finland[reference:16].
The Lazarus Group has executed some of the largest cryptocurrency thefts in history. Here are the most significant operations.
This is the largest cryptocurrency heist ever recorded. Lazarus stole approximately $1.46–$1.5 billion in Ethereum from the Dubai-based exchange Bybit by compromising Safe{Wallet}, a widely used multi-signature wallet platform[reference:17]. The hackers manipulated the transaction approval process so that Bybit signers unknowingly authorised a malicious transfer[reference:19]. The FBI officially attributed the attack to Lazarus on February 26, 2025[reference:20]. Laundering began within hours: stolen ETH was converted to Bitcoin and other assets via THORChain and dispersed across thousands of addresses[reference:21].
Attributed to TraderTraitor (a Lazarus sub-unit), this heist targeted the DeFi platform KelpDAO, stealing approximately $300 million in what was the biggest crypto exploit of 2026 at the time[reference:22][reference:23]. The attackers manipulated a cross-chain bridge[reference:24].
Also in April 2026, the Drift Protocol was hacked for $280 million, with the attack linked to North Korean state-affiliated actors. Investigators revealed that North Korean IT workers had been embedded inside DeFi protocols since at least 2020, contributing to the codebases of more than 40 platforms. In many cases, these insiders mapped infrastructure, identified vulnerabilities over months or years, and then executed precisely timed attacks.
Blockchain analytics firms have been able to track the Lazarus Group's on-chain activity, revealing the scale and methods of its operations.
Since 2017, the Lazarus Group has successfully stolen over $6 billion in cryptocurrency assets[reference:32]. Other estimates place the figure at approximately $7 billion. The group's largest single theft was the $1.5 billion Bybit hack in 2025. In 2024 alone, the group stole $1.3 billion in cryptocurrencies; by mid-2025, it had already stolen over $2 billion.
As of 2025, the group held 13,518 BTC, valued at $1.13 billion, making it one of the largest Bitcoin holders globally[reference:36]. The group's wallets also contain Ethereum, Binance Coin, DAI, and various other cryptocurrencies[reference:37].
Lazarus employs a layered laundering operation that includes:
If you want to investigate Lazarus-related addresses yourself, you can use blockchain explorers like Etherscan, BSCScan, or Arkham Intelligence. Arkham maintains a public entity page for the Lazarus Group[reference:42]. However, tracking Lazarus requires significant expertise in blockchain forensics—the group uses thousands of addresses and sophisticated obfuscation techniques.
On-chain data is publicly available but requires careful interpretation. Not every address associated with Lazarus is clearly labelled, and the group frequently moves funds to new addresses. Always cross-reference multiple sources.
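
Because funds keep moving to new, unlabelled addresses, a direct match against a label list misses indirect exposure. The following added example (not from the original guide) walks a constructed transfer graph breadth-first from labelled addresses and reports how many hops separate a counterparty from them. The addresses, transfers, function names and the `max_hops` horizon are all constructed assumptions.

```python
import re
from collections import deque

ADDRESS = re.compile(r"0x[0-9a-f]{40}")

def addr(n, upper=False):
    """Constructed placeholder address: 0x plus 40 hex digits (not a real wallet)."""
    return "0x" + format(n, "040X" if upper else "040x")

def normalize(a):
    """Lower-case and validate, so checksum-cased and lower-cased forms compare equal."""
    a = a.strip().lower()
    if not ADDRESS.fullmatch(a):
        raise ValueError(f"not an address: {a!r}")
    return a

def hop_distances(transfers, labelled, max_hops):
    """Breadth-first walk downstream of labelled addresses; returns {address: hops}."""
    graph = {}
    for sender, receiver in transfers:
        graph.setdefault(normalize(sender), set()).add(normalize(receiver))
    dist = {normalize(a): 0 for a in labelled}
    queue = deque(dist)
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # stop expanding at the review horizon
        for nxt in graph.get(node, ()):
            if nxt not in dist:  # first visit in BFS is the shortest path
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def screen(candidate, dist):
    """Classify a counterparty address before transacting with it."""
    hops = dist.get(normalize(candidate))
    if hops is None:
        return "no exposure within horizon"
    return "labelled" if hops == 0 else f"indirect exposure, {hops} hop(s)"

# Constructed sample: a1 is labelled; funds move a1 -> b2 -> c3 -> d4; e5 -> f6 is unrelated.
LABELLED = [addr(0xA1, upper=True)]
TRANSFERS = [(addr(0xA1), addr(0xB2)), (addr(0xB2, upper=True), addr(0xC3)),
             (addr(0xC3), addr(0xD4)), (addr(0xE5), addr(0xF6))]
DIST = hop_distances(TRANSFERS, LABELLED, max_hops=2)

if __name__ == "__main__":
    for n in (0xA1, 0xB2, 0xC3, 0xD4, 0xF6):
        print(addr(n), "->", screen(addr(n), DIST))
```

A hop count is a triage signal for further review, not an attribution: widening `max_hops` pulls in more unrelated addresses, which is one reason to cross-reference several sources.
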
Several cryptocurrency projects have adopted the Lazarus name. These are entirely separate from the hacking group and should be evaluated on their own merits—which, in most cases, are limited.
One notable exception is the Lazarus Protocol, a project built at ETHGlobal's HackMoney 2026[reference:49]. It is a decentralized "Dead Man's Switch" designed to solve the problem of lost crypto assets due to inactivity or lost keys[reference:50]. Users set a beneficiary and a timeout period, and if they fail to check in, the protocol automatically liquidates their defined tokens and transfers them to the beneficiary[reference:51]. This is a legitimate, functional project—but it is not a token you can trade; it is a protocol.
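
A minimal model of the check-in and timeout flow described above, added here as an illustration and not the Lazarus Protocol's own code. The class and method names, the integer clock, the rule that anyone may trigger after the deadline, and the sample token are assumptions; liquidation is reduced to handing over the listed balances.

```python
class DeadMansSwitch:
    """Model of the check-in / timeout flow. Time is an explicit integer (seconds)."""

    def __init__(self, owner, beneficiary, timeout, tokens, now):
        if timeout <= 0:
            raise ValueError("timeout must be positive")
        if beneficiary == owner:
            raise ValueError("beneficiary must differ from owner")
        self.owner, self.beneficiary, self.timeout = owner, beneficiary, timeout
        self.tokens = dict(tokens)  # only the tokens the owner listed are in scope
        self.last_check_in = now
        self.triggered = False

    def deadline(self):
        return self.last_check_in + self.timeout

    def check_in(self, caller, now):
        """Owner proves liveness; this restarts the countdown."""
        if caller != self.owner:
            raise PermissionError("only the owner can check in")
        if self.triggered:
            raise RuntimeError("switch already triggered")
        # Assumption: a late check-in still counts if nobody has triggered yet.
        self.last_check_in = now
        return self.deadline()

    def trigger(self, now):
        """Assumed callable by anyone once the deadline has passed; pays out once."""
        if self.triggered:
            raise RuntimeError("switch already triggered")
        if now < self.deadline():
            raise RuntimeError("owner is still within the check-in window")
        self.triggered = True
        payout, self.tokens = self.tokens, {}
        return self.beneficiary, payout

def demo():
    """Constructed walk-through: returns the outcome of each step in order."""
    sw = DeadMansSwitch("alice", "bob", timeout=100, tokens={"TOKEN_A": 5}, now=0)
    steps = []
    for action in (lambda: sw.trigger(99), lambda: sw.check_in("mallory", 50),
                   lambda: sw.check_in("alice", 90), lambda: sw.trigger(150),
                   lambda: sw.trigger(190), lambda: sw.trigger(191)):
        try:
            steps.append(action())
        except (PermissionError, RuntimeError) as exc:
            steps.append(type(exc).__name__)
    return steps
```
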
If you are considering any "Lazarus" token, apply the same due diligence you would to any low-cap cryptocurrency:
| Feature | Lazarus Group (Hacking Syndicate) | "Lazarus" Crypto Tokens |
|---|---|---|
| Nature | North Korean state-sponsored cybercriminal enterprise | Small-cap cryptocurrency projects (tokens) |
| Purpose | Funding North Korea's nuclear weapons program and evading sanctions[reference:52] | Varies—some claim cybersecurity, others are speculative or memetic |
| Scale | $7+ billion stolen since 2017 | Market caps typically under $1 million; often extremely illiquid |
| Regulatory Status | Sanctioned by the US government (OFAC) | Generally unregulated, but some may be considered securities |
| Risk Level | Extreme—interacting with Lazarus addresses may violate sanctions | Very High—scams, rug pulls, and extreme volatility are common |
| Investment Viability | Not an investment—it is a criminal enterprise | Highly speculative; most lack fundamentals or liquidity |
| Public Data | On-chain addresses tracked by analytics firms like Arkham[reference:55] | Price and supply data available on aggregators like CoinGecko |
This comparison highlights that the Lazarus Group is a serious geopolitical and cybersecurity threat, while Lazarus-named tokens are speculative, high-risk assets that share only a name with the hacking syndicate.
Whether you are concerned about the Lazarus Group's hacking activities or considering a Lazarus-named token, this checklist will help you stay safe.
You receive a LinkedIn message from a recruiter offering a high-paying remote crypto job. The recruiter asks you to download a "test" application. This is a common Lazarus Group tactic[reference:57]. Instead of engaging, you verify the company's website, find it is fake, and report the profile. You have avoided a potential compromise of your systems and wallet.
The Lazarus Group is a sanctioned entity. The US Treasury's Office of Foreign Assets Control (OFAC) has designated the group. Interacting with known Lazarus addresses may expose you to legal and regulatory risks.
Lazarus-named tokens are extremely high-risk. Most have low liquidity, no audits, and anonymous teams. They are susceptible to rug pulls, pump-and-dump schemes, and complete loss of value.
The Lazarus Group's tactics are evolving. The group now uses AI-generated content, deepfakes, and sophisticated social engineering to compromise targets[reference:59][reference:60]. No one is immune—vigilance is essential.
This guide is for educational and informational purposes only. It does not constitute financial, legal, or tax advice. You are solely responsible for your own decisions. If you need personalised advice, consult qualified professionals.
Prices, fees, rules, and platform availability change constantly. Always verify current data directly from exchanges, block explorers, and official sources before taking any action.
The Lazarus Group is a North Korean state-sponsored hacking syndicate that has stolen over $7 billion in cryptocurrency since 2017. It is responsible for the largest crypto heists in history, including the $1.5 billion Bybit hack[reference:62].
There are several low-cap tokens with the Lazarus name (e.g., Lazarus, Lazaruscoin, Lazarus Group). These are not the hacking group—they are separate, highly speculative projects. Most have very low liquidity and high risk[reference:63][reference:64].
As of 2025, the Lazarus Group held 13,518 BTC, valued at approximately $1.13 billion. This is more than the Bitcoin reserves of Bhutan, El Salvador, and Finland[reference:65].
The $1.5 billion Bybit hack in February 2025 was the largest cryptocurrency theft ever recorded[reference:66]. The group compromised Safe{Wallet} and manipulated transaction approvals to steal over 400,000 ETH[reference:67].
The group uses a layered approach involving mixers (like Tornado Cash), cross-chain bridges (like THORChain), Russian crypto exchanges, and Chinese OTC desks[reference:68].
No. The Lazarus Protocol is a legitimate "Dead Man's Switch" project built at ETHGlobal's HackMoney 2026[reference:70]. It is a functional protocol for digital inheritance, not a token or a hacking group.
The Lazarus Group is sanctioned by the US government. Transacting with known Lazarus addresses may violate sanctions laws. Always use blockchain analytics tools to check addresses before interacting.
Use hardware wallets, enable 2FA, be extremely cautious with unsolicited messages and job offers, and verify the authenticity of any recruitment or investment opportunity. The group's primary vector is social engineering, not technical exploits[reference:72].