- Lazarus Group, part of DPRK’s RGB, orchestrates major hacks, including Sony Pictures and Bangladesh Bank, demonstrating high technical skill.
- TraderTraitor’s WazirX and Bybit hacks show a pattern: social engineering plus malicious code injected into the signing interface to seize control of cold wallets.
- FBI’s dedicated unit tracks DPRK hackers; experts urge strong security measures like 2FA and password managers for protection.
The Bybit hack by North Korea’s Lazarus group, described as “the biggest hack in the history of crypto,” sparked an outcry: few expected this level of technical sophistication from state-funded actors. Samczsun, a pseudonymous “crypto white hat hacker,” argues that the industry must understand how DPRK operators work, and learn their tactics, techniques and procedures, before it can build effective guardrails.
North Korea’s Cyber Command Structure
The Lazarus group is part of the Reconnaissance General Bureau (RGB), which belongs to the Korean People’s Army (KPA). The RGB runs all North Korean cyber warfare, including the intrusions into the cryptocurrency industry.
Besides Lazarus, the RGB fields other threat actors such as AppleJeus, APT38, DangerousPassword, and TraderTraitor. Lazarus first gained notoriety in 2014 with the Sony Pictures Entertainment (Sony) hack: angered by Sony’s film about Kim Jong Un, the group exfiltrated terabytes of data and wiped the originals.
Then, in 2016, Lazarus compromised Bangladesh Bank’s internal network to reach its SWIFT terminals and issued fraudulent transfer requests to the Federal Reserve Bank of New York for almost 1 billion USD, of which roughly 81 million USD was actually moved before the scheme was caught. In all these incidents, the group showed a high level of technical skill before turning its attention to the cryptocurrency industry.

During this period, the DPRK cyber apparatus began assigning distinct missions to these threat actors. APT38 targeted banks first, in 2016, and cryptocurrency later. In 2018, AppleJeus began distributing malware disguised as cryptocurrency trading software to cryptocurrency users.
Since 2023, AppleJeus has mounted complex supply chain attacks and later moved to impersonating trusted contractors. DangerousPassword, likewise, relies on social engineering against the cryptocurrency industry. The most damaging of them, however, is TraderTraitor, which targets exchanges and other companies holding large reserves (Axie Infinity and Rain.com among its victims).
TraderTraitor’s Cold Wallet Tactics
In the WazirX hack, this threat actor tricked the wallet’s signers into approving a transaction that handed control of the cold wallet to the attackers. The Bybit hack followed the same pattern: TraderTraitor first breached Safe Wallet’s infrastructure through social engineering, then injected malicious JavaScript into the wallet interface that Bybit’s signers used to approve cold wallet transactions.
When Bybit attempted to rebalance its wallets, the malicious code triggered. The interface showed the signers what looked like a routine transfer, while the transaction they actually signed handed control of the cold wallet to the attackers. Such brazen attacks have put TraderTraitor at the top of security agencies’ priority lists.
Countering the Threat
The FBI has established a separate unit to track and prevent these intrusions and has been conducting victim notifications for years now. Security experts like Samczsun, part of the SEAL 911 emergency response team, have actively worked with federal agents to identify and protect potential DPRK targets.
With such threats looming, on-chain sleuths recommend a password manager and 2FA as the first line of defense. Against the signing attacks described above, that baseline is necessary but not sufficient: a compromised interface can show one transaction and submit another, so signers must also verify the full transaction details on an independent device rather than trusting the web interface.