Cyberattacks originating from North Korea range from social engineering intrusions to attacks on exchanges, with some operations lasting up to a year.
Crypto company Paradigm warned in its "Uncovering the North Korean Threat" report that North Korea's cyberattacks on the cryptocurrency industry are growing in both sophistication and the number of organizations involved.
The report points out that cyberattacks from North Korea come in various forms, including attacks on exchanges, social engineering intrusions, phishing attacks, and complex supply chain hijackings. Some attacks last as long as a year, and North Korean agents often wait patiently for the opportunity.
The United Nations estimates that North Korean hackers earned $3 billion for the country between 2017 and 2023. The total amount of attacks has surged since 2024, with successful attacks on WazirX and Bybit exchanges earning a total of about $1.7 billion.
Paradigm points out that at least five North Korean organizations orchestrated these attacks: Lazarus Group, Spinout, AppleJeus, Dangerous Password, and TraitorTrader. There is also a coalition of North Korean agents who disguise themselves as IT workers to infiltrate technology companies around the world.
High-profile attacks and predictable money laundering methods
Lazarus Group, the most well-known North Korean hacking group, is believed to be responsible for several major cyberattacks since 2016. According to Paradigm, the group hacked Sony and the Bangladesh Central Bank in 2016 and was involved in the WannaCry 2.0 ransomware attack in 2017.
The group has also targeted the cryptocurrency industry with repeated success. In 2017, the group attacked two exchanges, Youbit and Bithumb. In 2022, Lazarus Group attacked Ronin Bridge, resulting in the loss of hundreds of millions of dollars in assets. In 2025, the group stole $1.5 billion from Bybit, shocking the entire cryptocurrency community. The group may also be involved in some Solana meme coin scams.
As Chainalysis and other institutions explain, Lazarus Group's method of laundering stolen funds follows a fairly fixed pattern. The group disperses the stolen funds into smaller and smaller parts and transfers them to countless other wallets. The less liquid tokens are then exchanged for more liquid tokens, and most of them are converted into Bitcoin (BTC). After that, the group may leave the stolen funds idle for a while until the attention of law enforcement wanes.
The Federal Bureau of Investigation (FBI) has so far identified three alleged Lazarus Group members, charging them with cybercrime. In February 2021, the U.S. Department of Justice indicted two of the members for participating in global cybercrime activities.