Web3 Security

North Korea Stole $7.5 Billion From Crypto. Here's Their Playbook.

North Korea's Lazarus Group stole $7.5B in crypto using social engineering, fake jobs, and RPC poisoning. Learn their 5-phase playbook and how to defend your protocol.

Author
QuillAudits Team
April 21, 2026

It is 2:16 AM in Dubai. A Bybit signer stares at his laptop.

The screen shows a routine transfer. Cold wallet to warm wallet. He has signed dozens of these before. He checks the UI. Everything looks normal. He clicks approve.

Somewhere outside Pyongyang, a room full of people erupts in celebration. They just pulled off the largest financial theft in human history.

$1.5 billion. Gone in a single block confirmation.

And here's the thing most founders still haven't fully reckoned with: it wasn't an anomaly. It was the climax of a decade-long playbook. A playbook so polished that, by 2025, a single nation-state was responsible for 59% of all crypto theft on the planet, and in April 2026 alone, they struck twice in 17 days for a combined $575 million.

We are not dealing with a cybercrime group. We are dealing with a sovereign nation-state that has decided hacking crypto is a legitimate branch of its economy.

— Ari Redbord, Head of Policy, TRM Labs

The Numbers That Should Keep You Awake

Before we go into how, let's sit with how much.

[Figure: chart]

Lifetime cumulative total (as of April 18, 2026): $7.5B+ (includes Drift $285M + KelpDAO $290M, both April 2026)

The United Nations estimates that crypto theft now represents roughly 13% of North Korea's entire GDP. This isn't a side hustle or a rogue operation. It is, by any reasonable definition, a branch of the North Korean state economy, and it funds ballistic missiles, centrifuges, and nuclear research directly.

The WSJ found that DPRK hacks fund approximately 50% of North Korea's ballistic missile program.

Every protocol that gets drained isn't just losing TVL. It's contributing to a warhead.

The Complete Hit List: Every Major Lazarus Hack on Record

Confirmed or high-confidence attribution by FBI, Chainalysis, TRM Labs, Elliptic, or UN Sanctions Panel.

| # | Target | Date | Amount Stolen | Attack Vector | Status |
|---|--------|------|---------------|---------------|--------|
| 1 | Bithumb (South Korea) | Feb 2017 | ~$7M | Spear-phishing, credential theft | Recovered, rebranded |
| 2 | Yapizon (South Korea) | Apr 2017 | ~$5M | Insider credential compromise | Closed |
| 3 | Youbit (South Korea) | Apr 2017 | ~$73M | Phishing + hot wallet drain | Filed for bankruptcy |
| 4 | Youbit (second attack) | Dec 2017 | ~17% of remaining assets | Repeat intrusion | Forced into bankruptcy |
| 5 | NiceHash (Slovenia) | Dec 2017 | ~$64M (4,736 BTC) | Internal credential compromise | Recovered, repaying users |
| 6 | Coincheck (Japan) | Jan 2018 | ~$530M (NEM) | Hot wallet, spear-phishing | Acquired by Monex Group |
| 7 | Bithumb (2nd attack) | Jun 2018 | ~$30M | Suspected insider threat | Recovered |
| 8 | Bithumb (3rd attack) | Mar 2019 | ~$13M | Hot wallet compromise | Recovered |
| 9 | Kuwait Financial Institution | 2019 | ~$49M | SWIFT-style fraud + crypto | Undisclosed |
| 10 | UpBit (South Korea) | Nov 2019 | ~$50M (ETH) | Hot wallet private key theft | Recovered with reserves |
| 11 | KuCoin (Seychelles) | Sep 2020 | ~$281M | Private key compromise | 84% recovered, survived |
| 12 | Liquid Global (Japan) | Aug 2021 | ~$97M | Hot wallet compromise | Hacked by Lazarus; acquired by FTX → double collapse |
| 13 | Poly Network (DeFi) | Aug 2021 | ~$611M | Smart contract exploit | Hacker returned some funds |
| 14 | Ronin Network / Axie | Mar 2022 | ~$625M | LinkedIn job → validator key theft | Bridge rebuilt, Axie weakened |
| 15 | Harmony Horizon Bridge | Jun 2022 | ~$100M | Private key (2-of-5 multisig) | Bridge shut down permanently |
| 16 | Nomad Bridge | Aug 2022 | ~$190M | Smart contract + copycat chaos | Protocol shut down |
| 17 | Atomic Wallet | Jun 2023 | ~$100M | Supply chain / key extraction | Resumed, reputation damaged |
| 18 | Alphapo (payment) | Jul 2023 | ~$60M | Hot wallet private key | Operations disrupted, rebranded |
| 19 | CoinsPaid (Estonia) | Jul 2023 | ~$37.3M | Fake job interview → malware | Survived, published post-mortem |
| 20 | Stake (casino) | Sep 2023 | ~$41M | Private key compromise | Resumed |
| 21 | CoinEx (Hong Kong) | Sep 2023 | ~$54–70M | Hot wallet key theft | Survived |
| 22 | Radiant Capital (DeFi) | Oct 2024 | ~$53M | Malicious PDF via Telegram | Halted, partially resumed |
| 23 | WazirX (India) | Jul 2024 | ~$234.9M | Multi-sig Safe infrastructure | Operations frozen, users locked |
| 24 | Bybit (UAE) | Feb 2025 | ~$1.5B | Safe{Wallet} UI poisoning | Survived with emergency funding |
| 25 | Drift Protocol (Solana) | Apr 1, 2026 | ~$285M | 6-month in-person social engineering + fake collateral | Frozen, under recovery |
| 26 | KelpDAO / rsETH (LayerZero) | Apr 18, 2026 | ~$290M | RPC infrastructure poisoning + DDoS failover (TraderTraitor) | Under investigation, LayerZero DVN restored |

Several smaller exchange hacks from 2018–2020 remain attributed with medium confidence only. The Nomad Bridge hack included significant copycat draining alongside Lazarus-attributed activity. KelpDAO attribution is preliminary as of publication; LayerZero Labs has confirmed that the attack is likely attributable to the Lazarus Group, more specifically TraderTraitor.

The Graveyard: Protocols That Never Recovered

Some protocols got hit and lived. Others didn't. This is the table that should matter most to founders, not because of the money, but because of the pattern.

| Protocol | Fatal Hack | Amount Lost | What Happened After |
|----------|------------|-------------|---------------------|
| Youbit (South Korea) | Dec 2017 | ~$73M + 17% of assets | Filed for bankruptcy December 2017. First crypto company provably destroyed by Lazarus. |
| Yapizon (South Korea) | Apr 2017 | ~$5M | Closed operations. One of the earliest Lazarus victims to go fully dark. |
| Harmony Horizon Bridge | Jun 2022 | ~$100M | Bridge shut down permanently. ONE token lost 90%+ of peak value. TVL never recovered. |
| Nomad Bridge | Aug 2022 | ~$190M | Protocol shut down. Team disbanded. Nearly all user funds permanently lost. |
| Liquid Global (Japan) | Aug 2021 | ~$97M | Acquired by FTX Feb 2022. When FTX collapsed Nov 2022, Liquid went with it. A double-death. |

Near-fatal but survived:

  • WazirX (2024): India's largest exchange had operations frozen for months. As of early 2026, tens of thousands of users are still navigating a restructuring process to recover funds.
  • Axie Infinity / Sky Mavis (2022): The Ronin hack didn't kill Sky Mavis, but it ended the mainstream chapter of Axie's growth trajectory. DAU numbers never recovered. The play-to-earn thesis effectively died here.

Origin Story: Before Crypto, There Was Bangladesh

To understand Lazarus Group, you have to understand where they came from.

They are attached to North Korea's Reconnaissance General Bureau (RGB), the country's primary foreign intelligence apparatus, and have been active since at least 2009. Internally, defectors refer to the unit as the 414 Liaison Office. They operate under aliases you may have seen in FBI alerts: APT38, Hidden Cobra, Labyrinth Chollima, Diamond Sleet, TraderTraitor.

Their earliest major financial operation wasn't crypto at all. In 2016, they issued 35 fraudulent SWIFT instructions against Bangladesh Bank's account at the Federal Reserve Bank of New York, attempting to drain $1 billion. A single typo, the word "fandation" instead of "foundation", flagged one transfer and saved most of the money. But $81 million still vanished into casinos in the Philippines.

The lesson Lazarus learned: traditional finance had chokepoints. Correspondent banks, SWIFT monitors, compliance officers, frozen accounts. Crypto had none of these.

Crypto transactions are irreversible. There are no correspondent banks to freeze funds. The infrastructure is global, permissionless, and often operated by small teams with startup-grade security postures.

For a regime locked out of SWIFT, banned from dollar clearing, and sanctioned from buying almost anything abroad, crypto wasn't just a target. It was a lifeline.

The regime responded by treating hacking as a state industry. Recruits come from elite math programs and military academies. They train in Shenyang and Vladivostok. They work shift rotations. They have quotas. By 2022, Lazarus was less a hacking group and more a vertically integrated financial crime apparatus: recruiting, targeting, executing, laundering, and exfiltrating on an industrial scale.

The Five Phases of the Playbook

[Figure: five-phase flow]

Phase 1: The Hunt Begins on LinkedIn

Here is what almost everyone gets wrong about Lazarus: they rarely start with a smart contract bug. They start with a human.

The fake recruiter profile is their most refined weapon. LLM-generated work histories. Endorsements from other fabricated accounts. Staged video calls now sometimes using AI-generated faces and voice cloning to defeat liveness checks. One candidate reportedly went through six interview rounds before the malware arrived on round seven.

The bait is always the same: a job offer, a collaboration proposal, or a research opportunity.

In March 2022, a senior engineer at Sky Mavis received a LinkedIn message. The pay was generous. The interviews were thorough. Then came the offer letter: a PDF, opened on his work laptop. That click cost the Ronin Network $625 million.

The GitHub repos used in these operations carry innocuous names: Du-storeBbaudConferenceDVStore-V. They contain real code. Buried inside is a malicious npm dependency or a VS Code extension hook that executes the moment the victim runs npm install or opens a debug session.

By 2025, the playbook evolved. At the executive level, Lazarus began posing as venture capital firms. Fake partners. Fake pitch meetings. Fake due-diligence questionnaires specifically designed to extract one answer: "How is your treasury custodied?"

Then, in early 2026, they evolved again.

The Drift Protocol attack (April 1, 2026) marked the most audacious escalation yet. Lazarus operatives, using non-Korean intermediaries to conduct in-person meetings, approached Drift contributors at major industry conferences starting in fall 2025. They posed as a quantitative trading firm. They attended multiple conferences across multiple countries over six months. They were technically fluent, had verifiable professional backgrounds, and deposited over $1 million of real capital into Drift's ecosystem to build credibility.

Then they drained $285 million in 12 minutes.

The operation required zero smart contract exploit. It required six months of relationship building, a fake token with manufactured price history, and pre-signed administrative transactions embedded using Solana's durable nonce feature.

The individuals who appeared in person were not North Korean nationals. DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building.

— Drift Protocol Post-Mortem, April 2026

The implication is chilling: you can no longer assume the person you met at DevConnect or Token2049 is who they say they are.

Phase 2: The Trojan Horse at Your Standup

LinkedIn is the front door. But there's a second door, and it's even harder to defend.

North Korea has been placing its own operatives, under fabricated Western identities, into jobs at crypto companies. Researchers call this program Wagemole.

The setup is audacious. Operatives are trained in coding, given American or European names and stolen identities, and assigned laptop farms in the US where paid local residents host the machines. A company in San Francisco thinks it hired a developer in Austin. That developer is routing his traffic through a laptop in someone's garage in New Jersey.

Tayvano, the MetaMask researcher running the most comprehensive public record of Lazarus activity, estimates that over 40 DeFi protocols going back to DeFi Summer 2020 have employed DPRK operatives without knowing it.

The most alarming public case: KnowBe4, a company that trains organizations to defend against social engineering, hired a North Korean operative posing as a US software engineer. On day one, before he'd even responded to his welcome Slack messages, he was caught planting malware on his company-issued laptop.

These operatives don't smash-and-grab. They are sleepers.

They ship real code. They attend standups. They earn promotions. The regime reportedly takes 70–90% of their salary as state income, generating hundreds of millions per year on its own, completely independent of any hack. But the salary is secondary. The real prize is access.

When the command comes from Pyongyang, the operative may already hold:

  • Production AWS credentials
  • Commit access to a smart contract repository
  • A signer seat on a multi-sig controlling treasury

Traditional security assumes the attacker is outside the perimeter. Wagemole makes them a full-time employee with a badge, a Slack handle, and a LinkedIn endorsement from your CTO.

Phase 3: The Strike

Now we return to Bybit.

[Figure: the Bybit strike]

Bybit used Safe{Wallet}, the gold standard of multi-sig solutions in DeFi. The smart contracts were battle-tested, deployed across thousands of protocols. The signers were trained. The process was documented.

None of that mattered.

Weeks before the February 2025 heist, a Safe developer was social-engineered. A malicious coding assignment landed on his personal workstation. That workstation held an authenticated AWS session token for Safe's infrastructure, one that bypassed MFA because it was already active.

Lazarus stepped quietly into Safe's backend and deployed a narrowly targeted code change to the Safe UI: a filter that activated only when Bybit's specific wallet addresses were in view. For every other Safe user on Earth, nothing looked different.

For Bybit's signers, the interface showed a routine cold-to-warm wallet transfer.

The actual bytes being signed: a delegatecall to a malicious implementation contract that rewrote the multi-sig's ownership logic, handing Lazarus unrestricted control over the entire wallet.

The signers approved. The transaction confirmed. The malicious code self-deleted within two minutes. 401,347 ETH ($1.5 billion) was gone.

The signers may have believed they were signing a legitimate operation while unknowingly authorizing the drain.

— Charles Guillemet, CTO of Ledger

No smart contract exploit. No private key theft in the traditional sense. The Safe contracts executed exactly what they were told. The lie lived entirely in the frontend, for approximately two minutes.

This is why 76% of all service-level crypto compromises in 2025 were attributed to North Korea. They stopped attacking code. They moved upstream to the humans and the tooling.
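
What "verify what you sign, not what you see" looks like in practice for the Bybit pattern above: an added example (not Safe{Wallet}'s or Bybit's code) that ABI-decodes the raw calldata of a Safe `execTransaction()` and checks the fields the signer actually commits to against a plain-transfer policy. Addresses, the attacker payload and the value limit are constructed placeholders.

```python
# Added example: decode Safe execTransaction() calldata and check it against a
# plain-transfer signing policy, independently of whatever a frontend displays.
# Addresses, the attacker payload and the limits below are constructed placeholders.

ZERO_ADDR = "0x" + "00" * 20
# keccak256("execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)")[:4]
SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1          # Safe's Enum.Operation values


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\x00")


def _dyn_bytes(b: bytes) -> bytes:
    # ABI tail for a `bytes` argument: length word, then data padded to 32 bytes
    return _word(len(b)) + b + b"\x00" * ((32 - len(b) % 32) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction(...). Gas fields and refund addresses are zero here."""
    head_len = 10 * 32                          # ten static head slots
    data_tail = _dyn_bytes(data)
    head = (_addr(to) + _word(value) + _word(head_len) + _word(operation)
            + _word(0) * 3                      # safeTxGas, baseGas, gasPrice
            + _addr(ZERO_ADDR) * 2              # gasToken, refundReceiver
            + _word(head_len + len(data_tail)))  # offset of `signatures`
    return SELECTOR + head + data_tail + _dyn_bytes(signatures)


def decode_exec_transaction(calldata: bytes) -> dict:
    """Recover the fields a signer actually commits to, without trusting any UI."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]

    def slot(i: int) -> bytes:
        return body[32 * i:32 * (i + 1)]

    def uint(i: int) -> int:
        return int.from_bytes(slot(i), "big")

    data_off = uint(2)
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return {
        "to": "0x" + slot(0)[12:].hex(),
        "value": uint(1),
        "operation": uint(3),
        "data": body[data_off + 32:data_off + 32 + data_len],
    }


def check_plain_transfer_policy(calldata: bytes, allowed_recipients: set,
                                max_value_wei: int) -> list:
    """Findings for a transaction the UI presents as a routine ETH transfer.
    An empty list means the raw bytes agree with what the signer was shown."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] != CALL:
        findings.append("operation is DELEGATECALL: the target's code runs inside the "
                        "Safe's own storage and can rewrite owners, threshold or singleton")
    if tx["to"].lower() not in {a.lower() for a in allowed_recipients}:
        findings.append(f"recipient {tx['to']} is not an approved destination")
    if tx["value"] > max_value_wei:
        findings.append(f"value {tx['value']} wei exceeds the per-transaction limit")
    if tx["data"]:
        findings.append(f"calldata {tx['data'].hex()} present on a supposedly plain transfer")
    return findings


# Constructed scenario: the transfer the signers see versus the bytes they sign.
WARM_WALLET = "0x" + "11" * 20          # placeholder for the exchange's warm wallet
MALICIOUS_IMPL = "0x" + "bad0" * 10     # placeholder for an attacker implementation
ONE_ETH = 10 ** 18
POLICY = {"allowed_recipients": {WARM_WALLET}, "max_value_wei": 5_000 * ONE_ETH}


def benign_calldata() -> bytes:
    return encode_exec_transaction(WARM_WALLET, 1_000 * ONE_ETH, b"", CALL)


def poisoned_calldata() -> bytes:
    # Same "routine transfer" in the UI; the bytes instead DELEGATECALL into attacker code
    return encode_exec_transaction(MALICIOUS_IMPL, 0, bytes.fromhex("deadbeef"), DELEGATECALL)


if __name__ == "__main__":
    for label, cd in (("benign", benign_calldata()), ("poisoned", poisoned_calldata())):
        tx = decode_exec_transaction(cd)
        op = "DELEGATECALL" if tx["operation"] == DELEGATECALL else "CALL"
        print(f"{label}: to={tx['to']} value={tx['value']} op={op} data={tx['data'].hex()}")
        for finding in check_plain_transfer_policy(cd, **POLICY):
            print("  !!", finding)
```

The same decode step is what a hardware wallet with its own screen, or a raw calldata verifier, performs before the signer sees "approve"; a DELEGATECALL on a transfer is a hard stop regardless of what the browser rendered.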

Phase 4: The Vanishing Act

Stealing $1.5 billion is the hard part. But keeping it is harder.

[Figure: the vanishing act]

Within minutes of the Bybit transaction confirming, Chainalysis and TRM Labs were tracking the flow. The FBI attributed the attack publicly within 48 hours. Exchanges worldwide began blacklisting addresses.

Lazarus had minutes, not days, before the entire industry was hunting the funds.

This is where the true scale of the apparatus becomes visible. What Lazarus has constructed is a global money-laundering pipeline that operates on a roughly 45-day cycle:

Wave 1 (Days 0–5): Layering. Funds are fragmented into transactions under $500,000, a statistical fingerprint that differentiates DPRK flows from other cybercriminals who move in larger chunks. They flow through DeFi pools, mixers, and privacy protocols. After Tornado Cash and Sinbad were sanctioned, flows shifted to Railgun and a rotating cast of short-lived privacy tools. In Bybit's case, 86% of stolen ETH was converted to Bitcoin within one month, scattered across 12,000+ addresses.

Wave 2 (Days 6–10): Cross-chain movement. ETH swaps to BTC for UTXO opacity. Funds bridge to Tron, where USDT offers the deepest global liquidity. Cross-chain bridges obscure origin.

Wave 3 (Days 20–45): Off-ramp. This is where laundering goes invisible to on-chain analysts. Flows route through Chinese-language OTC brokers in Shenzhen, Macau, and Hong Kong. The marketplace of choice: Cambodia's Huione Group, which the US Treasury's FinCEN designated a primary money laundering concern in May 2025 after determining it processed at least $4 billion in illicit crypto since 2021 (Elliptic puts the real figure closer to $11 billion). Huione even launched its own stablecoin, USDH, explicitly marketed as unfreezable.

By day 45, the money that started as ETH is fiat cash in Pyongyang, allocated to weapons programs.

The UN, FBI, and US Treasury have independently confirmed: the proceeds of these hacks directly fund North Korea's nuclear and ballistic missile programs.

Phase 5: The Newest Weapon, RPC Infrastructure Poisoning

Seventeen days after draining Drift, Lazarus struck again.

[Figure: the KelpDAO hack]

On April 18, 2026, KelpDAO's rsETH was exploited for approximately $290 million, the second nine-figure theft in under three weeks, both attributed to the same TraderTraitor sub-unit of Lazarus Group.

The attack vector was something the industry had not seen at this scale before: targeted RPC infrastructure poisoning combined with DDoS-forced failover.

Here is precisely what happened, from LayerZero's post-mortem:

KelpDAO's rsETH used a 1-of-1 DVN configuration on LayerZero, meaning a single Decentralized Verifier Network (LayerZero Labs' own DVN) was the sole verifier of all cross-chain messages. LayerZero had explicitly recommended multi-DVN setups and communicated best practices to KelpDAO. KelpDAO chose to remain on a single-point-of-failure setup.

That single DVN relied on a pool of RPC nodes to verify transaction legitimacy. Lazarus:

  1. Identified the list of RPC nodes used by LayerZero Labs' DVN.
  2. Compromised two independent RPC nodes running on separate clusters, swapping out the legitimate op-geth binaries for malicious ones.
  3. Built a custom stealth payload: the malicious nodes showed forged data only to the DVN's IP addresses, while reporting truthful data to all other requesters, including LayerZero's own monitoring and scan services. Security tooling saw nothing.
  4. Designed the payload to self-destruct: once the attack completed, the malicious binary deleted itself along with local logs and configs, leaving no trace.
  5. Forced failover: the poisoned nodes alone were insufficient, because LayerZero's DVN also used uncompromised external RPCs for redundancy. So Lazarus DDoS-attacked the uncompromised nodes, forcing the DVN's failover logic to route all verification through the poisoned infrastructure.
  6. With the failover complete, had the malicious nodes confirm cross-chain messages that never actually took place, allowing Lazarus to forge a message minting rsETH against non-existent deposits.

The net result: the LayerZero protocol itself was never exploited. The DVN smart contracts were never exploited. The private keys were never compromised. The attack lived entirely in the off-chain verification layer, the infrastructure that the protocol trusted to tell it the truth about what was happening on-chain.

This is a category-expanding development. Every bridge, every oracle, every cross-chain protocol, and every DeFi integration that relies on off-chain RPC infrastructure to verify on-chain state is now operating in a world where that infrastructure itself can be precision-targeted, poisoned, and made to silently lie while appearing completely normal to all external observers.

What makes this different from previous attacks:

| Bybit / Safe UI Poisoning | KelpDAO RPC Poisoning |
|---------------------------|-----------------------|
| Poisoned the frontend seen by human signers | Poisoned the backend seen by automated verifiers |
| Required a compromised developer's session | Required compromising infrastructure nodes directly |
| Lie lasted ~2 minutes in the UI | Lie self-destructed and erased its own evidence |
| Detected by analytics within hours | Monitoring saw nothing anomalous |
| Single protocol targeted | Any 1/1-DVN protocol on LayerZero was a candidate |

The KelpDAO hack is also the clearest illustration yet of how configuration security, not code security, determines survival. The LayerZero protocol performed exactly as designed. The DVN performed as designed. No smart contract had a bug. KelpDAO was drained because they maintained a single verifier, ignored best-practice recommendations, and gave Lazarus exactly the single point of failure they needed.

Zero contagion reached any other LayerZero application. Every protocol with a multi-DVN setup was untouched. The modular architecture did its job, but only for the protocols that used it correctly.

The lesson is not that LayerZero failed. The lesson is that the attack surface has expanded one more layer deeper, and the next version of this attack may target a multi-DVN setup by compromising nodes across multiple providers simultaneously.
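
To make the failover failure mode concrete, here is an added example (not LayerZero's, KelpDAO's or any DVN's actual code) that simulates a verifier consulting a pool of RPC nodes two ways: "trust the first node that answers" versus "require agreement from a minimum number of distinct operators". It also shows the warning above in action: a quorum of two is still beaten by two compromised operators. Node names, operators and block hashes are constructed.

```python
# Added example: verifier quorum logic for off-chain RPC corroboration.
# Everything here (nodes, operators, hashes) is a constructed simulation.
from dataclasses import dataclass


@dataclass
class RpcNode:
    name: str
    operator: str        # who runs the node; independence is counted per operator
    reported: dict       # block number -> block hash this node will report to the verifier
    online: bool = True

    def block_hash(self, number: int) -> str:
        if not self.online:
            raise TimeoutError(f"{self.name} unreachable")
        return self.reported[number]


def verify_with_failover(nodes: list, number: int):
    """The failure mode from the post-mortem: try nodes in preference order and trust
    the first one that answers. Knocking the preferred nodes offline hands the
    decision to whichever node is left standing."""
    for node in nodes:
        try:
            return node.block_hash(number)
        except TimeoutError:
            continue
    return None


def verify_with_quorum(nodes: list, number: int, min_operators: int):
    """Confirm a hash only when at least min_operators distinct operators report the
    same value, and exactly one value reaches that bar. Unreachable nodes never count,
    so a DDoS can turn a confirmation into a refusal (None) but not into a forged one,
    as long as the attacker controls fewer than min_operators operators."""
    agreeing = {}
    for node in nodes:
        try:
            h = node.block_hash(number)
        except TimeoutError:
            continue          # silence is not evidence of anything
        agreeing.setdefault(h, set()).add(node.operator)
    winners = [h for h, ops in agreeing.items() if len(ops) >= min_operators]
    return winners[0] if len(winners) == 1 else None


# Constructed scenario modelled on the incident description above.
BLOCK = 21_000_000
TRUE_HASH = "0x" + "aa" * 32     # what actually happened on the source chain
FORGED_HASH = "0x" + "ff" * 32   # the "deposit" the poisoned nodes vouch for


def build_nodes(ddos_in_progress: bool) -> list:
    # Three honest operators (taken offline by the DDoS) and two poisoned ones on
    # separate clusters, listed last so failover reaches them only under attack.
    honest = [RpcNode(f"honest-{op}", op, {BLOCK: TRUE_HASH}, online=not ddos_in_progress)
              for op in ("alpha", "beta", "gamma")]
    poisoned = [RpcNode(f"poisoned-{op}", op, {BLOCK: FORGED_HASH})
                for op in ("delta", "epsilon")]
    return honest + poisoned


def run() -> dict:
    calm, under_attack = build_nodes(False), build_nodes(True)
    return {
        "failover_calm": verify_with_failover(calm, BLOCK),
        "failover_under_attack": verify_with_failover(under_attack, BLOCK),
        "quorum3_calm": verify_with_quorum(calm, BLOCK, 3),
        "quorum3_under_attack": verify_with_quorum(under_attack, BLOCK, 3),
        "quorum2_under_attack": verify_with_quorum(under_attack, BLOCK, 2),
    }


if __name__ == "__main__":
    for scenario, outcome in run().items():
        print(f"{scenario:24s} -> {outcome}")
```

Under attack the failover verifier confirms the forged hash, the 3-operator quorum refuses to confirm anything (which is the correct, loud failure), and the 2-operator quorum is beaten because the attacker already holds two operators.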

The Structural Asymmetry Nobody Wants to Name

Here is the part most blog posts skip.

[Figure: team imbalance]

| Your Protocol | Lazarus Group |
|---------------|---------------|
| 10–50 person team | 1,700+ operatives (est. US Army report) |
| Startup security budget | State-funded, military-grade tradecraft |
| Moves fast, ships fast | Moves patiently, 6-month infiltrations |
| Assumes attacker is external | Has operatives already inside |
| Defends at the contract layer | Attacks at the human and tooling layer |
| Transparent, public treasury | Anonymous, state-protected, zero prosecution risk |
| One failed audit = reputational damage | One failed op = reassignment, try again |

This is not a fair fight. But it can be made fairer.

The crypto industry has spent hundreds of millions of dollars on smart contract audits, formal verification, fuzzing, and invariant testing. These are the things Lazarus barely attacks.

Far less investment has gone into operational security, contributor vetting, device hygiene, hardware-isolated signing, supply chain audits, and timelocked governance. These are the things Lazarus always exploits.

The mismatch is the vulnerability.

Red Flags in the Wild: What to Watch For

Lazarus has developed recognizable signatures across every phase. If your team encounters any of these patterns, treat them as active threat indicators, not coincidences.

[Figure: red flags]

On LinkedIn / Telegram / Discord:

  • Recruiter with perfect English, flawless work history, no mutual connections, posting only in the last 6–12 months
  • VC partner who schedules a call but insists on using their custom Zoom/Meet link
  • Collaborator who asks "How is your treasury custodied?" or "Who are the signers on your multi-sig?"
  • GitHub repo with a clean README, real-looking code, and an npm install step that installs a dependency you've never heard of
  • Job offer as a PDF attached to an email from a domain registered last month

In hiring:

  • Candidate perfectly matches the JD but declines video (or uses static/low-resolution video)
  • Developer who passes all technical rounds but requests remote-only, no in-person onboarding
  • Employee who asks for keys/access far beyond their job scope within the first 60 days
  • Contributor who pushes unusually clean commits but never asks questions or joins voice calls

In operations:

  • Multi-sig transaction that your UI displays one way, but the raw calldata says something different
  • npm or pip package that was recently renamed or transferred to a new owner
  • RPC endpoint behavior that subtly differs from a direct node query
  • Your DVN or bridge verifier is running a 1-of-1 configuration: a single verifier, no redundancy
  • Unexpected DDoS activity on your RPC nodes or external infrastructure; this may be a failover-forcing precursor to an RPC poisoning attack
  • Cross-chain messages confirmed by a single off-chain verifier with no independent corroboration
  • Frontend hash that doesn't match your deployment manifest

At conferences:

  • New contact who approaches multiple engineers separately, asking deep architecture questions
  • Trading firm that expresses interest in onboarding a vault and wants to meet all the key people
  • Someone who is unusually knowledgeable about your internal codebase before any formal engagement

Any single signal isn't necessarily a threat. Multiple signals from the same source absolutely are.

What the 2026 Threat Model Actually Demands

If you're building anything with meaningful on-chain value, the minimum viable security posture has fundamentally changed. Here is what it looks like layer by layer.

1. Assume your engineers are targets. The moment a developer's GitHub handle is tied to a protocol holding meaningful TVL, they are on Lazarus's list. Every contributor with production access should be trained to recognize fake job offers, malicious repos, and VC outreach as routine adversarial pressure, not rare events.

2. Verify what you sign, not what you see. The Bybit hack proved that pristine smart contracts mean nothing if the signing UI can be silently rewritten. Signers must verify transaction calldata on a hardware device with its own independent screen. Never trust a browser alone for a high-value approval. EIP-712 structured signing, clear-signing wallets, and raw calldata verifiers are no longer optional.

3. Audit the supply chain, not just the contracts. Your multi-sig library. Your frontend bundler. Your RPC provider. Your npm dependencies. Your wallet infrastructure. Each of these surfaces has been exploited by Lazarus at least once. A smart contract audit that ignores the off-chain surface is auditing a building with the doors unlocked.

4. Timelock the big moves. A 24-hour timelock on large treasury withdrawals would have made the Bybit heist impossible. By the time the delay elapsed, analytics firms would have flagged the flow. Timelocks turn speed-based attacks into detection problems. They are cheap. They are effective. There is no excuse for a protocol holding hundreds of millions in TVL not having them.

5. Treat contributor identity like you treat private keys. Video verification. Reference cross-checking. Background checks that go deeper than LinkedIn. The Security Alliance (SEAL) maintains a growing list of known DPRK IT worker profiles. Use it. For any role touching keys or code, identity verification is a security control, not an HR formality.

6. Conference hygiene is now a security topic. After Drift, the bar has moved. If someone approaches your team at a conference, expresses deep interest in your protocol, proposes integration, and is suspiciously fluent in your architecture, treat that with the same skepticism you'd apply to a cold phishing email. Lazarus now deploys non-Korean intermediaries to conduct in-person meetings. The person you met at ETHDenver may have been paid to build trust with you.

7. Configuration security is as important as code security. The KelpDAO hack had zero smart contract exploits, zero key compromises, zero protocol bugs. It was enabled entirely by a single configuration choice: a 1-of-1 DVN setup that LayerZero had explicitly warned against. Review every integration your protocol depends on for single points of failure: bridges, oracles, DVNs, RPC providers, price feeds. A multi-DVN, multi-RPC, multi-oracle setup is not paranoia. It is the minimum viable posture.

8. Your off-chain verification infrastructure needs the same threat model as your contracts. The KelpDAO attack did not touch a single line of smart contract code. It poisoned the off-chain nodes that the verifier trusted to tell it what was true. Every bridge verifier, oracle network, and cross-chain protocol that relies on RPC nodes to confirm on-chain state should now ask: what happens if two of those nodes are compromised and DDoS forces failover to them? The answer should not be "$290M drained."

9. Cost of each layer before vs. after an incident:

| Security Layer | Cost Before | Cost After Breach |
|----------------|-------------|-------------------|
| Smart contract audit | $20–200K | N/A (post-facto) |
| Hardware signing setup | $500–5K | $500M–$1.5B lost |
| Supply chain audit | $10–50K | Full TVL at risk |
| 24hr timelock | 0 (code change) | Bybit-scale loss |
| Contributor vetting process | $0–10K | Insider access to keys |
| Multi-DVN / multi-RPC setup | $0 (config change) | KelpDAO-scale loss |
| Phishing training | $5–20K/yr | Everything |

Each layer is cheap to build before an incident. Each is brutally expensive to retrofit after one.

The People Fighting Back

So far this blog has been about the offense. Here is the defense.

In late 2024, the Ethereum Foundation with Secureum, The Red Guild, and SEAL launched the ETH Rangers Program: six months of stipends for independent researchers doing public goods security work across Ethereum. 17 recipients. Results that matter directly to the Lazarus threat.

The headline number: ~100 DPRK IT workers identified across 53 Web3 projects. Not hypothetical. Real operatives, inside real protocols, with real access, waiting on a command from Pyongyang. Alongside that: 785+ vulnerabilities reported, $5.8M recovered from active exploits, 36+ incident responses handled, and 209,000+ people reached with threat awareness content.

Three projects every founder should know about:

The Ketman Project built the industry standard for detecting and expelling DPRK IT workers. They open-sourced gh-fake-analyzer, a GitHub profile analysis tool on PyPI that flags suspicious contributor patterns, and co-authored the DPRK IT Workers Framework with SEAL. If you've hired remotely in the last two years and haven't run your contributors through this framework, your threat model is incomplete.

Nick Bax contributed to 36+ SEAL 911 incident responses, helped notify 30+ teams employing DPRK workers, and created a Fake VC warning video that landed, with multiple executives crediting it for preventing them from being hacked. That's the exact fake VC attack vector from Phase 1 of this blog.

DeFiHackLabs built an Incident Explorer covering 620+ proof-of-concept exploits with root cause analysis, the closest thing the industry has to a complete map of how every major DeFi attack actually executed. The client DoS research team also found 14 bugs across all five major Ethereum execution clients, the same class of infrastructure weakness Lazarus exploited to force failover in the KelpDAO attack.

Securing a decentralized network requires a decentralized defense.

— ETH Rangers Program Report, 2025

Your internal security team cannot track 100 DPRK operatives across 53 organizations. The Ketman Project can. Use what exists: gh-fake-analyzer on your contributors, the DPRK IT Workers Framework before your next hire, and SEAL 911 (@seal_911_bot on Telegram) as your first call after an incident.

Conclusion

The playbook is public. The attack patterns are documented. The tools to defend against them exist. And yet Lazarus just had their best decade on record. The Bybit signer did everything right. The screen lied. The Drift contributors met their attackers in person. KelpDAO's verifier confirmed a transaction that never happened. In each case, the lie was built weeks or months before anyone noticed. Lazarus is already in your next conversation on LinkedIn, at your next conference, inside a pull request. The only question is whether your perimeter is deep enough to catch it.

All Rights Reserved. © 2026. QuillAudits - LLC