LLMpediaThe first transparent, open encyclopedia generated by LLMs

Lazarus Group

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: WannaCry Hop 4
Name: Lazarus Group
Type: Advanced persistent threat
Years active: c. 2007–present
Location: Allegedly based in North Korea
Targets: Financial institutions, cryptocurrency exchanges, media, defense contractors
Methods: Spear phishing, malware, supply chain attacks, zero-day exploits

Lazarus Group is an advanced persistent threat (APT) actor that cybersecurity firms and governments widely attribute to the Democratic People's Republic of Korea. It is considered one of the most prolific and financially motivated state-sponsored hacking collectives, responsible for high-profile attacks on the global financial system and the cryptocurrency industry. Its operations are assessed to serve the strategic and financial objectives of the North Korean government, blending espionage with large-scale theft.

Overview

The group is characterized by sophisticated, adaptable, and aggressive campaigns that have evolved over more than a decade. Its activity spans destructive attacks, intelligence gathering, and financially motivated heists against banks and digital asset platforms. Security researchers, including those at Kaspersky Lab, CrowdStrike, and Mandiant, have documented its activities extensively, noting a large arsenal of custom malware families and exploitation techniques. Attribution rests on overlaps in tooling, infrastructure, and tradecraft across campaigns rather than on any single indicator; the group's infrastructure has often been traced to IP addresses in China and other countries, which helps mask its true origin and complicates attribution.

History and origins

The earliest public attributions to the group trace back to investigations of the 2009 distributed denial-of-service attacks against South Korean and U.S. government websites. Its notoriety increased dramatically after the 2014 cyberattack on Sony Pictures Entertainment, launched in retaliation for the film The Interview; the Federal Bureau of Investigation subsequently attributed that attack to the North Korean government. Further evidence of state sponsorship emerged from the 2016 attempt to steal nearly $1 billion from the Bangladesh Bank, in which the attackers abused the bank's access to the SWIFT interbank messaging network to issue fraudulent transfer requests. About $81 million was ultimately stolen before the remaining transfers were blocked.

Major cyber operations

Beyond the Sony attack and the Bangladesh Bank heist, the group has been linked to a long series of global incidents. These include the 2017 WannaCry ransomware outbreak, which crippled hundreds of thousands of computers worldwide, including systems within the UK's National Health Service. Its focus later shifted prominently to cryptocurrency exchanges, with major thefts reported from platforms such as Coincheck in Japan and numerous exchanges in South Korea. Other significant operations include the reported targeting in 2020 of organizations working on COVID-19 vaccine research and the 2022 theft of roughly $625 million from the Ronin Network, which the FBI publicly attributed to the group.

Formal attribution by national governments has solidified the connection to Pyongyang. In 2019 the U.S. Treasury Department sanctioned the Lazarus Group and its subgroups, explicitly naming the Reconnaissance General Bureau, North Korea's primary intelligence agency, as its controlling body, and the Department of Justice has indicted individuals associated with its activities. The UN Security Council's Panel of Experts has reported on how the group's financial cyber operations violate international sanctions resolutions and help fund the regime's weapons programs. Intelligence agencies, including the U.S. National Security Agency and the UK's GCHQ, have consistently supported this assessment, citing technical evidence and signals intelligence.

Techniques and tools

The group employs a broad and evolving toolkit, frequently gaining initial access through social engineering, most often spear-phishing emails tailored to the target. It has deployed a range of distinctive malware, such as Duuzer, Brambul, and the AppleJeus backdoor, which was delivered through trojanized cryptocurrency trading applications. The group is known for exploiting zero-day vulnerabilities, including browser zero-days, and for conducting software supply chain attacks, such as the 2023 compromise of the 3CX desktop application, which pushed malicious code to 3CX customers through the vendor's own signed installer. Its operators carefully obfuscate their command and control infrastructure to evade detection. Security vendors track overlapping clusters of this activity under their own names, so the same campaign may be reported under several different labels.

Impact and responses

The financial impact of its campaigns is estimated in the billions of U.S. dollars, widely assessed to fund regime priorities. In response, international coordination has increased, with joint advisories issued by agencies such as the FBI, CISA, and the UK's NCSC. The European Union and the U.S. Treasury have imposed repeated sanctions on associated hackers and front companies. Private sector efforts, led by blockchain analytics firms such as Chainalysis and CipherTrace, focus on tracing stolen cryptocurrency flows, while organizations such as Interpol facilitate global law enforcement collaboration against the threat.