The Lazarus Group - the Danger of an Increasingly Powerful Cyberhacking Force
Kenjee Sidambarom-Sevagamy
December 23, 2025
Abstract
In July 2024, the WazirX hack, a massive cyberattack on a cryptocurrency firm, took place and resulted in a loss of $235 million. On January 14th, the US, Japan, and South Korea jointly acknowledged the Lazarus Group's responsibility, shedding light on this underground force often overlooked by mainstream media (Times of India, 2025). Yet the group's origins actually date back to 2009, which warrants further investigation.
This article will hence explore the group's political motivations, the dual purpose of its hacking techniques (meticulously protecting its activities while supporting North Korea), and how, by exploiting human error and technical miscalculations, it poses a significant global cybersecurity threat.
Lazarus, a group mimicking the operating patterns of North Korea
To start, the group can be defined as an advanced persistent threat (APT) organisation, owing to the sophisticated and persistent pattern of cybercrime through which it operates (Lindemulder, 2024), as illustrated by the several months that three governments needed jointly to trace back the aforementioned cyberattack. A major point to be made is its alleged deep affiliation with the North Korean government, which, so far, can only be factually supported by similarities in the patterns of the malware used; firms such as Symantec and Kaspersky are the ones that have identified such overlaps (AO KASPERSKY LAB, 2025). Additionally, the Internet Protocol (IP) addresses from which observed Lazarus cyberattacks originated coincide with areas known to be operational areas for North Korea, including China and Malaysia. This group, like any other faction involved in cyber warfare, reconceives the whole dynamic of warfare, far from a conventional interstate conflict between warmongers of equal scale. Instead, the purpose is to allow countries with theoretically lower geopolitical leverage to overcome their shortcomings, a purpose even truer for a country like North Korea, allegedly autarkic but still considerably dependent on its communist neighbour.
Understanding the articulation of Lazarus' cyber attacks
More concretely, even if the purpose of this article is not to delve into technicalities, Arif Perdana, professor of algorithmic systems and data analytics at Monash University, has drawn up a chronological typology of how Lazarus cyberattacks unfold. The pattern starts with the identification of a human failure through which the security of the target system can be breached, hence engaging in social engineering, notably by sending malicious emails.
After the targeted system has been infiltrated, the malware starts its operation. In doing so, it can affect the functioning of the hacked platform and cause disruption to its users, especially when the latter is a governmental or service platform, notably using the distributed denial of service (DDoS) technique (Perdana et al., 2024). Yet, more interestingly, the attacks also have a long-term perspective, notably through multiple anti-forensic measures aimed at preventing the hack from being traced back to its author. Lastly, one should note the use of persistent malware, which allows the breaches in the hacked platform to be exploited repeatedly, leading at the more extreme end to cyber espionage.
The main purposes of Lazarus’ attacks
Having identified the pattern, the records show that the three main fields on which these cyberattacks focus are espionage, financial theft, and destructive attacks.
The first relies on human error, seeking breaches arising from mistakes committed by governmental agents, whose devices could give access to a considerable amount of sensitive data, notably blueprints or weapons designs. The most famous example is the Sony Pictures attack of 2014, in which Lazarus gained access to confidential data on unreleased films and employee information, which it disclosed in retaliation for the release of the movie “The Interview,” which denounced its activities. By its very ability to reverse the balance of power, this cyberattack highlighted the ‘role of coercion’ (Sharp, 2017) in the Lazarus Group's cyberattack strategy.
The evident aim is for North Korea's military industry to compensate for its lack of technological advancement by exploiting the technology of more advanced countries, to which it would otherwise not have access. However, it could also help, by means of blackmail, to obtain diplomatic leverage. The 2018 Winter Olympic Games, which, as a reminder, were held in Pyeongchang, South Korea, offered an international platform for the group’s visibility: massive IT attacks targeted bookings and tickets, threatening to discredit South Korea's ability to safely and successfully organise such a major global event (Pandey, n.d.).
However, the hacks that actually make the headlines concern the financial field, notably capitalising on the volatile nature of cryptocurrency. Hackers try to infiltrate key transactions and the key individuals involved in them. Beyond the introductory case, one of the most massive attacks of this kind targeted the Bangladesh Bank, with an attempt to steal nearly $1 billion which, despite being stopped, still led to the extraction of $81 million. Similar attacks have been noted, sharing the common feature of targeting countries where a considerable sum could be embezzled and which are known to lack a proper cybersecurity architecture to counter hacks of this scale. As in the prior case, the strategy is operated through spearphishing. The aim is both to conceal the transactions of the theft by combining them with other assets, as allowed by the Tornado Cash protocol, and to capitalise on the vulnerabilities of the software on which transactions occur, such as Ethereum and Bitcoin, notably using the CoinBerry Act (Gulyás, 2022).
Conclusive reflections on the threat posed to global security
Academia is aware of the overall patterns and purposes of the attacks conducted by Lazarus in close collaboration with the North Korean government. As the examples have shown, the range is wide, and the points of entry are twofold, relying on the likelihood of both human miscalculation and technological failure. The threat posed is global: although some developing countries are more technologically and humanly vulnerable to such attacks, they are only an easy target for the group. The latter is actually aiming to reach countries of greater scale, which, if affected, would lose their standing on the global stage, further entrenching the success of a North Korean state-sponsored group. A podcast, entitled The Lazarus Heist, also navigates the complexities of the group's operating mechanisms by dedicating one episode to a specific case study of a cyberattack operated by the group (BBC, 2023). The recent rise of this group, as well as the unpredictable nature of the impact it may eventually reach, are factors of uncertainty and fear for the international community, which further justify claims that it is potentially more dangerous than a Russian enemy already known for its long-standing historical involvement in secret services.
References
AO KASPERSKY LAB (2025, May 2). APT and financial attacks on industrial organizations in H2 2023. Kaspersky. https://ics-cert.kaspersky.com/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/
BBC World Service (2023, May 1). The Lazarus heist, s2. 8 bitcoin bandits. https://www.bbc.co.uk/programmes/w3ct5fc5
Gulyás, A. (2022). “Lazarus”: The North Korean hacker group. STRATEGIES XXI: The Complex and Dynamic Nature of the Security Environment, 75–83. https://doi.org/10.53477/2668-6511-22-08
Lindemulder, G. (2024, April 3). What are advanced persistent threats? IBM. https://www.ibm.com/think/topics/advanced-persistent-threats
Pandey, P. (n.d.). The 2018 “Olympic Destroyer” Cyber Attack. Cybersecure It. https://www.cybersecure-it.org/blog/the-2018-olympic-destroyer-cyber-attack
Perdana, A., Aminanto, M. E., & Anggorojati, B. (2024). Hack, heist, and havoc: The Lazarus Group’s triple threat to global cybersecurity. Journal of Information Technology Teaching Cases, 20438869241303941. https://doi.org/10.1177/20438869241303941
Sharp, T. (2017). Theorizing cyber coercion: The 2014 North Korean operation against Sony. Journal of Strategic Studies, (7), 898–905. https://doi.org/10.1080/01402390.2017.1307741
Times of India. (2025, January 14). WazirX’s $235 million hack tied to North Korean cyber group; US, Japan, South Korea issues joint statement. https://timesofindia.indiatimes.com/technology/tech-news/wazirxs-235-million-hack-tied-to-north-korean-cyber-group-us-japan-south-korea-issues-joint-statement/articleshow/117241373.cms