CryptoCoverage

Lazarus Group's $6 Billion Crypto Hacks: Full Timeline of Hacks that Shook the Industry

Introduction


Lazarus Group, a North Korean state-sponsored hacking unit, has rewritten the rulebook on cybercrime in crypto. Since 2017, they’ve stolen over $6 billion in digital assets across a series of high-profile exchange, wallet, and DeFi bridge hacks. This timeline breaks down how Lazarus evolved, where they struck, and what it means for global crypto security.

2017–2018: Early Exchange Hacks

  • Feb 2017: Bithumb (South Korea) hacked for $7M in BTC & ETH. Entry via phishing and malware.
  • Dec 2017: NiceHash (Slovenia) breached for 4,500 BTC (~$80M). Attack used credential theft.
  • Jan 2018: Coincheck (Japan) lost $530M in NEM tokens. Hot wallet breach confirmed.

2019–2020: Bigger Targets, Larger Sums

  • Nov 2019: Upbit hacked for 342,000 ETH (~$49M). South Korean authorities blamed Lazarus.
  • Sept 2020: KuCoin (Singapore) suffered a $275M loss. Lazarus moved funds through DEXs and mixers.

2022: Lazarus Turns to DeFi

2023: Wallets and Payment Platforms in Crosshairs

  • Jun 2023: Atomic Wallet users lost $100M. Suspected malware infection.
  • Jul 2023: CoinsPaid and Alphapo hit for $97M. Attack used fake job offers and Trojanized software.
  • Sept 2023: Stake.com drained of $41M. Likely key theft or smart contract tampering.

2024–2025: Billion-Dollar Hacks & Fallout

  • Jul 2024: WazirX (India) suffered a $235M loss. Smart contract and multisig exploited.
  • Feb 2025: Bybit (UAE) hacked for 400,000 ETH (~$1.5B). Largest crypto hack to date. Lazarus breached custody platform.

Lazarus Group’s Hacking Tactics

  • Social Engineering: Fake recruiters and job offers sent via LinkedIn or email.
  • Malware: Trojanized crypto apps and clipboard hijackers.
  • Credential & Key Theft: From exchanges, wallet providers, and bridge validators.
  • Money Laundering: Tornado Cash, Sinbad.io, DEXs, and TRON-based token swaps.

Impact & Global Response

  • Total Stolen: Over $6 billion in crypto assets.
  • Regions Hit: Japan, South Korea, India, UAE, USA, Hong Kong.
  • Government Response: US Treasury sanctions, FBI investigations, and blacklisting of wallets and mixers.

Conclusion


Lazarus Group isn’t just a hacker syndicate; they’re a geopolitical cyber weapon. Their evolving playbook now includes DeFi, NFTs, and payment gateways. The global crypto industry is catching up, but the stakes are rising. This timeline shows exactly how they did it and why they’re still the biggest threat in the crypto world today.