North Korea’s Lazarus Group is waging a cyberwar on crypto—And developers are the new target

Source: Cryptopolitan

The Lazarus Group, North Korea’s infamous hacking unit, has carried out a new wave of cryptocurrency-focused cyberattacks, with an increasing emphasis on software developers.

Security researchers have found over the last few months that the group has been publishing malicious npm packages that steal credentials, exfiltrate cryptocurrency wallet data, and plant a persistent backdoor in development environments. It marks a major escalation in a years-long campaign that has already produced some of the biggest crypto heists in history.

According to a new investigation by the Socket Research Team, a Lazarus-linked group has been publishing malicious packages to the npm registry, one of the most widely used package repositories for JavaScript developers.

The hackers used typosquatting: they published packages whose names mimic popular, legitimate npm packages, so that an inattentive developer installs the lookalike instead of the package they intended. The packages identified include is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator.

When executed, the packages install the BeaverTail malware. This tool steals login credentials, searches browser files for saved passwords, and dumps files from cryptocurrency wallets such as Solana and Exodus.

Security researchers noted that the stolen data were sent to a hardcoded command-and-control (C2) server, a common Lazarus Group modus operandi for relaying stolen data back to the operators.

Its purpose is to steal and transmit compromised data without being detected, and it is particularly threatening in the world of developers building financial and blockchain applications, says Kirill Boychenko, a threat intelligence analyst at Socket Security.

Lazarus launched an offensive against Bybit, stealing nearly $1.46 billion

In addition to these supply chain attacks, Lazarus Group has also been tied to one of the biggest cryptocurrency thefts on record. On February 21, 2025, group-linked hackers breached Bybit, one of the world’s biggest crypto exchanges, making off with an estimated $1.46 billion in crypto assets.

The attack was highly sophisticated and was reportedly launched from the compromised device of an employee of Safe{Wallet}, the multisig wallet provider Bybit relied on. By tampering with the wallet’s signing interface, the hackers got Bybit’s signers to approve a transaction that was not the one displayed to them; the approved transaction altered the wallet’s smart-contract logic and redirected the funds to attacker-controlled addresses.

Although Bybit responded immediately, CEO Ben Zhou later stated that about 20% of the stolen funds had already been laundered through mixing services and could no longer be traced.

This latest series of attacks is part of North Korea’s broader effort to evade international sanctions by stealing and laundering cryptocurrency.

According to a 2024 United Nations report, North Korean hackers were responsible for over 35% of global cryptocurrency thefts over the past year, amassing more than $1 billion in stolen assets. Lazarus Group is not just a cybercrime syndicate but also a geopolitical threat, since the stolen money is reportedly funnelled directly into the country’s nuclear weapons and ballistic missile programs.

Lazarus Group’s tactics have also evolved over the years, from direct exchange hacks to supply chain attacks and now to attacks on developers and software repositories.

By planting backdoored packages on open-source platforms such as npm, PyPI, and GitHub, the group reaches many downstream systems at once, without having to break directly into a cryptocurrency exchange.

Security experts are calling for stricter protections for crypto developers 

Noting these growing risks, security specialists are pushing for stricter protections for developers and crypto users. One basic practice is verifying the authenticity of an npm package before installing it, checking that the exact name and publisher match the package you intended, because typosquatting remains one of the most common tactics cybercriminals use.
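The package names listed earlier (is-buffer-validator, auth-validator, react-event-dependency) show the pattern: a popular name with a plausible suffix, or a near-miss spelling. The script below is an added example, not code from the article, from Socket, or from npm; it audits a package.json for dependency names that sit within a small edit distance of a popular package or embed a popular name. The POPULAR and ALLOWLIST lists and the sample package.json are illustrative assumptions, not npm’s real rankings.

```javascript
// Added example (not from the article, Socket, or npm): flag dependency names
// that typosquat popular packages, either by a near-miss spelling or by
// embedding a popular name with a prefix/suffix, as the packages in the
// article do ("is-buffer-validator", "auth-validator", ...).
// POPULAR and ALLOWLIST are illustrative assumptions, not npm's real rankings.
const POPULAR = ['is-buffer', 'validator', 'react', 'lodash', 'express', 'auth0'];
// Known-legitimate names that embed a popular name and would otherwise be flagged.
const ALLOWLIST = new Set(['react-dom', 'express-validator']);

// Optimal-string-alignment edit distance: insert, delete, substitute, or swap
// two adjacent characters each cost 1, so "lodahs" is distance 1 from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Reasons a single dependency name looks like a typosquat; [] means no concern.
function suspicionsFor(name, popular = POPULAR, allow = ALLOWLIST) {
  const bare = name.replace(/^@[^/]+\//, ''); // drop an npm scope prefix
  if (popular.includes(bare) || allow.has(bare)) return [];
  const reasons = [];
  for (const p of popular) {
    const dist = editDistance(bare, p);
    if (dist <= 2) reasons.push(`near-miss of "${p}" (edit distance ${dist})`);
    if (bare.startsWith(p + '-') || bare.endsWith('-' + p)) {
      reasons.push(`embeds popular name "${p}"`);
    }
  }
  return reasons;
}

// Audit every dependency in a parsed package.json; returns {name: [reasons]}.
function auditDependencies(pkgJson, popular = POPULAR, allow = ALLOWLIST) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = {};
  for (const name of Object.keys(deps)) {
    const reasons = suspicionsFor(name, popular, allow);
    if (reasons.length > 0) findings[name] = reasons;
  }
  return findings;
}

// Constructed package.json: two of the article's package names, legitimate
// dependencies, and a one-letter transposition of "lodash".
const SAMPLE_PACKAGE_JSON = {
  name: 'my-dapp',
  dependencies: {
    'is-buffer-validator': '^1.0.0',
    'auth-validator': '^2.1.0',
    lodash: '^4.17.21',
    lodahs: '^1.0.0',
    express: '^4.19.0',
    'react-dom': '^18.3.0',
  },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

This is a triage signal, not a verdict: legitimate packages such as react-dom also embed popular names, which is why the allowlist exists. Run it against the real package.json in CI and treat any new finding as a prompt to look at the package’s publisher and history before the install proceeds.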

Dependency scanners such as Socket’s AI scanner flag anomalous behaviour in your dependencies, and npm audit reports dependencies with known advisories, so that compromised packages can be identified and removed from your application before they do real damage.

Security guidance also recommends that users and developers enable multi-factor authentication (MFA) on exchange accounts, developer platforms such as GitHub, and other accounts.

Network monitoring is another important line of defence: a compromised system typically phones home to an external command-and-control (C2) server, which receives the stolen data and can push further malicious payloads to the infected machine. Blocking unexpected outbound connections, especially to unfamiliar hosts and IP addresses, can cut off the attackers’ access to the stolen data.
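BeaverTail’s behaviour as the article describes it (browser password stores, Solana and Exodus wallet files, exfiltration to a hardcoded C2) and the outbound-traffic blocking recommended above can both be turned into a concrete triage step. The following is an added example, not code from the article, from Socket, or from any published BeaverTail signature: it scans a package’s JavaScript source for those indicators and extracts literal-IP endpoints for an egress blocklist. The indicator patterns, the file paths and the two sample sources are my assumptions and constructed inputs; real malware is usually obfuscated, so a clean result is weak evidence.

```javascript
// Added example (not from the article or Socket): static triage of a package's
// source for the behaviours the article attributes to BeaverTail. The patterns
// below are illustrative assumptions, not a published signature set.
const INDICATORS = [
  { id: 'hardcoded_ip_url', re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/g,
    why: 'URL with a literal IP address (typical hardcoded C2)' },
  { id: 'solana_keypair', re: /\.config[\\/]solana[\\/]id\.json/g,
    why: 'reads the Solana CLI keypair file' },
  { id: 'exodus_wallet', re: /exodus\.wallet|Exodus[\\/]/g,
    why: 'touches the Exodus wallet directory' },
  { id: 'browser_logins', re: /Login Data|logins\.json/g,
    why: 'reads Chromium/Firefox saved-password stores' },
  { id: 'dynamic_eval', re: /\beval\s*\(|new\s+Function\s*\(/g,
    why: 'executes dynamically built code' },
  { id: 'base64_blob', re: /Buffer\.from\(\s*['"][A-Za-z0-9+/=]{40,}['"]\s*,\s*['"]base64['"]\s*\)/g,
    why: 'decodes a long base64 payload' },
];

// Return one hit per indicator that fires, with a count and the first match,
// in INDICATORS order so reports are stable.
function scanSource(source) {
  const hits = [];
  for (const ind of INDICATORS) {
    const matches = source.match(ind.re);
    if (matches) hits.push({ id: ind.id, count: matches.length, sample: matches[0], why: ind.why });
  }
  return hits;
}

// Pull every literal-IP endpoint out of the source as "ip:port" so it can be
// fed straight to an egress blocklist; defaults the port by scheme.
function extractC2Endpoints(source) {
  const re = /(https?):\/\/(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?/g;
  const out = new Set();
  for (const m of source.matchAll(re)) {
    out.add(`${m[2]}:${m[3] || (m[1] === 'https' ? 443 : 80)}`);
  }
  return [...out];
}

// Constructed sample: a stealer-style snippet using a TEST-NET-3 address
// (203.0.113.0/24 is reserved for documentation) and a fake base64 payload.
const SAMPLE_SUSPICIOUS = [
  "const os = require('os'), fs = require('fs'), http = require('http');",
  "const C2 = 'http://203.0.113.7:1224/uploads';",
  "const kp = fs.readFileSync(os.homedir() + '/.config/solana/id.json');",
  "const ld = fs.readFileSync(os.homedir() + '/Library/Application Support/Google/Chrome/Default/Login Data');",
  "const loader = Buffer.from('" + 'QUJDRA'.repeat(8) + "', 'base64');",
  'eval(loader.toString());',
].join('\n');

// Constructed sample: what the genuine is-buffer style of package looks like.
const SAMPLE_BENIGN = [
  'module.exports = function isBuffer(obj) {',
  '  return obj != null && obj.constructor != null &&',
  "    typeof obj.constructor.isBuffer === 'function' && obj.constructor.isBuffer(obj);",
  '};',
].join('\n');

console.log(scanSource(SAMPLE_SUSPICIOUS));
console.log('egress blocklist candidates:', extractC2Endpoints(SAMPLE_SUSPICIOUS));
console.log('benign hits:', scanSource(SAMPLE_BENIGN).length);
```

In practice you would run scanSource over every file in node_modules after install and feed the extracted endpoints to the egress firewall; the article’s point about blocking outbound traffic only works if the blocklist is built from what the code actually tries to reach.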

Bybit launches recovery bounty as crypto security battle heats up

Following the Bybit hack, the exchange also launched a Recovery Bounty Program, rewarding anyone who helps track down and recover the stolen assets. Rewards can reach up to 10% of the funds recovered.

At the same time, the wider crypto ecosystem is tightening its security practices and warning developers about the techniques that lead to such compromises.

But as Lazarus Group’s tactics advance ever more quickly, network defenders say the war on crypto has only just begun.
