At 2:16 AM in Dubai, a Bybit signer approved what looked like a routine transfer. It wasn’t. Somewhere near Pyongyang, a room full of operatives erupted in celebration. They had just pulled off the largest financial theft in history: $1.5 billion, gone in a single block confirmation.
This wasn’t an anomaly. It was the climax of a decade-long playbook.
The Numbers Are Staggering
North Korea’s Lazarus Group has stolen over $7.5 billion in crypto since 2017. By 2025, they were responsible for 59% of all crypto theft on the planet. The UN estimates this represents roughly 13% of North Korea’s entire GDP, directly funding ballistic missiles and nuclear research.
In April 2026 alone, they struck twice in 17 days for a combined $575 million.
It Started With a LinkedIn Message
Lazarus rarely begins with a smart contract bug. They begin with a human.
Fake recruiters with AI-generated profiles. Staged video calls using voice cloning. One target went through six interview rounds before malware arrived on round seven. The bait: a job offer, a collaboration, a PDF. That’s how the Ronin Network lost $625 million: a senior Sky Mavis engineer opened an “offer letter.”
By 2025, they had evolved further, posing as venture capital firms, attending conferences and running fake pitch meetings designed specifically to extract one thing: “How is your treasury custodied?”
They’re Already Inside Your Team
Beyond phishing, North Korea has been placing operatives under fabricated Western identities directly inside crypto companies. Researchers call this Wagemole. Estimates suggest over 40 DeFi protocols have unknowingly employed DPRK operatives since 2020.
These aren’t smash-and-grab attackers. They ship real code, attend standups, earn promotions and wait for the command from Pyongyang.
The Bybit Hack Rewrote the Rules
Bybit used industry-standard multi-sig. Trained signers. Documented processes. None of it mattered.
Lazarus social-engineered a Safe developer, gained backend access, and deployed a targeted UI change visible only when Bybit’s specific wallet addresses were in view. Signers saw a routine transfer. What they actually signed: a delegatecall handing Lazarus full control. The malicious code self-deleted within two minutes. 401,347 ETH was gone.
No smart contract exploit. No key theft. Just a lying frontend.
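The defensive lesson of the Bybit case is that the frontend is not the thing you sign; the raw execTransaction payload is. The following added example (not from the original post or the Safe project) decodes that payload independently and refuses to sign when the operation field is a delegatecall; the selector is Safe's published execTransaction selector, while the addresses, calldata and allow-list are constructed for illustration.

```python
# Added example: independently decode a Safe execTransaction payload and flag
# what a poisoned UI could hide, such as operation = DELEGATECALL.
from dataclasses import dataclass

# First 4 bytes of keccak256("execTransaction(address,uint256,bytes,uint8,
# uint256,uint256,uint256,address,address,bytes)") as published by Safe.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int

def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def encode_exec_transaction(tx: SafeTx) -> bytes:
    """ABI-encode execTransaction (gas fields zero, signatures empty)."""
    padded = tx.data + b"\x00" * (-len(tx.data) % 32)
    data_off = 10 * 32                     # head holds 10 static words
    sig_off = data_off + 32 + len(padded)  # signatures follow the data blob
    head = [int(tx.to, 16), tx.value, data_off, tx.operation, 0, 0, 0, 0, 0, sig_off]
    return (EXEC_TRANSACTION_SELECTOR + b"".join(_word(w) for w in head)
            + _word(len(tx.data)) + padded + _word(0))

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Pull to/value/data/operation straight from the bytes, not from a UI."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    word = lambda i: int.from_bytes(calldata[4 + 32 * i: 36 + 32 * i], "big")
    data_off = word(2)
    data_len = int.from_bytes(calldata[4 + data_off: 36 + data_off], "big")
    data = calldata[36 + data_off: 36 + data_off + data_len]
    return SafeTx(to="0x%040x" % word(0), value=word(1), data=data, operation=word(3))

def review_safe_tx(tx: SafeTx, allowed_recipients) -> list:
    """Return findings for a tx the UI presents as a plain transfer; empty = OK."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation=DELEGATECALL: target code runs in the Safe's "
                        "own storage and can replace owners, modules or the proxy")
    if tx.to.lower() not in {a.lower() for a in allowed_recipients}:
        findings.append(f"to={tx.to} is not an allow-listed recipient")
    if tx.data:
        findings.append("a plain ETH transfer should carry no calldata")
    return findings
```

Run the check against the raw bytes shown by a hardware wallet or fetched from the Safe Transaction Service, never against what the web UI renders.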
The Newest Threat: Infrastructure Poisoning
Seventeen days after Bybit, they struck KelpDAO for $290 million using a technique the industry had never seen at scale: RPC node poisoning + DDoS-forced failover. The protocol was never exploited. The smart contracts were never touched. The lie lived entirely in the off-chain verification layer.
Every bridge, oracle, and cross-chain protocol relying on RPC infrastructure to verify on-chain state now operates in a world where that infrastructure can silently lie and erase all evidence.
The mismatch is the vulnerability. Crypto has spent hundreds of millions auditing contracts. Lazarus attacks the humans and the tooling.
Wanna know more? We have a detailed blog on North Korea’s Complete Crypto Hacking Playbook covering every major attack, the full 5-phase methodology, red flags to watch for, and a complete defense checklist.
North Korea Stole $7.5 Billion From Crypto So Far. Here’s Their Playbook. was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.
