Over the past decade, the Lazarus Group—an elite hacking cell allegedly backed by North Korea—has raided the digital vaults of exchanges, bridges, wallets, even a global entertainment giant. Their exploits fund a sanctioned regime, destabilize markets and leave millions of retail investors licking their wounds. From billion-dollar exchange drains to overnight rug-pulls, each job reveals a new tactic: social engineering, hot-wallet exploits, cross-chain laundering or pure price manipulation. Below, we break down the nine most jaw-dropping Lazarus heists, how they unfolded, why they mattered and the cybersecurity lessons the entire crypto industry must learn—fast.
Bybit: The $1.46 Billion Earthquake

Bybit woke up to a nightmare in early 2024: $1.46 billion siphoned from its hot wallets in less than 90 minutes. Investigators say Lazarus quietly breached a senior engineer’s laptop months earlier through a malicious PDF disguised as a compliance report. Once inside, they waited until reserves were high after a marketing campaign, then triggered a series of rapid withdrawals routed through privacy-focused blockchains and high-latency mixers. The hit instantly became the biggest exchange hack in history, surpassing Mt. Gox and FTX combined. Bybit paused withdrawals, but the damage, both reputational and financial, was already irreparable.
Ronin Bridge: Axie Infinity’s $625 Million Collapse

In March 2022, gamers feeding virtual pets on Axie Infinity had no idea their future earnings were evaporating in real time. Lazarus compromised five of nine validator nodes controlling the Ronin side-chain, exploiting lax key management and an unused multi-sig upgrade path. They withdrew 173,600 ETH and 25.5 million USDC, worth $625 million then, before anyone noticed. With a single transaction they transformed a play-to-earn darling into a cautionary tale. Axie’s developer Sky Mavis eventually raised funds to compensate players, but trust in crypto gaming bridges has never fully recovered.
Horizon Bridge: $100 Million via Fake Job Offers

Harmony’s Horizon Bridge was touted as a seamless conduit between Ethereum, BNB Chain and Harmony. Lazarus saw a soft target. Over several months they sent LinkedIn messages offering six-figure salaries to Harmony engineers, tricking one into downloading a booby-trapped PDF. The malware harvested private keys that unlocked two of the bridge’s five validators, just enough to approve transfers. On 24 June 2022, $100 million in altcoins vanished and was rapidly swapped into ETH, washed through Tornado Cash and dispersed across dozens of wallets. Social engineering, not zero-day exploits, turned out to be the weakest link.
Atomic Wallet: Users Wake Up Broke

June 2023 was brutal for self-custody advocates. Atomic Wallet customers logged in to see balances of zero, their seed phrases likely exfiltrated by a compromised update server. Chain sleuths watched as $100 million in BTC, XRP and USDT funneled through mixers linked to Lazarus. Because Atomic is non-custodial, no centralized treasury existed to reimburse victims. Class-action lawsuits are pending, but most users will never recover their coins. The incident shattered the assumption that “not your keys, not your coins” is always safer, highlighting how supply-chain attacks can poison even private wallets.
CoinEx: $70 Million Drained Across Multiple Chains

In September 2023, CoinEx’s hot wallets for ETH, TRON and Polygon began hemorrhaging funds in coordinated bursts. Internal logs later showed API keys leaked from a phishing email impersonating cloud-service support. Lazarus swapped stolen tokens across chains to obfuscate the trail, then parked them in privacy layers before cashing out via OTC desks in Asia. The $70 million loss was smaller than Ronin’s, but it underscored a bigger issue: cross-chain liquidity gives hackers more escape routes than ever. CoinEx rebuilt its wallet architecture, yet the industry still lacks standardized hot-wallet security frameworks.
Stake.com: The Casino That Lost the House’s Money

Crypto gambling platform Stake.com prided itself on fast payouts and celebrity partnerships, until September 2023, when $41 million in ETH, BNB and MATIC vanished. Analysts believe Lazarus exploited a leaked AWS key to generate withdrawal signatures, then disabled monitoring alarms to buy time. Within hours, the funds were bridged to Bitcoin and funneled into mixers. Stake covered user balances from corporate reserves, but regulators quickly scrutinized the platform’s Know-Your-Customer loopholes. The hack illustrated how online casinos, with high turnover and on-chain liquidity, are prime laundering venues for state-sponsored thieves.
Poloniex: An Old Guard Exchange Goes Dark

Poloniex, once a top-five exchange, had faded into niche status by late 2023, making it a perfect target. Lazarus allegedly bribed a customer-service contractor for VPN credentials, giving them unmonitored back-office access. They generated withdrawal vouchers worth $120 million, timed during a wallet maintenance window to avoid auto-alerts. By the time Poloniex froze wallets, most funds were already processed through Layer-2 rollups and swapped for Monero. The breach shows that even veteran platforms, if understaffed or complacent, remain vulnerable to insider collusion.
Sony Pictures: A $3 Million Reminder They Never Left

Many thought Sony had tightened security after the infamous 2014 email leak, but Lazarus struck again in 2023, this time targeting treasury accounts rather than Hollywood gossip. Posing as a Singaporean vendor, they tricked a finance employee into changing a USDT payout address. Roughly $3 million disappeared, a drop compared to exchange hacks, yet the symbolism was loud: the same group behind the original Sony breach still haunts corporate networks. Authorities traced the tokens through Tornado Cash, but sanctions make clawbacks nearly impossible.
Mango Markets: The $114 Million Price-Manipulation Masterclass

October 2022 saw Solana-based Mango Markets exploited in a flash-loan frenzy. While the main perpetrator publicly negotiated a “bug-bounty” payback, blockchain forensics later linked funding wallets to addresses used by Lazarus. The group allegedly provided capital and scripts to inflate MNGO’s price 30-fold, then borrowed against the artificial collateral, emptying $114 million of liquidity. Retail traders were left holding worthless tokens. The episode blurred the lines between market manipulation and outright theft, proving Lazarus’s playbook extends well beyond traditional hacking.