The Lazarus Group


    The Lazarus Group is an offensive component of North Korea’s cyber warfare strategy and operations. Above all, the group mainly performs targeted offensive cyber operations. Subsequently, they operate under a wide range of monikers from “APPLE WORM”, “GROUP 77”, and the “GUARDIANS OF PEACE”. The group first seemed to enter the public eye in or around 2009. (Source

    In short, Lazarus’s current mission appears to be an extension of North Korea’s will to acquire foreign currency.

    The organization of Lazarus in unknown. Internally known as the “414 Liaison Office” according to North Korean defector Kim Kuk-song. Subsequently, this is part of the Reconnaissance General Bureau, NK’s CIA or MI6 equivalent. This Bureau seems to lead the cyber warfare “charge” of NK. (Source) Another defector, Kim Heung-Kwang, a professor, claimed to have seen students go on to hacking units in the military. He then estimated that the country had 6,000 cyber-soldiers in 2015. (Source)

    Lazarus Group Operations 

    Operation Troy

    The first attack traced back to the group was Operation Troy. It was a relatively simple DDoS (denial of service) attack against government websites in the United States and South Korea. (Source)

    Ten Days of Rain

    In 2011, Lazarus initiated the “Ten Days of Rain” attack. A more sophisticated DDoS, this attack targeted several large financial institutions in South Korea. (Source) 2013 saw Lazarus use a wiper called “darkseoul.” To clarify, this attack widened its scope to media institutions and ISPs. (Source

    Sony Attack 

    In 2014, Lazarus saw global recognition for its attack on Sony Pictures. Lazarus’ anger was ignited by the film “The Interview.” Lazarus, acting under the name “Guardians of Peace.” The group leaked upcoming movies and media. Lazarus also revealed the personal information of Sony Employees. (Source) Then, someone claiming a link to the group said that the group had infiltrated Sony for a year before the attack. (Source

    The Lazarus Group
    Screenshot of Sony’s company computers on the day of the hack. (Source)

    WannaCry (?) 

    WannaCry is the name of ransomware that locks one’s computer and demands payments in cryptocurrency, mainly Bitcoin. This attack by Lazarus on May 12th, 2017 targeted 200,000 OS’ all over the world. Subsequently, the attack caused $4 billion in damages. (source &Source) In effect, the attack compromised Microsoft’s OS. 

    The United States announced formal charges against Park Jin-Hyok, a North Korean citizen and alleged member of the Lazarus Group. (Source)

    The Lazarus Group
    FBI wanted poster of a Lazarus member, Park Jin Hyok. (Source

    An interesting development to come out of this was the theory of a false-flag cyber warfare attack by the US to spur international anger at North Korea. The US National Security Administration created part of the malware’s code. (Source) The Russian hacker group “TheShadowBrokers” stole the code. In effect, this is how the Lazarus Group was able to acquire the code. (Source

    Crypto Korea

    Above all, The Lazarus Group has been involved in multiple cases of stealing and hacking cryptocurrency. A researcher behind Ethereum was found guilty of espionage and treason charges. This was after speaking at the Pyongyang Blockchain and Cryptocurrency Conference, in 2013. Subsequently, Virgil Griffith reportedly gave NK officials knowledge on how to launder cryptocurrency assets through decentralized mechanisms and use them to bypass sanctions. (Source

    The United Nations inquiry document into the situation pointed fingers at North Korea and Lazarus for cyber warfare activities in an Asia-based cryptocurrency exchange, KuCoin. (Source) Furthermore, the theft occurred in September of 2020 and the hackers logged off with over $200,000,000 in cryptocurrency assets. (Source)

    Axie Infinity, a cryptocurrency game, was hacked for $615 million USD. (source) Lazarus facilitated one of the largest hacks ever in cryptocurrency. The FBI linked them to the hack. Cryptocurrency poses a viable target for Lazarus, as its lack of regulation and shield of anonymity protect them somewhat. Above all, this is viable for the North Korean state to use as foreign assets and currency for imports. 

    Furthermore, this nexus between nation and cryptocurrency may have evolved to a more sinister level. The United Nations inquiry believed that this money was used to fund the nuclear missile program in North Korea. Therefore, it has evolved from a financial crime to a breach of international code, to an international security issue as a whole.


    In effect, North Korea has emerged as an asymmetric threat in terms of cyber capabilities. This is seen in the hacks on the South Korean government, North Korea’s alleged crypto-nuclear nexus, and the most recent attack on a popular crypto game. 

    “Lazarus’s sickness will not end in death. No, it happened for the glory of God so that the Son of God will receive glory from this.”

    JOHN 11:1-14

    Wes Martin
    Wes Martin
    Wesley is an alumni of The Fund for American Studies and Ronald Reagan Institute in Washington, DC. He is currently in his senior year of his undergraduate degree at Southern New Hampshire University studying Law & Politics.

    Table of contents


    Get the weekly email from Grey Dynamics that makes reading intel articles and reports actually enjoyable. Join our mailing list to stay in the loop for free!

    Related contents