Lazarus Group Stole $1.4B in Crypto; Will Use AI & Deepfakes for 2026 Attacks
North Korea’s Lazarus hacking collective is intensifying its targeted phishing campaigns against cryptocurrency platforms and individual investors, amassing hundreds of millions of dollars in illicit gains. According to a report by AhnLab, the group is expected to adopt even more sophisticated spear-phishing tactics in 2026, increasingly leveraging AI, deepfakes, and advanced evasion techniques to bypass security systems.
Lazarus Group is widely regarded as one of the most dangerous cybercriminal organizations, responsible for a string of high-profile attacks on the cryptocurrency sector. Researchers recall the theft of $1.4 billion from the Bybit exchange on 21 February 2025, as well as the $30 million breach of Upbit. In total, Lazarus is credited with stealing more than $1.4 billion from the crypto industry alone in recent years. The group is linked to North Korea’s intelligence services and is believed to possess virtually unlimited resources for developing and refining new attack methods.
Lazarus’s primary weapon is spear phishing—a form of precision-crafted phishing that differs starkly from mass spam campaigns. Before an attack, adversaries study their target: scouring social-media profiles, LinkedIn pages, prior correspondence, and public appearances. Based on this intelligence, they forge emails that mimic genuine conference invitations, job offers, or interview requests. These messages appear authentic, complete with accurate salutations and contextual detail. A single click on a link or the opening of an attachment is enough to install malware that steals credentials or grants the attackers access to a corporate network.
AhnLab’s analysis for October 2024 to September 2025 shows Lazarus implicated in 31 documented intrusions, surpassing other prominent actors such as Kimsuky (27 mentions) and TA-RedAnt (17 mentions). Moreover, Lazarus’s interests extend well beyond cryptocurrency exchanges: financial institutions, IT companies, and even the defense sector have become targets. Analysts underscore that human error remains the decisive factor—employees and users who trust “plausible” emails are the gatekeepers whom Lazarus aims to exploit.
In the cryptocurrency ecosystem, such attacks are especially destructive: transactions are irreversible, and asset values fluctuate rapidly. A compromised wallet, exchange account, or internal platform system can lead to multimillion-dollar losses within minutes. AhnLab observes that Lazarus’s resilience is driven not only by its operators’ skills but also by a continuous influx of technical and financial resources.
The report emphasizes that over the past 12 months, Lazarus has consistently remained one of the gravest threats to crypto exchanges. The Bybit and Upbit incidents alone yielded the group more than $1.43 billion. The attack pattern is often the same: the victim receives a meticulously crafted email, follows a link, enters credentials or opens an attachment, and in doing so grants the attackers access to exchange systems or personal assets.
Amid the rise of these attacks, experts stress the importance of both technical and behavioral defenses. For everyday users, the fundamental rules remain unchanged: verify senders through independent channels (such as a company’s official website or verified phone numbers), enable multifactor authentication across all crypto-related services, and encrypt network traffic—especially when conducting financial operations. Users should avoid clicking suspicious links, refrain from opening attachments from unknown or overly insistent contacts, and keep systems and applications fully up to date with security patches.
Specialized recommendations focus on mitigating spear-phishing risks in crypto transactions. Experts advise minimizing publicly available personal information—job titles, habits, and professional contacts—as the less the attackers know, the harder it is for them to craft a truly convincing email. Whenever in doubt, recipients should verify messages through alternate channels: calling the purported sender, messaging them separately, or contacting official support rather than replying directly to a suspicious email.
For organizations, user discipline is insufficient on its own. AhnLab calls for comprehensive, multilayered defense: regular security audits, strict patch-management policies, phasing out legacy systems, and continuous employee training on identifying phishing and social-engineering attempts. Incident analyses from 2025 show that attackers from Lazarus, Kimsuky, and TA-RedAnt frequently exploit human mistakes and vulnerabilities in outdated software.
AhnLab also recommends that companies and individuals rely solely on official software sources, avoid downloading applications from dubious websites, and never open files sent by unknown senders. Modern antivirus solutions and anomaly-detection systems can help detect unusual activity—ranging from remote-access attempts to suspicious cryptocurrency-wallet operations. At the corporate-network level, essential measures include infrastructure segmentation, rigorous access-control policies, and monitoring of internal data flows.
A growing point of concern is the role of artificial intelligence in future attacks. AhnLab predicts that by 2026, AI will become a standard tool for cybercriminals—capable of mass-generating realistic phishing sites and emails free of typical grammatical flaws, as well as producing numerous malware variants crafted to evade antivirus tools and analysis systems.
Deepfake technologies warrant particular attention: forged video and audio featuring company executives, well-known experts, or supposed exchange employees may be used to increase the credibility of fraudulent requests and malicious links. AhnLab analysts warn that deepfake attacks will evolve to a point where distinguishing fabrication from reality becomes exceedingly difficult. This elevates the risk of confidential-data breaches and underscores the critical importance of robust information-security measures and vigilant monitoring of anomalous account and system behavior.