For more than a decade, the Lazarus Group was described as a North Korean hacking unit: a fantastically proficient outfit responsible for bank thefts, espionage, and high-profile breaches that allowed Pyongyang to maintain plausible deniability behind layers of malware and false flags.

By the late 2010s, the group had been publicly attributed to operations such as the 2014 Sony Pictures attack and the 2016 Bangladesh Bank heist, placing it at the forefront of the growing number of state-sponsored cyber criminals

But Lazarus never stopped evolving. Culminating in 2025, it has confirmed its ability to be one of the main money-making methods for the North Korean regime.

cyber-Between February and December 2025 alone, Lazarus conducted major cryptocurrency thefts totalling more than $2 billion. The February breach of the exchange Bybit saw around $1.5 billion be stolen. This was the largest cryptocurrency theft on record.

Within weeks, hundreds of millions of dollars from the Bybit theft were laundered through informal financial infrastructure. A coordinated international response and multimillion-dollar recovery bounties, only a small fraction of the proceeds were ever recovered

The question for 2026 is not whether Lazarus will continue their heists, but whether any existing enforcement architecture can meaningfully constrain it.