
The Lazarus Group and DPRK Crypto Theft in 2026: What Compliance Teams Need to Know

A current-state briefing on North Korea's Lazarus Group crypto theft program in 2026, covering the Bybit hack, evolving laundering typologies, active OFAC and UN designations, and a practical red-flag checklist and screening configuration guidance for crypto compliance teams.

Basit Nayani, June 10, 2026

North Korea's state-sponsored cryptocurrency theft program has become one of the most operationally significant financial crime threats facing the crypto industry. It is not a periodic problem or a series of isolated incidents. It is a sustained campaign run by a sanctioned government that has made cryptocurrency theft a structural component of its revenue model. DPRK-linked actors stole $2.02 billion in 2025, a 51% year-on-year increase, pushing the all-time cumulative total to $6.75 billion. North Korean hackers accounted for 76% of all crypto hack value through April 2026. The February 2025 Bybit theft of $1.5 billion in Ethereum, the largest single cryptocurrency theft in history, was attributed by the FBI to the Lazarus Group cluster it tracks as TraderTraitor. In April 2026, a $292 million exploit of Kelp DAO was attributed to the same group.

For compliance teams at exchanges, custodians, DeFi protocols, and any platform that interacts with the on-chain world, understanding the current-state laundering typology, the active designations in force, and the red flags that indicate exposure to DPRK-attributed activity is not optional. It is the baseline for a defensible screening program.

The Structure of DPRK Crypto Operations

Lazarus Group is the public label applied to a cluster of North Korean state cyber units operating under the Reconnaissance General Bureau. Within that cluster, TraderTraitor is a subunit that specializes in crypto industry targets, using social engineering against technical staff through fake recruiter pitches, malware-laced pre-employment tests, and compromise of wallet software vendors or signing infrastructure. 

The Bybit attack was a masterclass in this approach. The attack began with a compromised laptop belonging to a developer at SafeWallet, the multisig infrastructure provider Bybit used. The attackers manipulated Bybit's cold wallet signing process, redirecting approximately 500,000 ETH to attacker-controlled addresses. The attack exploited the trust chain between a third-party vendor and its client. The mechanism was not a vulnerability in Bybit's smart contracts but a supply chain compromise of the signing interface that prevented human reviewers from seeing what they were actually approving. 

The largest publicly attributed incidents form a campaign, not a list of accidents: Ronin Network in March 2022 at $625 million, Harmony Horizon in June 2022 at $100 million, Atomic Wallet in 2023 at $100 million, DMM Bitcoin in May 2024 at $308 million, Bybit in February 2025 at $1.5 billion, and Kelp DAO in April 2026 at $292 million. 

The 2026 Laundering Typology

DPRK laundering has evolved in response to each wave of designation and enforcement action. The Tornado Cash OFAC designation in 2022 and the August 2025 conviction of Tornado Cash co-founder Roman Storm for sanctions violations and unlicensed money transmission removed one of the group's primary mixing tools. The response has been adaptation rather than reduction.

The current laundering sequence typically follows four stages:

  • Stage 1: Rapid cross-chain movement. Within hours of a theft, funds are bridged from the origin chain to Ethereum, where liquidity and mixing options are greater. In the Bybit case, Chainalysis noted the use of intermediary wallets, decentralized exchanges, cross-chain bridges, and no-KYC swap services. 
  • Stage 2: Mixer usage. Post-Tornado Cash, DPRK actors have pivoted to alternative mixing services operating outside US jurisdiction, peer-to-peer transactions in emerging markets, and privacy coins with built-in anonymization.
  • Stage 3: Chain-hopping. Funds cycle through multiple blockchain networks, Ethereum to Avalanche to BSC to Bitcoin, using non-KYC bridges and DEXes to sever the on-chain custody chain.
  • Stage 4: OTC conversion. Funds are converted to fiat through OTC desks, particularly in Southeast Asia and the Middle East, where regulatory coverage of crypto-to-fiat conversion is thinner.

On March 12, 2026, OFAC designated new sanctions targets tied to North Korea's IT worker program, which has evolved from operatives applying for remote jobs at crypto firms to orchestrating fake hiring processes, posing as recruiters for prominent Web3 and AI companies to harvest credentials, source code, and VPN access. 

Active Designations

Compliance teams must screen against the following active designations covering DPRK cyber operations:

  • OFAC: On April 14, 2022, OFAC placed Lazarus Group on the SDN List under North Korea Sanctions Regulations section 510.214. Multiple subsequent designations have added specific wallet addresses, front companies, and individuals associated with DPRK IT worker operations. OFAC wallet blocklists are published following major attribution events, including after the Bybit hack. 
  • United Nations: The UN Panel of Experts on North Korea has documented DPRK crypto operations in annual reports with specific transaction analysis. The UN Security Council Consolidated List includes DPRK-controlled entities and individuals. UN Panel reports are a primary source of typology intelligence.
  • EU: The EU sanctions regime on North Korea covers the same core designations as the UN list, and EU operators must screen against the EU consolidated list accordingly.
  • UK: The UK OFSI North Korea sanctions list mirrors UN designations. UK-regulated crypto platforms must screen against the OFSI consolidated list.
  • FBI Public Service Announcements: The FBI has published PSAs following major DPRK attributions, including wallet blocklists that represent the most current public intelligence on active laundering addresses.


Red Flag Checklist for Crypto Compliance Teams

The following indicators are drawn from OFAC, FinCEN, and UN guidance on DPRK-linked activity and should be incorporated into transaction monitoring rules and onboarding risk assessments:

  • Blockchain analytics flags: Wallet exposure to known DPRK-attributed addresses, addresses that have interacted with sanctioned mixing services, or addresses with high-risk darknet market exposure
  • Chain-hopping patterns: Rapid movement of funds across multiple blockchain networks within hours or days of receipt, without clear business rationale
  • No-KYC bridge and DEX usage: Transactions routing through bridges or DEXes that do not require identity verification, particularly as a pattern rather than a one-off transaction
  • Newly created wallets receiving large transfers: DPRK operations often move funds to fresh addresses with no prior transaction history to sever the forensic chain
  • Deposits from wallets linked to known theft incidents: Exchanges should cross-reference deposit addresses against published FBI and OFAC blocklists from recent attribution events
  • Social engineering indicators in operational context: For exchanges and custodians with technical staff, phishing attempts impersonating recruiters, fake Zoom or Calendly links, and code review requests from unknown contacts that require downloading files
  • Third-party software dependency changes: Unexpected updates to wallet signing infrastructure or third-party libraries used in transaction approval workflows
  • OTC desk counterparties in high-risk jurisdictions: Transactions routed through OTC desks in jurisdictions with limited crypto AML coverage


Screening Configuration Guidance

Blockchain analytics integration is the operational foundation of DPRK screening. Compliance teams should configure their analytics tools to:

  • Flag any direct or indirect exposure to addresses on OFAC's SDN List, including DPRK-designated addresses. Indirect exposure is typically defined at 10% or greater, but 1% should trigger review for terrorism-connected wallets, given OFAC's stated standard
  • Enable real-time alerts for deposits from addresses that appear on newly published OFAC blocklists, FBI PSA wallet lists, or UN Panel of Experts address disclosures
  • Apply enhanced review to transactions involving mixing services, including those not yet formally sanctioned, where the service's primary use case is obfuscation
  • Monitor for chain-hopping patterns that compress movement across multiple networks into a short time window, which is a structural indicator of active laundering
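The red-flag checklist and the configuration guidance above describe three monitoring rules: value-weighted exposure to blocklisted addresses with the 10% and 1% thresholds, chain-hopping compressed into a short window, and large deposits into fresh wallets. The following is an added illustration of those rules in Python, not sanctions.io's product code; the blocklist entry, addresses, amounts and timestamps are constructed placeholders, and the default hop limit and window are assumptions to be tuned per platform.

```python
# Added example (not sanctions.io product code): monitoring rules for the DPRK screening
# controls described above. Addresses, amounts and timestamps are constructed placeholders.
from dataclasses import dataclass
from datetime import datetime, timedelta

BLOCKLIST = {"dprk-placeholder-1"}  # stand-in for an OFAC SDN / FBI PSA wallet list

@dataclass
class Transfer:
    ts: datetime
    chain: str
    src: str
    dst: str
    usd: float

def exposure(transfers, address, max_hops=3, seen=frozenset()):
    # Value-weighted share of inbound funds traceable to a blocklisted address within
    # max_hops transfers (direct plus indirect exposure); seen breaks cycles.
    if address in BLOCKLIST:
        return 1.0
    inbound = [t for t in transfers if t.dst == address]
    total = sum(t.usd for t in inbound)
    if max_hops == 0 or address in seen or total == 0:
        return 0.0
    return sum(t.usd * exposure(transfers, t.src, max_hops - 1, seen | {address})
               for t in inbound) / total

def exposure_alert(transfers, address, terrorism_connected=False):
    # 10% exposure triggers review; 1% for terrorism-connected wallets.
    return exposure(transfers, address) >= (0.01 if terrorism_connected else 0.10)

def chain_hopping_alert(transfers, cluster, window=timedelta(hours=48), min_chains=3):
    # One wallet cluster's funds touching >= min_chains networks inside the window.
    hits = sorted((t for t in transfers if cluster & {t.src, t.dst}), key=lambda t: t.ts)
    return any(len({t.chain for t in hits[i:] if t.ts - first.ts <= window}) >= min_chains
               for i, first in enumerate(hits))

def fresh_wallet_alert(transfers, transfer, min_usd=1_000_000):
    # Large deposit into an address with no transaction history before this transfer.
    prior = any(t.ts < transfer.ts and transfer.dst in (t.src, t.dst) for t in transfers)
    return transfer.usd >= min_usd and not prior

T0 = datetime(2026, 1, 1)
SAMPLE = [  # constructed: proceeds bridged across three chains, then partly deposited
    Transfer(T0, "ethereum", "dprk-placeholder-1", "hop-a", 4_000_000),
    Transfer(T0 + timedelta(hours=2), "avalanche", "hop-a", "hop-b", 4_000_000),
    Transfer(T0 + timedelta(hours=9), "bsc", "hop-b", "exchange-deposit", 500_000),
    Transfer(T0 + timedelta(hours=21), "bsc", "clean-customer", "exchange-deposit", 2_000_000),
]
```

On the sample, the exchange deposit address shows 20% exposure (the tainted $500k against $2.5M inbound), so it trips the 10% rule while a hop limit of two would miss it entirely, which is why the hop depth is a setting worth reviewing rather than a default to accept.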

Centralized exchanges are the final choke point in most DPRK laundering chains. Enhanced screening for DPRK-attributed wallets, mandatory delays on large withdrawals to new addresses, and real-time OFAC screening are baseline requirements that all major exchanges should be meeting. 

Conclusion

The Lazarus Group is not a standard financial crime actor that responds to conventional AML controls calibrated for human money laundering networks. It is a state program with dedicated technical resources, a long operational horizon, and a track record of successful adaptation to enforcement actions. The UN Panel of Experts has estimated that crypto theft funds a material proportion of North Korea's ballistic missile and nuclear weapons development programs, documented in Security Council reports with specific transaction analysis linking DPRK-attributed proceeds to weapons procurement networks. For compliance teams, this means the stakes are not limited to regulatory risk. They extend to the real-world consequences of allowing stolen funds to cycle through their platforms undetected. 

sanctions.io is a highly reliable and cost-effective solution for real-time screening. AI-powered screening and an enterprise-grade API with 99.99% uptime are the reasons customers globally trust us with their compliance efforts and sanctions screening needs. To learn more about how our sanctions, PEP, and criminal watchlist screening service can support your organisation's compliance program: Book a free Discovery Call. We also encourage you to take advantage of our free 7-day trial to get started with your sanctions and AML screening (no credit card is required).

With experience in digital marketing, business development, and content strategy across mainland Europe, the UK and Asia, Basit Nayani joined the team as Head of Marketing & Growth in 2025.