Paradigm security researcher Samczsun is raising concerns that North Korea’s cyber operations extend far beyond the notorious Lazarus Group.
His warnings come as the crypto industry emerges from the recent Bybit hack, which reportedly involved a sophisticated compromise of SafeWallet infrastructure.
This attack marked a departure from previous North Korean hacking incidents. Instead of directly targeting Bybit, the hackers managed to breach Safe{Wallet}.
This shift in tactics highlights the growing sophistication of their strategies and raises significant concerns about the security of the broader cryptocurrency ecosystem.
According to Samczsun, North Korean-backed cybercrime isn’t just the work of a single group, but rather a network of state-sponsored threat actors operating under different names.
North Korea’s cyber warfare structure
Samczsun has been analyzing North Korea’s cyber threat for years. He explains that referring to all North Korean cyber activity as the “Lazarus Group” oversimplifies a far more complex network.
North Korea’s hacking operations are primarily run through the Reconnaissance General Bureau, an intelligence agency that oversees multiple hacking units. These include not only Lazarus Group but also APT38, AppleJeus, and other specialized teams.
Each of these groups has a different focus. Lazarus Group, for example, is known for high-profile cyberattacks, including the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist. APT38 specializes in financial crimes, including bank fraud and cryptocurrency theft.
“APT38,” Samczsun wrote, “which spun out of Lazarus Group in around 2016 in order to focus on financial crimes, targeting banks (such as the Bank of Bangladesh) first, then cryptocurrency later.”
AppleJeus has targeted cryptocurrency users with malware disguised as trading apps.
These groups work under the same government umbrella, helping to fund North Korea’s weapons programs and evade international sanctions.
Crypto is now a North Korea target
North Korea has turned to cryptocurrency as a major source of revenue. Unlike traditional finance, crypto transactions are decentralized and often more difficult to track or freeze.
North Korean hackers exploit this by breaching exchanges, deploying malware, and using fake job offers to gain access to internal systems.
One example is the case of “Wagemole” operatives — North Korean IT workers who infiltrate legitimate tech companies. These individuals appear to be regular employees but sometimes use their access to steal funds or compromise systems.
This tactic was seen in the Munchables exploit, where an employee with ties to North Korea drained assets from the protocol.
Another method is supply chain attacks, where hackers compromise software providers that serve cryptocurrency firms. In one case, AppleJeus hackers inserted malware into a widely used communications tool, affecting millions of users.
In another, North Korean attackers breached a contractor working with Radiant Capital, gaining access through social engineering on Telegram, according to Samczsun.
What this means for crypto
Samczsun warned that North Korea’s cyber operations are evolving. The Bybit attack shows that hackers are now targeting infrastructure providers, not just exchanges.
This means the entire crypto ecosystem — from wallets to smart contract platforms — could be at risk.
For crypto users and businesses, the key takeaway is that North Korean cyber threats go beyond Lazarus Group and simple exchange hacks. The industry needs stronger security protocols, improved intelligence sharing, and greater awareness of social engineering threats.
