Everyday is lazarus.day
Tracking DPRK cyber operations — one report, one actor, one connection at a time.
Favrr
On June 25, 2025, Favrr’s FAVRR token DEX listing was exploited, with blockchain analysis estimating more than $680,000 stolen from the Web3 project. The analysis linked the loss to payroll and wallet flows involving suspected DPRK IT workers hired as dev… →
Harmony Bridge
In June 2022, Harmony’s Horizon Bridge lost about $100 million in virtual currency after attackers compromised bridge-validator private keys and moved assets including USDC, ETH, USDT, BNB, and other tokens through wallet hopping and Tornado Cash. Harmony… →
6.25 Cyber Terror
The June 25, 2013 cyberattack wave targeted South Korean government, political, military, and media-related sites with DDoS, outages, defacements, data exposure, and destructive malware timed to the Korean War anniversary. Technical evidence included comp… →
AnOctopus
Andariel targeted centralized management solutions used by South Korean enterprises, abusing exposed administrator console ports, vulnerable management software, and later supply-chain distribution paths through developers with downstream customers. Linke… →
CoinStats
On June 22, 2024, CoinStats suffered a wallet breach attributed by the company to Lazarus Group or a related nation-state-level organization. The attacker gained unauthorized access across CoinStats infrastructure and service providers, exposing private k… →
JumpCloud
JumpCloud disclosed a targeted compromise of internal infrastructure after a spear-phishing campaign, with anomalous activity in its commands framework affecting a small set of customers and forcing credential rotation, infrastructure rebuilds, and custom… →
Bithumb#3
Bithumb disclosed a June 2018 cryptocurrency theft initially estimated at about 35 billion KRW, with the exchange covering losses from company reserves while moving customer assets to cold wallets and suspending cryptocurrency and KRW withdrawals during c… →
Bithumb#2
Bithumb disclosed that a 2017 hacking incident involving an employee personal PC exposed customer personal information, with later company reporting describing about 30,000 affected users and exposed names, email addresses, and phone numbers while stating… →
ChainSaw
On June 18 and June 23, 2025, Matt Furie and ChainSaw-linked NFT projects including Replicandy, Peplicator, Hedz, and Zogz were exploited after contract ownership was transferred to attacker-controlled wallet 0x9Fca. The attacker unpaused mints, minted NF… →
H0lyGh0st Ransomware
DEV-0530, a North Korea-origin ransomware cluster with suspected overlap with PLUTONIUM/Andariel tooling and infrastructure, used H0lyGh0st ransomware against small and midsize businesses from at least September 2021. The campaign encrypted Windows system… →
CoinTiger
CoinTiger is linked in U.S. virtual-currency forfeiture and UN Panel reporting to 2019 cryptocurrency-laundering activity connected to funds stolen from exchanges and other hacks. The available evidence places the Singapore-based exchange in the broader D… →
Vietnam Financial Institute
UN Panel evidence lists Vietnam among suspected DPRK cyber attacks on financial institutions and records an attempted theft of more than EUR 1 million through fraudulent SWIFT messages reported by Tien Phong Bank. The case is part of the same bank-theft p… →
RSupport
RSupport disclosed that one internal PC showed signs of malware infection and that a code-signing certificate used for file integrity verification may have been exposed, prompting revocation, replacement, and security-hardening measures with KISA support.… →
Nigerian Bank
The Nigerian Bank incident is listed among DPRK-linked BangSwift financial operations in broad U.S. indictment and UN sanctions reporting that described North Korean RGB-associated actors, including activity associated in security reporting with Lazarus G… →
Seoul Metro
Seoul Metro reported a multi-month compromise of office PC management infrastructure for subway lines 1 through 4, affecting 58 infected PCs, abnormal access involving 213 PCs, and loss of control over PC management and webzine servers. Investigators said… →