The Lazarus Group, notorious for its cyber operations and its ties to North Korea, has reportedly intensified its attacks on the cryptocurrency industry, with developers as a primary target. Over the past few months the group has been found publishing malicious npm packages that steal credentials, siphon off cryptocurrency wallet data, and plant a persistent backdoor in development environments. This marks a further escalation in a campaign that already includes some of the largest cryptocurrency heists in history.
A recent investigation by the Socket Research Team revealed that a group linked to Lazarus has infiltrated the npm registry, the dominant package manager for JavaScript developers. The attackers used typosquatting: they published packages whose names imitate popular npm packages, so that developers who mistype a dependency name or pick the look-alike from search results install the malicious package instead. The packages identified are is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator.
Once installed and executed, these tainted packages deploy BeaverTail malware, an infostealer that harvests login credentials, scours browser profiles for saved passwords, and collects cryptocurrency wallet data, including Solana and Exodus wallet files. Security researchers noted that the stolen data is transmitted to a hardcoded command-and-control (C2) server, a standard method the Lazarus Group uses to relay stolen data back to its operators.
“Lazarus Group’s primary objective is to steal and transmit compromised data without detection. This is particularly threatening in the field of developers building financial and blockchain applications,” says Kirill Boychenko, a threat intelligence analyst at Socket Security.
Moreover, Lazarus Group is suspected of carrying out the largest recorded cryptocurrency theft. On February 21, 2025, attackers attributed to the group breached Bybit, one of the world’s largest crypto exchanges, and made off with an estimated $1.46 billion in crypto assets. The attack was highly sophisticated: it reportedly originated from a compromised machine belonging to a developer at Safe{Wallet}, a technology partner of Bybit, rather than from a flaw in Bybit’s own systems.
By the time Bybit addressed the issue, 20% of the stolen funds had already been laundered through mixing services and rendered untraceable, according to CEO Ben Zhou.
These recent attacks are part of North Korea’s broader strategy to circumvent international sanctions by stealing and laundering cryptocurrency. A 2024 United Nations report stated that North Korean cybercriminals accounted for over 35% of global cryptocurrency thefts over the past year, amassing over $1 billion in stolen assets.
The Lazarus Group’s tactics have evolved over the years, moving from direct exchange hacks to supply chain attacks and now to attacks on developers and software repositories. By seeding backdoored packages on open-source platforms such as npm, PyPI, and GitHub, the group reaches every downstream project that pulls in those packages, widening its reach without having to breach an exchange directly.
In response to this escalating threat, security specialists are urging developers and cryptocurrency users to tighten their practices. Recommended measures include verifying the authenticity of npm packages before installation (checking the exact package name, publisher, download history and repository link rather than trusting a search result), running npm audit, and using dependency-scanning tools such as Socket’s scanner to flag anomalous behaviour in dependencies. Note that npm audit only reports packages with published vulnerability advisories; a freshly registered typosquat with no advisory will pass it, so name and publisher checks remain necessary.
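The following is an added example, not code from the article, from Socket, or from the campaign it describes. It illustrates the pre-install check described above: walk a package.json, flag any dependency whose name is on a block list (here the six package names the article reports), and flag names that look like typosquats of well-known packages, either by stripping a decorative suffix such as "-validator" or "-package" (the pattern the article's package names follow) or by small edit distance. The popular-package list, the suffix list and the sample package.json are all constructed for this example.

```javascript
// Added example: heuristic typosquat triage for a package.json.
// Lists below are constructed for illustration, not an authoritative feed.

// Package names reported by Socket in the article (used as a block list).
const KNOWN_MALICIOUS = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);

// A few widely used packages an attacker might imitate (assumed list).
const POPULAR = new Set([
  "is-buffer", "array-empty", "event-handler", "react", "lodash", "express",
]);

// Decorative suffixes that turn a legitimate name into a look-alike.
const SUFFIXES = ["-validator", "-package", "-dependency", "-utils", "-helper"];

// Standard Levenshtein edit distance (single-row dynamic programming).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Split "is-buffer-validator" into { base: "is-buffer", suffix: "-validator" }.
function stripSuffix(name) {
  for (const suffix of SUFFIXES) {
    if (name.endsWith(suffix) && name.length > suffix.length) {
      return { base: name.slice(0, -suffix.length), suffix };
    }
  }
  return { base: name, suffix: null };
}

// Classify one dependency name. Verdicts: known-malicious, ok,
// typosquat-suspect, unknown. Suspects are triage hints, not proof.
function classify(name) {
  if (KNOWN_MALICIOUS.has(name)) {
    return { name, verdict: "known-malicious", reason: "on block list" };
  }
  if (POPULAR.has(name)) {
    return { name, verdict: "ok", reason: "well-known package" };
  }
  const { base, suffix } = stripSuffix(name);
  if (suffix && POPULAR.has(base)) {
    return { name, verdict: "typosquat-suspect", reason: `"${base}" + "${suffix}"` };
  }
  let best = null;
  for (const p of POPULAR) {
    const d = levenshtein(base, p);
    if (best === null || d < best.d) best = { p, d };
  }
  // Only trust edit distance on names long enough for it to be meaningful.
  if (base.length >= 5 && best.d > 0 && best.d <= 2) {
    return {
      name, verdict: "typosquat-suspect",
      reason: `within edit distance ${best.d} of "${best.p}"`,
    };
  }
  return { name, verdict: "unknown", reason: "not on any list; verify publisher and history" };
}

// Audit every dependency in a package.json string; returns all non-ok entries.
function auditPackageJson(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps).map(classify).filter((r) => r.verdict !== "ok");
}

// Constructed sample manifest: one block-listed name, one near-miss of a
// popular name, one suffix look-alike, and one unlisted but harmless package.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "wallet-dashboard",
  dependencies: {
    "express": "^4.19.2",
    "is-buffer-validator": "^1.0.0",
    "lodahs": "^4.17.21",
    "array-empty-helper": "^0.1.0",
  },
  devDependencies: { "chalk": "^5.3.0" },
});

console.log(JSON.stringify(auditPackageJson(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it with node before `npm install` (or wire it into a pre-install hook). The edit-distance rule will also flag legitimate packages that happen to sit close to a popular name (for example preact next to react), so treat "typosquat-suspect" as a prompt to open the package's registry page and check the publisher, version history and linked repository, not as a verdict.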
Following the Bybit incident, the exchange launched a Recovery Bounty Program offering rewards of up to 10% of any recovered funds. Despite these efforts, defenders warn that the campaign against the cryptocurrency industry is far from over, as the Lazarus Group’s tactics continue to evolve at an alarming pace.