Mission Type
Financial theft for regime revenue, coercive destruction for political signalling, espionage
Primary Sectors
Operational Period
2009 – present
Attributed Cases
3
TTP Pattern Summary
Lazarus demonstrates unusual operational breadth: destructive wipers (Sony), self-propagating ransomware (WannaCry), and sophisticated financial system manipulation (SWIFT heists). The group frequently exploits trusted third-party relationships and supply chain vectors. Financial operations show deep knowledge of banking settlement systems and cryptocurrency infrastructure.
Behavioural Signature
Lazarus is uniquely driven by financial objectives alongside political ones, reflecting the DPRK's use of cyber operations to fund sanctioned programmes. The group shows high risk tolerance and limited concern for collateral damage, as demonstrated by WannaCry's indiscriminate global spread. Target selection oscillates between high-profile political coercion and systematic financial theft.
Governance Footprint
Subject to US DOJ indictments (Park Jin Hyok, 2018; three additional operatives, 2021), Treasury sanctions, and extensive UN Panel of Experts documentation of DPRK cyber-enabled sanctions evasion. Lazarus operations have been pivotal to debates on state-sponsored financial cybercrime and vulnerability equities.