Lazarus Group Turns South Korea Into a Crypto Crime Battleground
North Korean-linked hackers have turned South Korea into one of crypto’s most active battlegrounds, with the Lazarus Group tied to major exchange breaches, laundering pipelines, and scam networks that keep evolving faster than enforcement can lock them down.
- Lazarus Group linked to 6 of 9 major South Korean exchange hacks
- More than $120 million confirmed stolen
- $7.1 billion in illicit crypto transactions flagged in South Korea
- Hwanchigi, insider infiltration, P2P laundering, and pig-butchering scams all in play
Crystal Intelligence’s South Korea Country Assessment Report paints a blunt picture: South Korea is not just dealing with crypto hacks, but with a full-stack criminal ecosystem built around theft, laundering, fraud, and regulatory whack-a-mole. It’s a nasty mix of hostile state actors, organized laundering networks, and retail scammers who will gladly drain anyone dumb or hopeful enough to take the bait.
Lazarus Group and South Korea’s crypto exchange hacks
According to the report, North Korea’s state-backed Lazarus Group has been linked to six of nine major exchange breaches involving South Korean platforms between 2017 and 2025. Confirmed thefts across those incidents topped $120 million, while total losses were estimated between $196 million and $225 million. One November 2025 exchange attack reportedly caused around $30.4 million in losses and is still under investigation. Earlier examples included a $49 million Ethereum theft in 2019 and a $100 million cross-chain exploit in 2022.
That’s bad enough on its own, but the bigger picture is even uglier. Chainalysis, CertiK, and Elliptic estimated that DPRK-linked hackers stole about $2.02 billion in 2025 alone. That represented nearly 60% of the roughly $3.4 billion stolen across the crypto sector globally that year.
Call it cybercrime if you want, but this has the scale and persistence of a state-backed revenue stream. Sanctions create pressure. Crypto provides an outlet. Bad actors exploit it. Rinse, repeat, and try not to get caught.
One of the more worrying shifts is the move toward insider infiltration. North Korean hackers are increasingly placing IT workers inside exchanges and crypto firms, which means the threat isn’t always a clipboard-and-hoodie outsider smashing at the front door. Sometimes it’s the person already inside the building, badge on, Slack open, and access privileges in hand. Firewalls do not help much when the problem is wearing a company shirt.
Elliptic and Chainalysis also linked the massive Bybit exploit to DPRK actors, estimating losses at $1.46 billion to $1.5 billion. If that attribution holds, it ranks among the largest digital thefts ever recorded. For anyone still insisting crypto crime is just a fringe issue, the numbers have already carried that argument out back and buried it.
Why South Korea is such a juicy target
South Korea has a large, active crypto market and a dense exchange ecosystem, which makes it attractive to thieves and launderers alike. The country also enforces some of the strictest compliance rules in the region, which sounds great on paper and does help reduce casual abuse. But strict rules can also push criminal activity into more creative channels. Criminals, as always, are not known for their respect for policy memos.
The report says South Korea saw $7.1 billion in illegal crypto transactions between 2021 and August 2025. Of that, $6.4 billion was tied to Hwanchigi, a cross-border laundering structure that moves money into crypto offshore, through South Korean exchanges, and then cashes out in won.
Hwanchigi is difficult to track because it spreads funds across multiple jurisdictions and often relies on nominee-controlled accounts. In plain English, that means the real owner hides behind someone else’s name, which adds layers of confusion for investigators and compliance teams trying to follow the money trail.
South Korean customs authorities dismantled a $113 million Hwanchigi network in January 2026 after a four-year probe, which gives a sense of how entrenched these systems can become before they’re finally torn down. In another case, two Russian nationals were allegedly involved in processing more than 6,000 transactions worth $42 million. Different players, same dirty job: move illicit money without leaving a clean trail.
Crystal Intelligence also reviewed 247 P2P ads across four platforms in March 2026 and found settlement methods using Alipay, Wise, Western Union, and M-Pesa. These channels operate outside South Korea’s real-name verification rules, which makes tracing much harder.
P2P laundering refers to person-to-person trading that bypasses some of the controls used by regulated exchanges. It’s one of those methods that looks simple until you realize it’s basically a criminal’s favorite shortcut around compliance.
Monero appeared in several listings and was flagged as high-risk for laundering. That does not make privacy tools inherently bad. Privacy is a legitimate feature, not a felony. But when you’re trying to hide dirty money, a privacy coin can become the digital equivalent of slipping out the back door while everyone’s distracted by the fire alarm.
When crypto crime goes offline
Not all of this activity happens on-chain. Telegram and Instagram channels were used to arrange large in-person cash crypto trades in Seoul districts including Gangnam, Yeoksam, and Seocho. That’s a reminder that crypto crime is not always some abstract blockchain problem floating in the cloud. A lot of it is still old-fashioned cash, human coordination, and bad intentions with a smartphone.
The report also shows how the scam economy feeds the same ecosystem. Pig-butchering scams caused $70.6 million in losses in 2025 across 1,565 incidents, up 48% from the previous year.
Pig-butchering is a long-con fraud where criminals build trust over time before steering victims into fake crypto investments and draining them. The name is grotesque because the scam is grotesque: the victim is “fattened up” emotionally before being stripped clean. It’s manipulative, patient, and depressingly effective.
About 1,000 South Koreans were linked to scam compounds in Cambodia, Myanmar, and Laos. In January 2026, 73 South Korean nationals were repatriated from a deepfake-driven fraud operation that allegedly targeted more than 860 victims and stole around $33 million. Another 64 nationals were repatriated from Cambodia in October 2025.
Deepfakes have made the scam machine even uglier. Fake faces, fake voices, fake authority — all wrapped up in a convincing enough package to shove victims deeper into the trap. It’s the same old confidence game, just with better graphics and less shame.
South Korea’s regulatory response
South Korea has not exactly sat on its hands. Virtual asset service providers must register with the Korea Financial Intelligence Unit and maintain real-name verified bank accounts connected to domestic banks. That framework is meant to make laundering more difficult by tying exchange activity to identified bank accounts instead of anonymous ones.
“All virtual asset service providers must register with the Korea Financial Intelligence Unit and maintain real-name verified accounts connected to domestic banks.”
In March 2026, the Korea Financial Intelligence Unit imposed a $24.6 million fine and a six-month partial suspension over more than 6.65 million alleged anti-money laundering violations. Then in May 2026, the Seoul Administrative Court overturned the suspension.
That reversal highlights a familiar tension. Regulators want tougher controls. Courts want due process. Markets want freedom. Criminals want all the loopholes. Welcome to the party.
Stronger compliance rules absolutely help. They force exchanges to tighten controls, raise the cost of sloppy abuse, and reduce the easy routes for low-effort criminals. But they are not a magic shield. Criminal networks adapt by using offshore settlement, insiders, P2P markets, nominee accounts, privacy coins, and social platforms that sit outside the standard compliance perimeter.
The real lesson for crypto
South Korea has become a case study in what happens when state-backed hackers, laundering syndicates, and retail scammers all converge on a highly active crypto market. Blockchain transparency is powerful, but it is not magical. Tracing tools can uncover a lot. Customs probes matter. AML rules matter. Real-name verification matters. None of it is enough on its own if the human layer keeps getting exploited.
The uncomfortable truth is that crypto security is not only about code. It is also about personnel, incentives, jurisdictional arbitrage, and plain old greed. If someone can steal funds, move them across borders, split them through nominee accounts, and cash out through informal channels, then the chain may be public, but the crime is still very much alive.
That’s the hard edge of decentralization: it gives people freedom, but it also gives criminals room to maneuver. The technology is not the villain. The villain is the state-backed hacker, the laundering middleman, the scammer running a fake romance, and the “trusted insider” who turns out to be anything but.
- What is Lazarus Group doing in South Korea?
It has been tied to most major South Korean exchange breaches since 2018, targeting platforms for theft and access.
- How serious is North Korea’s crypto theft operation?
Extremely serious. DPRK-linked hackers were estimated to have stolen about $2.02 billion in 2025, making them one of the biggest threats in global crypto crime.
- What is Hwanchigi?
It is a cross-border laundering method that moves money into crypto offshore, routes it through South Korean exchanges, and cashes out in won.
- Why is this laundering so hard to stop?
It uses multiple jurisdictions, nominee-controlled accounts, and P2P channels that can fall outside normal exchange oversight.
- Are scams a major part of the problem?
Yes. Pig-butchering scams, deepfake fraud, and offshore scam compounds are a major and growing part of South Korea’s crypto crime problem.
- Does real-name verification solve the issue?
No. It helps, but criminals still exploit insiders, offshore services, privacy coins, and informal trade channels.
- What does this mean for crypto users?
It’s a reminder to treat custody, counterparties, and platform risk seriously. Bad actors do not care whether the tech is elegant if they can still steal the money.