Skip to main content

Cold Wallet Security Crisis: How Lazarus Group's Month-Long Preparation Attacks Are Defeating Crypto's Strongest Defenses

· 9 min read
Dora Noda
Dora Noda
Software Engineer

Your cold wallet is not as safe as you think. In 2025, infrastructure attacks — targeting private keys, wallet systems, and the humans who manage them — accounted for 76% of all stolen cryptocurrency, totaling $2.2 billion across just 45 incidents. The Lazarus Group, North Korea's state-sponsored hacking unit, has perfected a playbook that renders traditional cold storage security almost meaningless: month-long infiltration campaigns that target the people, not the code.

The Shift Nobody Saw Coming: From Code Exploits to Human Exploits

For years, the crypto industry poured billions into smart contract audits, formal verification, and bug bounties. The assumption was simple: secure the code, secure the funds. But while developers hardened on-chain logic, attackers pivoted to a far softer target — the humans operating the infrastructure.

According to TRM Labs' 2026 Crypto Crime Report, attack vectors underwent a structural shift in 2025. Infrastructure attacks — compromises of private keys, seed phrases, wallet orchestration systems, privileged access, and front-end interfaces — drove $2.2 billion in losses across 45 incidents, averaging approximately $48.5 million per incident. Smart contract exploits, once the dominant threat, became secondary.

North Korean hackers led this transformation. The Lazarus Group (also known as TraderTraitor) stole $2.02 billion in cryptocurrency in 2025, a 51% year-over-year increase, despite conducting 74% fewer known attacks. The math is chilling: fewer operations, vastly larger payoffs, and a strategic focus on cold wallet infrastructure at centralized exchanges.

Anatomy of a Month-Long Attack: The Bybit Case Study

The February 2025 Bybit heist — $1.5 billion in ETH stolen in a single operation — is the definitive case study in how Lazarus Group compromises cold wallets. The attack was not a hack in the traditional sense. It was a carefully orchestrated supply chain infiltration that unfolded over weeks.

Phase 1: Social Engineering the Supply Chain

Lazarus did not target Bybit directly. Instead, they identified a developer at Safe{Wallet} (formerly Gnosis Safe), the third-party multisig platform Bybit relied on for cold wallet management. Using social engineering — likely a combination of fake job offers, investment pitches, and prolonged professional conversations — the attackers compromised the developer's workstation.

Phase 2: Credential Harvesting and Lateral Movement

Once inside the developer's machine, the attackers extracted AWS session tokens, bypassing multi-factor authentication entirely. They moved laterally into Safe{Wallet}'s AWS infrastructure, gaining access to the deployment pipeline that served the wallet's user interface to clients like Bybit.

Phase 3: UI Manipulation and Transaction Hijacking

With access to the deployment system, Lazarus injected malicious JavaScript into the Safe{Wallet} interface. When Bybit CEO Ben Zhou initiated what appeared to be a routine cold-to-hot wallet transfer, the manipulated UI displayed a legitimate-looking transaction. Behind the scenes, the code redirected over 400,000 ETH to Lazarus-controlled wallets. All multisig signers approved the transaction — they had no way to detect the manipulation through the compromised interface.

Phase 4: Rapid Laundering

Within 48 hours, at least $160 million of the stolen funds were laundered through THORChain and "Chinese laundromat" OTC networks — professionalized underground brokers that absorb stolen assets and settle off-chain.

The Preparation Playbook: Weeks of Invisible Reconnaissance

What makes Lazarus Group uniquely dangerous is the patience and depth of their preparation. The FBI's Internet Crime Complaint Center (IC3) has documented their methodology in detail.

Fake Recruiters and Extended Social Engineering

Lazarus operatives create polished LinkedIn profiles posing as recruiters, venture capitalists, or potential business partners. They engage targets in conversations that stretch over weeks, conducting fake pitch meetings and due diligence calls. During these interactions, they ask detailed questions about internal systems, security practices, and infrastructure workflows — quietly mapping out where access might be weakest.

Infiltration Through Employment

In 2024, more than a dozen crypto companies were infiltrated by North Korean hackers who posed as legitimate IT workers to gain access to internal systems. These operatives used fake identities to land remote positions at tech and crypto firms, earning salaries that funded the regime while gathering intelligence for future attacks.

AI-Enhanced Deception

Since at least October 2024, Lazarus has integrated AI-driven techniques into their operations. AI-generated content and images enhance the credibility of fake websites and social profiles. Deepfake technology enables impersonation during video calls. AI-crafted phishing messages are highly personalized, referencing specific projects and internal terminology that only someone with insider knowledge would use.

Developer Environment Compromise

Lazarus frequently distributes malware through fake "coding tests" or compromised npm packages. Once a developer's workstation is compromised, the attackers extract SSH keys, browser cookies, cloud tokens, and session credentials to move laterally through infrastructure systems. In one campaign, a zero-day Chrome vulnerability was exploited through a legitimate-looking gaming website to deploy malware targeting crypto developers.

Why Cold Wallets Are Not Enough

The Bybit attack exposed a fundamental misconception: cold storage is a technology, but security is an operational problem. A cold wallet with keys stored offline is only as secure as the signing workflow, the interfaces used to construct transactions, the humans who approve them, and the supply chain of software they depend on.

The Multisig Illusion

Traditional multisig wallets like Safe{Wallet} require multiple signers to authorize a transaction — creating the appearance of robust security. But if all signers interact with the same compromised interface, multisig provides no additional protection. The Bybit attackers did not need to steal private keys. They only needed to make legitimate signers approve a malicious transaction.

Supply Chain Dependencies

Centralized exchanges rely on third-party wallet providers, cloud infrastructure, signing services, and deployment pipelines. Each dependency is an attack surface. Lazarus Group specifically targets these upstream providers because compromising one developer at a wallet provider can unlock access to billions of dollars across multiple exchanges.

The New Hire Vulnerability

Research from Keepnet Labs shows that new employees are 44% more likely to fall victim to phishing during their first 90 days. In the fast-moving crypto industry, where hiring is aggressive and onboarding often rushed, this creates a persistent vulnerability that Lazarus actively exploits.

The Industry's Response: From Multisig to MPC

The Bybit heist forced a reckoning. Most top-tier exchanges have now migrated or are actively migrating from traditional multisig wallets to Multi-Party Computation (MPC) technology.

How MPC Changes the Game

MPC splits private keys into multiple encrypted shards distributed across separate parties and environments. Unlike multisig, the complete key never exists in any single location — not even during the signing process. This architecture makes the "UI spoofing" and "ice phishing" techniques used by Lazarus nearly impossible to execute.

Key advantages of MPC for cold wallet security include:

  • No single point of compromise: Key shards are generated and stored independently, so compromising one party does not expose the full key
  • Seedless recovery: Eliminates the seed phrase vulnerability that attackers frequently target
  • Key rotation without address changes: Allows regular key refresh without disrupting blockchain addresses
  • Hardware-backed enforcement: When combined with HSMs (Hardware Security Modules), signing operations occur within tamper-resistant hardware that wipes secrets upon physical breach

The HSM Layer

Enterprise-grade implementations combine MPC with HSMs certified under FIPS 140-2 and -3. These devices never expose private keys to external memory, enforce rate limits on signing velocity (for example, capping withdrawals at 1,000 BTC per hour), and maintain audit-ready logs of every key operation. IBM's Offline Signing Orchestrator (OSO) exemplifies this approach, keeping private keys and signing processes entirely offline while supporting hot, warm, and cold operational tiers.

The Hybrid Future

The emerging consensus points toward hybrid architectures: MPC for institutional custody and key distribution, TEE (Trusted Execution Environments) for user-facing operations, and HSMs for the most security-critical signing workflows. Account abstraction further decouples signers from accounts, enabling multi-level approval workflows that mirror traditional corporate governance.

Defensive Strategies for 2026

The FBI, Chainalysis, and leading security firms have converged on a set of defensive recommendations:

Operational Security

  • Implement strict access controls and infrastructure segmentation so that compromising one system does not grant access to signing infrastructure
  • Require transaction approvals from multiple parties across physically separated, unconnected networks
  • Enforce hardware-backed authentication (YubiKey or similar) — never SMS or app-based 2FA for privileged operations
  • Schedule quarterly security reviews and apply patches immediately upon release

Human Layer Defenses

  • Adopt "radical skepticism" as policy: assume every unsolicited message is a potential social engineering attempt
  • Extend onboarding security training, particularly during the first 90 days when employees are most vulnerable
  • Verify all communications through established internal channels — never act on requests received through external messaging platforms
  • Do not store seed phrases, private keys, or wallet credentials on any internet-connected device

Supply Chain Hardening

  • Audit and monitor all third-party wallet providers, signing services, and deployment pipelines
  • Implement code signing and integrity verification for all software in the transaction workflow
  • Restrict access to sensitive code repositories, network documentation, and infrastructure configurations
  • Use dedicated, air-gapped machines for transaction signing — computers that have never been connected to the internet

Insurance and Recovery Planning

  • Obtain crypto-specific insurance for digital assets (major custodians now offer coverage ranging from $100 million to $1 billion)
  • Maintain incident response plans that account for supply chain compromises, not just direct breaches
  • Monitor blockchain analytics for anomalous transaction patterns that could indicate compromised signing workflows

The Arms Race Ahead

Looking into 2026, security experts warn that the threat landscape will intensify. AI-enhanced social engineering is becoming more automated and convincing. Phishing-as-a-service tools drove a 1,400% year-over-year surge in impersonation scams. North Korean operatives are expanding beyond centralized exchanges into decentralized finance and privacy coins.

The uncomfortable truth is that the crypto industry's security model has been backward. It spent years fortifying code while leaving humans — the actual attack surface — relatively unprotected. The Lazarus Group's month-long preparation attacks prove that security is not a product you buy. It is an ongoing operational discipline that must encompass every person, process, and dependency in the chain between a private key and a signed transaction.

The exchanges that survive the next Bybit-scale attack will be those that treat their signing infrastructure as a military-grade operation: compartmentalized access, zero-trust verification, hardware-enforced limits, and the assumption that every human in the chain is a potential point of compromise — not because they are untrustworthy, but because they are human.

Building secure blockchain infrastructure requires enterprise-grade reliability at every layer. BlockEden.xyz provides high-availability RPC endpoints and API services across 20+ blockchain networks, with the operational security and monitoring that institutional applications demand. Explore our API marketplace to build on infrastructure designed for resilience.

Share on Twitter