Egidio
Report · 2026

Documented criminal networks: the Lazarus case

Not every fraud is a small operation — some are run by structured groups, named and documented by federal agencies and security firms. Here's one particularly well-tracked case.

Who documents this group

The group known as Lazarus (one of its subgroups is identified as "TraderTraitor") is jointly tracked by several US agencies and security firms, with named, dated public advisories — not rumors.

April 2022
Joint advisory from the FBI, CISA (the US cybersecurity agency) and the US Treasury, attributing TraderTraitor's activity to the Lazarus group.
2023
The US Department of Justice announces the seizure of more than $15 million in crypto assets stolen by the group across four exchanges.
May 2024
Theft of $308 million from the DMM Bitcoin exchange — attributed to TraderTraitor by the FBI and Japan's National Police Agency (NPA).
Late 2024
Theft of $1.5 billion from the Bybit exchange — publicly attributed by the FBI to North Korean TraderTraitor actors.
2025
Microsoft and Google Threat Intelligence / Mandiant document a separate angle: operators posing as fake remote developers or freelance contractors, infiltrating real companies to steal crypto assets or intellectual property.
$1.5B
Theft attributed to the group on the Bybit exchange, late 2024.
FBI, public attribution, late 2024. Accessed 07/14/2026.
$308M
Theft from the DMM Bitcoin exchange, May 2024.
FBI & Japan's National Police Agency (NPA), May 2024. Accessed 07/14/2026.

The method: infiltrate, not just hack

What sets this arm of the group apart is that it doesn't just attack from the outside: operators get hired as real employees or contractors — fake resumes, fake identities, successfully passed interviews — to gain legitimate access to the company's systems. Once inside, they can siphon funds, steal intellectual property, or install malicious tools.

Why this case matters, even without a direct link to your inbox

Most scams an individual receives have no direct link to this particular group. But this case illustrates how structured organized fraud has become: no longer isolated individuals, but networks with documented methods that later spread into more common scams — fake recruiters, social engineering, fake profiles.

🔒 Whether the threat comes from an organized group or a lone scammer, the principle for protecting yourself stays the same: spot the pattern, not just the isolated message. That's exactly what Medusa, Egidio's engine, does. See how it works.

Frequently asked questions

Who documents the Lazarus group's activities?

Named public and private bodies: the FBI, CISA and the US Treasury (joint advisory), the US Department of Justice (seizures), plus Microsoft and Google Threat Intelligence / Mandiant on the company-infiltration side.

How does this group get into real companies?

By posing as remote developers or freelance contractors, with fake profiles and fake identities, to gain legitimate access to the hiring company's systems.

What's the link to the scams an individual receives?

No direct link for most victims of ordinary cold-calling or phishing — but this case illustrates just how structured organized fraud has become as an industry, with techniques (social engineering, fake profiles) that later filter down into more common scams.

Go further