Lazarus Group Targeting AI Models to Enhance Cryptocurrency Theft
The Lazarus Group is targeting AI models through supply chain attacks, contractor misuse, and fraudulent hiring to improve their ability to steal cryptocurrency and fund weapons programs.
Recorded Future reported in April 2026 that the Lazarus Group and other DPRK-linked actors are actively targeting AI models, such as Anthropic’s Claude Mythos, to enhance their cryptocurrency theft operations. The group employs various methods, including exploiting vulnerabilities in third-party contractor environments, fraudulent hiring schemes using fake developer personas on GitHub and LinkedIn, and supply chain attacks like the March 2026 LiteLLM compromise. These efforts aim to improve the efficiency of reconnaissance, social engineering, credential harvesting, and lateral movement during crypto exchange intrusions. The ultimate goal is to increase the amount of cryptocurrency stolen, which is then used to fund North Korea’s weapons programs. This poses a significant threat because even a modest productivity gain in these operations can lead to substantially higher revenues for the DPRK regime.
Attack Chain
- Initial Reconnaissance: The attacker performs reconnaissance on targeted crypto exchanges and AI model providers using open-source intelligence and developer and professional networking platforms such as GitHub and LinkedIn to identify potential targets, including system administrators and developers.
- Social Engineering & Phishing: The attacker crafts spear-phishing emails or fraudulent job offers, impersonating legitimate companies, to target employees at third-party vendors or crypto exchanges, aiming to harvest credentials.
- Credential Harvesting: The attacker uses phishing campaigns and social engineering to harvest credentials, potentially employing AI tools to create more convincing fake personas or phishing emails.
- Initial Access: Using stolen credentials or accounts obtained through a fraudulent-hire persona, the attacker gains initial access to a third-party vendor's environment or directly to the target crypto exchange's network. This can include reaching a cloud-hosted AI model such as Claude Mythos through a compromised contractor account.
- Lateral Movement: Once inside the network, the attacker performs lateral movement, leveraging compromised accounts and exploiting internal vulnerabilities to gain access to sensitive systems, such as Safe{Wallet} systems.
- Key Extraction: The attacker focuses on extracting private keys and other sensitive information necessary to access and transfer cryptocurrency.
- Cryptocurrency Theft: Using the stolen keys, the attacker initiates unauthorized cryptocurrency transfers from the exchange’s wallets to attacker-controlled accounts.
- Money Laundering: The stolen cryptocurrency is laundered through various mixing services and exchanges to obfuscate the source of funds and convert it into usable currency.
Impact
The Lazarus Group's cryptocurrency heists have netted billions of dollars, with estimates exceeding $2 billion in 2025 alone; the Bybit intrusion by itself accounted for approximately $1.5 billion in virtual assets. These funds directly finance North Korea's WMD and ballistic missile programs, undermining international sanctions and posing a significant national security threat. Targeting AI models could make these intrusions more efficient and sophisticated, further increasing the financial resources available for weapons development.
Recommendation
- Implement behavioral monitoring and least-privilege access controls for third-party vendors to mitigate the risk of contractor misuse, as highlighted in the Mythos incident.
- Enhance identity verification processes during hiring, including in-person interviews, to prevent fraudulent hiring schemes, as detailed in the Inside the Scam report.
- Monitor build-pipeline integrity and dependencies to defend against supply chain compromises, referencing the TeamPCP LiteLLM compromise.
- Deploy the Sigma rule “Detect Suspicious Bybit Activity” to monitor for potential malicious activity targeting the Bybit exchange.
- Implement telemetry and canaries within AI preview infrastructure to detect unauthorized access attempts, as recommended by Recorded Future.
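As an added example (not code from Recorded Future, the report, or any AI provider), the following Python script ties the first and last recommendations together: it plants canary API keys where someone abusing contractor access could read them, then scans constructed gateway log lines for any use of those keys and for contractor accounts calling preview endpoints outside a least-privilege allowlist. The log format, endpoint paths, account names and key prefix are all hypothetical.

```python
"""Canary credentials and contractor-scope monitoring for AI preview endpoints.

Added example, not code from Recorded Future or any AI provider. The log
format, endpoint paths, account names and key prefix are all hypothetical.
"""
import re
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set

# A canary is a syntactically valid API key that is never issued to a real
# client. It is planted where someone abusing contractor access would find it
# (an onboarding wiki, a .env file on a laptop). Any use of it is an alert.
CANARY_PREFIX = "sk-cn-"  # hypothetical key format


def make_canary(registry: Dict[str, str], planted_at: str) -> str:
    """Mint a random canary key and record where it was planted."""
    token = CANARY_PREFIX + secrets.token_hex(16)
    registry[token] = planted_at
    return token


# Least-privilege allowlist (hypothetical): the preview endpoints each
# contractor account is approved to call. Anything else is out of scope.
CONTRACTOR_SCOPE: Dict[str, Set[str]] = {
    "ctr-alice": {"/v1/models/public"},
    "ctr-bob": {"/v1/models/public", "/v1/eval/preview"},
}


@dataclass
class Event:
    ts: str
    src: str
    user: str
    key: str
    path: str
    status: int


# Constructed key=value gateway log format; real gateways differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) key=(?P<key>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse(line: str) -> Optional[Event]:
    """Parse one gateway log line; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Event(d["ts"], d["src"], d["user"], d["key"], d["path"], int(d["status"]))


def scan(lines: List[str], canaries: Dict[str, str]) -> List[dict]:
    """Return alerts for canary use and out-of-scope contractor calls."""
    alerts: List[dict] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev.key in canaries:
            # A rejected (401) request still means the key was exfiltrated,
            # so the place it was planted should be treated as compromised.
            alerts.append({"type": "canary_use", "planted_at": canaries[ev.key],
                           **asdict(ev)})
        scope = CONTRACTOR_SCOPE.get(ev.user)
        if scope is not None and ev.path not in scope:
            alerts.append({"type": "scope_violation",
                           "allowed": sorted(scope), **asdict(ev)})
    return alerts


def demo() -> List[dict]:
    """Plant two canaries, then scan constructed log lines."""
    canaries: Dict[str, str] = {}
    wiki_key = make_canary(canaries, "contractor-onboarding-wiki")
    env_key = make_canary(canaries, "staging-.env on ctr-bob laptop")
    logs = [  # constructed sample data
        "2026-04-12T03:10:01Z src=198.51.100.4 user=ctr-alice key=sk-live-aaaa path=/v1/models/public status=200",
        "2026-04-12T03:11:45Z src=198.51.100.9 user=ctr-bob key=sk-live-bbbb path=/v1/eval/preview status=200",
        "2026-04-12T03:12:30Z src=198.51.100.4 user=ctr-alice key=sk-live-aaaa path=/v1/models/frontier-preview status=403",
        "garbage line that should be skipped",
        f"2026-04-12T03:14:07Z src=203.0.113.7 user=- key={wiki_key} path=/v1/models/frontier-preview status=401",
        f"2026-04-12T03:15:22Z src=203.0.113.7 user=ctr-bob key={env_key} path=/v1/models/frontier-preview status=401",
    ]
    return scan(logs, canaries)


if __name__ == "__main__":
    for a in demo():
        print(a["type"], a["user"], a["src"], a["path"], a.get("planted_at", ""))
```

The canary check fires even on a rejected request, because the point is not whether the call succeeded but that a key nobody should have was presented; the `planted_at` label tells the responder which contractor surface to treat as compromised. The scope check is deliberately separate so that a legitimate contractor wandering outside their allowlist is surfaced as a behavioral anomaly rather than silently logged as a 403.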
Detection coverage (2 rules)
- Detect Suspicious Bybit Activity (severity: medium): Detects potentially malicious activity related to Bybit, possibly indicating reconnaissance or post-compromise activity.
- Detect Suspicious LinkedIn Activity Associated with IT Contractors (severity: low): Detects suspicious activity related to LinkedIn, possibly indicating reconnaissance for fraudulent hiring schemes targeting IT contractors.