Lazarus Group Surpasses Tesla in Bitcoin Holdings

In a move that has sent ripples through the global cybersecurity and cryptocurrency landscapes, the Lazarus Group—North Korea’s state-backed cybercrime unit—now holds more Bitcoin than Elon Musk’s Tesla. The revelation, backed by data from blockchain analytics firm Arkham Intelligence, underscores an uncomfortable truth: the world’s most notorious hackers are amassing more digital wealth than some of the biggest names in tech.
Lazarus Hits 13,441 BTC
The Lazarus Group currently holds 13,441 Bitcoin (BTC), with an estimated value of $1.14 billion. These holdings place the group among the three largest known holders of Bitcoin globally, trailing only MicroStrategy and Bitfinex.
In comparison, Tesla holds 11,509 BTC, valued at approximately $1.1 billion as of February 2025. Tesla’s initial $1.5 billion investment in Bitcoin, made in early 2021, was a defining moment for institutional crypto adoption. However, Tesla has gradually reduced its holdings over time, while Lazarus has done the opposite, amassing more through illicit means.
That a sanctioned cybercrime group now outranks a publicly traded tech company in Bitcoin reserves is a sobering reality of today’s digital landscape.
Bybit Hack: The Largest Crypto Heist in History
The Lazarus Group’s sudden leap in BTC holdings ties directly to a $1.5 billion hack targeting Bybit, a major cryptocurrency exchange, in February 2025.
As reported in detail on The Review Hive, the group extracted billions in Ethereum (ETH) and rapidly began converting the stolen ETH into Bitcoin via obfuscated transaction chains. The laundering process involved decentralized exchanges, cross-chain bridges, and crypto mixers—leaving just enough trace to confirm their involvement.
This hack has overtaken all previous cryptocurrency thefts in scale, surpassing the 2014 Mt. Gox and 2018 Coincheck breaches.
Cryptocurrency: A Lifeline for Sanctioned States
Lazarus isn’t a rogue gang; it’s part of a state-sponsored network under North Korea’s Reconnaissance General Bureau. According to reports from the Federal Bureau of Investigation (FBI) and the United Nations (UN), crypto thefts by Lazarus are directly used to fund North Korea’s nuclear weapons and ballistic missile programs.
UN estimates suggest North Korea has generated more than $3.3 billion in crypto assets since 2017, with over $1.7 billion stolen in the past 18 months alone.
The Lazarus Group’s crypto operations reflect a clear shift in state-level cyberwarfare tactics. Digital assets have become a strategic economic weapon for regimes isolated by global sanctions.
Beyond the Exchange: Android Spyware and Social Engineering
Lazarus’ tactics go beyond financial platforms. In early 2025, the group also deployed advanced spyware-laced Android apps disguised as tools on the Google Play Store, a strategy aimed at gathering intelligence on crypto users and developers.
These deceptive apps, detailed in our analysis of North Korean Android spyware, allowed Lazarus to target specific individuals for further exploitation. The spyware campaign leveraged social engineering and impersonation of legitimate crypto startups to infiltrate user devices undetected.
This multi-layered attack strategy—combining large-scale heists with individualized surveillance—reveals how far-reaching and methodical their operations have become.
Holding, Not Cashing Out
Unlike conventional hackers who often liquidate stolen assets quickly, Lazarus takes a more strategic approach. The group is known to hold on to large portions of stolen crypto, allowing assets to appreciate or be used at key moments.
By choosing to convert to and store Bitcoin, Lazarus taps into the most liquid and globally accepted cryptocurrency—making it harder to freeze and easier to leverage on a global scale.
Their crypto wallets reflect long-term on-chain activity, with periodic movement to fresh wallets or crypto mixers, indicating a strong understanding of blockchain forensics and a long-game mindset.
Why Current Security Standards Aren’t Enough
This event has highlighted the inadequacies in current cybersecurity and regulatory frameworks. While exchanges like Bybit have ramped up their internal monitoring, Lazarus’ success points to systemic issues in how digital assets are secured and traced.
Global regulators, including the Financial Crimes Enforcement Network (FinCEN) and the Financial Action Task Force (FATF), are again calling for tighter Know Your Customer (KYC) and Anti-Money Laundering (AML) policies, greater wallet transparency, and increased international cooperation. However, enforcing such measures across decentralized platforms and offshore exchanges remains an enormous challenge.
Cybercriminals exploit these jurisdictional blind spots, creating an environment where state-backed hackers can operate with relative impunity.
The Stakes Are No Longer Just Financial
The Lazarus Group holding more Bitcoin than Tesla is not just an alarming statistic—it’s a warning.
Digital assets have become a viable tool in modern geopolitical warfare. When a sanctioned regime’s cyber-arm becomes a top-3 Bitcoin whale, it forces us to reconsider the current structure of the crypto ecosystem.
Exchanges, decentralized finance (DeFi) protocols, and custodial services must invest in real-time threat intelligence, stronger user verification, and artificial intelligence (AI)-assisted anomaly detection. The margin for error is shrinking as cyber threats continue to evolve.
To Sum Up
The Lazarus Group’s position as one of the world’s largest Bitcoin holders is both an astonishing and disturbing development. It symbolizes the blurred lines between crime, statecraft, and finance in the digital age.
If the crypto industry doesn’t rapidly advance its defenses, it risks becoming the battleground for the next generation of cyber warfare, where power is measured not in tanks or satellites—but in Bitcoin.