Flash Briefing | high | Finance | Legal & Professional

Lazarus Group Extends Cryptocurrency Targeting to UK Exchanges and Law Firm Custodians

North Korea’s Lazarus Group — operating under direction of the Reconnaissance General Bureau (RGB) — has expanded its UK targeting footprint to include FCA-regulated cryptocurrency exchanges and the legal and compliance firms that service them. The campaign combines direct theft from exchange hot wallets with intelligence collection from law firms holding privileged information about digital asset clients, regulatory proceedings, and custody arrangements.

Cryptocurrency Exchange Targeting

Lazarus Group stole an estimated $1.7 billion in cryptocurrency in 2024 alone, according to Chainalysis. Their targeting methodology has been extensively documented under the FBI’s “TraderTraitor” campaign designation and involves a consistent approach:

LinkedIn social engineering. Employees at cryptocurrency exchanges are approached with unsolicited job offers from fake recruiters. The initial conversation is professionally credible; the “technical assessment” or shared document delivered mid-process contains malware. Victims are typically developers, engineers, or compliance staff with access to internal systems or private keys.

Trojanised development tools. Lazarus routinely delivers malware concealed within GitHub repositories, npm packages, or Docker images shared as part of a fake hiring or collaboration process. Developer targets with high system access are prioritised.

Hot wallet drain via compromised admin access. Once inside an exchange’s infrastructure, the group moves rapidly to enumerate key management systems and multi-sig wallet configurations. The Bybit exchange theft in February 2025 — $1.5 billion, the largest single cryptocurrency theft on record — was attributed to Lazarus and executed through exactly this pattern via a compromised Safe{Wallet} developer.

Law Firm Targeting

UK law firms providing legal services to cryptocurrency exchanges represent a secondary but strategically valuable target. Services in scope include:

  • FCA authorisation support — firms with visibility over regulatory applications hold information about exchange owners, beneficial shareholders, and operational structures
  • Litigation and enforcement matters — firms acting in crypto-related disputes or regulatory investigations hold sensitive counterparty information
  • Custody and compliance advisory — firms providing custody structure advice hold information about key management and asset protection arrangements

Lazarus collection from law firms focuses less on immediate financial theft and more on building an intelligence picture of target exchange operators and their vulnerabilities.

UK Regulatory Context

The FCA’s expanded cryptocurrency regulatory regime — covering a broader set of digital asset activities following the Financial Services and Markets Act 2023 — means more UK-based exchanges are operating under formal oversight. This creates a larger and more concentrated pool of regulated targets.

FCA-authorised exchanges are required to maintain cyber security standards consistent with FCA guidance. Law firms advising them are in scope of SRA guidance on cyber security in high-risk practice areas.

  • Warn technical and compliance staff about TraderTraitor job offer lures. Brief specifically on unsolicited LinkedIn outreach with technical assessments. This is not generic phishing — it is a highly targeted, credible social engineering campaign.
  • Isolate key management systems. Environments hosting private keys or multi-sig coordination should be segregated from general corporate infrastructure and subject to the most stringent access controls.
  • Apply code provenance controls. Review processes for accepting external code contributions, npm packages, or developer tooling. Require integrity verification before execution.
  • Law firms: treat cryptocurrency client files as high-risk. Apply enhanced access controls and monitoring to matters involving digital asset clients, particularly those with FCA regulatory dimensions.
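
One way to apply the "integrity verification before execution" control to an npm project received from an outside party, as an added example that is not part of the original briefing: the function below audits a parsed package-lock.json (lockfileVersion 2 or 3) and reports dependencies with missing or weak integrity hashes, tarballs resolved outside an approved registry, and packages that run install scripts. The function name, the allowed-host list and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example, not from the briefing: audit a parsed package-lock.json
// (lockfileVersion 2 or 3) before running `npm ci` on code from an outside party.
// ASSUMPTION: the only approved registry host is registry.npmjs.org.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

function auditLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project, workspace links
    const add = (rule, detail) => findings.push({ package: path, rule, detail });
    // 1. Each tarball needs a pinned sha512 integrity hash.
    const hashes = (entry.integrity || "").split(/\s+/).filter(Boolean);
    if (hashes.length === 0) add("missing-integrity", "no hash pinned");
    else if (!hashes.some((h) => h.startsWith("sha512-")))
      add("weak-integrity", hashes[0].split("-")[0]);
    // 2. Tarballs must come from an approved registry over HTTPS.
    let url = null;
    try { url = new URL(entry.resolved); } catch (_) { /* absent or unparsable */ }
    if (!url || url.protocol !== "https:" || !allowedHosts.has(url.hostname))
      add("untrusted-source", String(entry.resolved));
    // 3. Lifecycle scripts execute at install time; hold for human review.
    if (entry.hasInstallScript) add("install-script", "runs code during install");
  }
  return findings;
}

// Constructed sample lockfile; package names and hashes are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "take-home-assessment", version: "1.0.0" },
    "node_modules/example-ok": {
      resolved: "https://registry.npmjs.org/example-ok/-/example-ok-1.2.3.tgz",
      integrity: "sha512-Y29uc3RydWN0ZWQ=",
    },
    "node_modules/example-git": {
      resolved: "git+ssh://git@git.example/someone/example-git.git#0123abc",
    },
    "node_modules/example-hook": {
      resolved: "https://registry.npmjs.org/example-hook/-/example-hook-2.0.0.tgz",
      integrity: "sha1-Y29uc3RydWN0ZWQ=",
      hasInstallScript: true,
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.package}: ${f.rule} (${f.detail})`);
}
```

Pass the function the result of `JSON.parse` on the lockfile contents, and install with `npm ci --ignore-scripts` in an isolated environment until every flagged package has been reviewed.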