NEWS $1.4 Billion in Damages and Neural Networks: A 2026 Cyberattack Scenario Involving AI Uncovered

ExcalibuR

Why 2026 could be a turning point for crypto-security, and the role Lazarus Group is set to play.

The North Korean hacker group Lazarus is intensifying targeted phishing attacks on cryptocurrency platforms and private investors, earning hundreds of millions of dollars in the process. According to an AhnLab report, in 2026, threat actors will focus on even more sophisticated spear-phishing campaigns and begin actively using AI, deepfakes, and techniques to bypass security systems.

The Lazarus Group is considered one of the most dangerous cybercriminal groups, responsible for a series of high-profile attacks on the cryptocurrency market. Researchers point to the theft of $1.4 billion from the Bybit exchange on February 21, 2025, and the hack of Upbit resulting in $30 million in damages. In total, thefts exceeding $1.4 billion in the crypto sector alone are attributed to Lazarus, and that is just in recent years. The group is linked to North Korean intelligence services, meaning it has virtually unlimited resources to develop and refine new hacking schemes.

Lazarus's primary weapon is spear-phishing: targeted phishing that differs significantly from mass, generic spam campaigns. Before an attack, the perpetrators research the victim, gathering information from social media, LinkedIn profiles, past correspondence, and public appearances. Based on this data, they forge emails mimicking real invitations to lectures or conferences, job offers, or interview requests. Such emails appear convincing on the surface, containing correct forms of address and details that are hard to dismiss as spam. A single click on a link or an opened attachment is enough for malicious software to infect the device, stealing credentials or giving the attackers access to the corporate network.

The AhnLab report for the period from October 2024 to September 2025 notes that Lazarus was mentioned in 31 analyses of attacks that had already taken place, surpassing other active groups such as Kimsuky (27 mentions) and TA-RedAnt (17 mentions). Lazarus's targets extend far beyond crypto exchanges: financial institutions, IT companies, and even the defense industry are also attacked. Experts emphasize that the human factor, meaning employees and users who trust "believable" emails, plays a decisive role in the success of such operations.

In the crypto environment, such attacks are especially devastating: transactions are irreversible, and asset prices change rapidly. Compromising a wallet, an exchange account, or a platform's internal systems can result in the loss of millions of dollars within minutes. According to AhnLab's observations, Lazarus's resilience is explained not only by its members' skills but also by a constant influx of resources, both technical and financial.

AhnLab stresses that over the past 12 months, Lazarus has consistently maintained its position as one of the primary threats to crypto exchanges. The report states that the Bybit and Upbit incidents alone collectively brought the perpetrators over $1.43 billion. The scenario is often repeated: the victim receives a carefully crafted email, clicks a link, enters their credentials, or launches an attached file, thereby opening a path for the attackers to the exchange's systems or to the victim's own assets.

Against the backdrop of the growth of such attacks, experts increasingly speak of the need for behavioral as well as technical security measures. For regular users, the basic rules remain unchanged: always verify the sender through an independent channel (e.g., via the company's official website or its published contact numbers), enable multi-factor authentication on all services related to cryptocurrency, and encrypt traffic, especially during financial operations. It is also recommended not to click on suspicious links or open attachments from unknown or "overly persistent" contacts, and to keep systems and applications up to date by promptly installing security updates.

A separate set of recommendations concerns protection against spear-phishing in crypto transactions. Experts advise limiting the amount of personal information available online: the less the perpetrators know about your position, habits, and contacts, the harder it is for them to prepare a truly convincing email. In case of any doubt, it is worth verifying the message another way: call the sender, write in a messenger, or contact them through an official support channel, rather than replying directly to a suspicious email.

For organizations, user discipline alone is insufficient; a comprehensive, multi-layered defense is required. AhnLab speaks of the need for regular security audits, strict control over update installation, abandoning outdated systems, and continuous employee training in recognizing phishing and social manipulation. Analysis of incidents in 2025 shows that attackers from Lazarus, Kimsuky, and TA-RedAnt often exploit human error and vulnerabilities in software that has gone unpatched for a long time.

AhnLab specialists also recommend that companies and private users rely only on official software sources, avoid downloading programs from dubious sites, and not open files received from unknown senders. Modern antivirus software and anomaly detection systems help catch unusual activity, from remote access attempts to suspicious crypto wallet operations. At the corporate network level, this can include infrastructure segmentation, a strict access rights system, and monitoring of internal data movements.

A particular concern is the role of artificial intelligence in future attacks. According to AhnLab's forecasts, by 2026, AI will become a standard tool for threat actors: it will be used to mass-generate realistic phishing sites and emails without typical grammatical errors, as well as create numerous variants of malicious code to bypass antivirus software and analysis systems.

Special attention is given to deepfake technologies: video and audio "featuring" company executives, well-known experts, or purported exchange employees could be used to increase trust in fake requests and links. In their report, AhnLab analysts warn that deepfake attacks will evolve to a level where it becomes extremely difficult for victims to distinguish a fake from reality. This heightens the risk of confidential data leaks and makes information protection measures and monitoring of anomalous account and system behavior particularly important.