APT38 — Bluenoroff
Executive Profile (BLUF)
APT38 — commonly referred to under the Kaspersky-origin name Bluenoroff — is the financial-crime specialist sub-cluster of the Lazarus Group umbrella, operating under the Reconnaissance General Bureau (RGB)’s 3rd Bureau (Lab 110, the unit historically known as Bureau 121). Mandiant’s October 2018 report “APT38: Un-usual Suspects” was the analytic act that separated the financial cluster from the broader Lazarus body on the basis of unique tooling, distinctive operational tempo, and a singular mission: hard-currency generation for the sanctioned DPRK state.
On September 13, 2019, OFAC formally designated Bluenoroff alongside Lazarus and Andariel as a sanctioned sub-component of the Reconnaissance General Bureau (RGB) (Treasury press release sm774), citing in plain text that the group “was formed by the North Korean government to earn revenue illicitly in response to increased global sanctions.” Mandiant assesses APT38 has operated against banks in at least 38 countries. The cluster is responsible for the SWIFT-fraud campaign of 2014–2019 — including the Bangladesh Bank heist of February 2016 — and from 2020 forward pivoted decisively to the cryptocurrency ecosystem, where its activity overlaps with the TraderTraitor behavioural cluster tracked by CISA (AA22-108A).
MITRE ATT&CK tracks the group as G0082.
Organizational Structure / Parent Hierarchy
[[Reconnaissance General Bureau (RGB)]]
└── 3rd Bureau — Foreign Intelligence / Technical
    └── Lab 110 (ex-Bureau 121, per Mandiant 2023 lineage update)
        └── APT38 / Bluenoroff — financial-crime specialist sub-cluster
Parent umbrella: Lazarus Group (analytic umbrella; not a single unit — see that note). Direct organisational parent: Reconnaissance General Bureau (RGB) / 3rd Bureau / Lab 110.
Naming taxonomy:
| Source | Name |
|---|---|
| Mandiant | APT38 |
| Kaspersky GReAT (originator) | Bluenoroff |
| CrowdStrike | STARDUST CHOLLIMA |
| Microsoft (current, weather taxonomy) | SAPPHIRE SLEET |
| Microsoft (legacy) | (subset of ZINC) |
| Secureworks | NICKEL GLADSTONE |
| Treasury (OFAC) | Bluenoroff (designated Sept 13, 2019) |
| MITRE ATT&CK | G0082 |
| CISA behavioural cluster (crypto-era) | TraderTraitor (AA22-108A) |
APT38 / Bluenoroff is best understood as the revenue-mission specialisation within Lab 110. Where the broader Lazarus Group umbrella encompasses destruction, espionage, and revenue, APT38 is specifically the unit whose tooling, victimology, and operational tempo are calibrated to large-scale financial fraud. This boundary justified its separation from the umbrella in Mandiant’s 2018 analytic taxonomy and OFAC’s distinct designation in 2019.
Mission & Targeting
Singular mission: earn hard currency for the DPRK state at scale, outside the formal financial system the regime is sanctioned out of.
Two operational eras:
- SWIFT era (2014–2019) — Targeted central banks, commercial banks, and SWIFT-connected financial institutions in at least 38 countries, with concentrations in South and Southeast Asia, Latin America, and Africa. Selection logic: banks with SWIFT terminals, weaker security maturity, and accessible USD nostro accounts.
- Cryptocurrency era (2020 onward) — Pivoted after SWIFT-community hardening (post-2017 Customer Security Programme) made the bank-fraud chain progressively less productive. Targets: centralised exchanges (Bybit 2025, KuCoin 2020, Coincheck 2018 attributed in some assessments), DeFi bridges (Ronin 2022, Harmony Horizon 2022), retail wallets via AppleJeus-style trojanised trading apps, and crypto-firm employees via Lazarus Group-shared “Dream Job” lures.
Targeting tradecraft features:
- Heavy reconnaissance of victim institution’s SWIFT operator workflows, message-validation steps, and reconciliation procedures.
- Pre-positioned access (sometimes for months) before transaction execution.
- Coordinated execution against weekend / holiday windows to delay anti-fraud response.
- Cover-track tooling specifically designed to disrupt SWIFT logs and printer outputs at the victim institution.
Capabilities & TTPs
SWIFT-era specialised tooling (Mandiant, BAE Systems, Symantec post-Bangladesh forensics):
- EVTDIAG — manipulator of SWIFT Alliance Access transaction database.
- MSOUTC — secondary monitoring/manipulation tooling.
- MSDELETE — selective log-deletion against SWIFT message stores.
- DRIDEX-pattern droppers, custom loaders, and victim-network reconnaissance scripts.
- Printer-disabling components — to suppress the paper audit trail the Bangladesh Bank SWIFT terminal would otherwise have generated (a tradecraft signature: APT38 understood the analog-control layer of the victim’s anti-fraud posture).
Crypto-era tooling:
- AppleJeus — multi-generation trojanised cryptocurrency trading applications (Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio); cross-platform (Windows and macOS).
- TraderTraitor activity (CISA AA22-108A) — trojanised crypto apps for engineer-targeting at exchanges and DeFi firms.
- RustBucket, KandyKorn — macOS post-exploitation toolchains (some attribution shared with Lazarus core).
- Smart-contract exploitation — Ronin Bridge validator-key compromise; Harmony Horizon multi-sig compromise.
Tradecraft features:
- Patience and pre-positioning — Bangladesh Bank operators were inside the network from approximately January 2015, executed in February 2016: roughly a year of dwell.
- Mission-specific OPSEC discipline degrades under operational time pressure — the Bangladesh Bank operation’s tradecraft errors (typo on “Jupiter” routing, printer-disabling mechanism partially failing, RCBC casino laundering chain) materially aided downstream attribution.
- Laundering infrastructure — Casino-based money-laundering chains (RCBC / Solaire / Eastern Hawaii Leisure, Philippines 2016), and in the crypto era: mixers (notably Tornado Cash, now sanctioned), cross-chain bridges, and OTC brokers including Hong Kong-based facilitators sanctioned by Treasury (multiple 2023–2024 actions).
- Initial access via spear-phishing of bank and exchange employees, watering-hole compromise of finance-industry sites, and shared use of Lazarus Group “Dream Job” LinkedIn lures (notably the Ronin attack vector).
Major Operations (table)
| Date | Operation | Impact | Confidence |
|---|---|---|---|
| Dec 2015 | Banco del Austro (Ecuador), TPBank (Vietnam) attempts | Early SWIFT-fraud attempts; ~$12M and aborted ~$1.36M respectively | High (Mandiant, victim disclosure) |
| Feb 2016 | Bangladesh Bank heist | $81M successfully transferred of $851M attempted; $850M payments blocked or recovered. Laundered through Philippine RCBC and casinos | High (DOJ 2021 indictment, Mandiant, BAE) |
| Oct 2017 | Far Eastern International Bank, Taiwan | ~$60M attempted; most recovered | High (Mandiant) |
| Jan 2018 | Bancomext, Mexico | Attempted SWIFT fraud; defended | High (Mandiant) |
| May 2018 | Banco de Chile MBR-Killer | Wiper used as decoy for ~$10M SWIFT fraud | High (Mandiant, victim disclosure) |
| Aug 2018 | Cosmos Bank, India | ATM cash-out ( | High (CISA FASTCash advisory) |
| 2018 onwards | FASTCash ATM operations (CISA AA18-275A) | Switch-application compromise enabling fraudulent ATM withdrawals across multiple countries | High (CISA, FBI) |
| Sept 2019 | OFAC designation (sm774) | Bluenoroff sanctioned alongside Lazarus and Andariel | High (Treasury) |
| Feb 2021 | DOJ indictment — Jon Chang Hyok, Kim Il, Park Jin Hyok | Aggregate $1.3B scheme | High (DOJ) |
| 2020–2022 | AppleJeus campaigns (multiple) | Trojanised crypto trading apps; cross-platform; retail and institutional victims | High (CISA AA21-048A, Kaspersky) |
| Mar 2022 | Ronin Bridge (Axie Infinity), ~$620M | Attributed by Treasury to Lazarus broadly; on-chain forensics consistent with Bluenoroff-cluster activity | High (Treasury, Chainalysis) |
| Apr 2022 | CISA AA22-108A — TraderTraitor | Public advisory on DPRK trojanised crypto apps; aligns to Bluenoroff financial-crime mission | High (CISA, FBI, Treasury) |
| Jun 2022 | Harmony Horizon Bridge, ~$100M | DPRK on-chain attribution; consistent with Bluenoroff cluster | High (Chainalysis, Elliptic) |
| Jun 2023 | Atomic Wallet, ~$100M | Retail-wallet compromise; DPRK on-chain attribution | High (Elliptic, Chainalysis) |
| Sept 2023 | Stake.com, ~$41M | DPRK on-chain attribution; FBI public statement | High (FBI, Chainalysis) |
| Feb 2025 | Bybit theft, ~$1.5B | Largest crypto theft on record at the time; FBI attribution within days; on-chain forensics consistent with Bluenoroff / TraderTraitor activity set | High (FBI, Chainalysis, TRM Labs) |
Attribution Basis
APT38 / Bluenoroff attribution rests on the following evidentiary layers:
- Mandiant, “APT38: Un-usual Suspects” (October 2018) — the foundational analytic separation from broader Lazarus, based on distinct malware families (EVTDIAG, MSOUTC, MSDELETE), unique victimology (SWIFT-connected banks), and operational tempo that diverged from Lazarus-core operations on the same infrastructure.
- U.S. DOJ indictment of Park Jin Hyok (September 6, 2018) — Bangladesh Bank operation forms a core count, linking the operator to the Chosun Expo Joint Venture cover entity and DPRK origin.
- U.S. DOJ indictment of Jon Chang Hyok, Kim Il, and Park Jin Hyok (February 17, 2021) — names three DPRK programmers as members of an RGB unit (identified as Bureau / Lab 110) and aggregates SWIFT and crypto theft into a $1.3B scheme.
- OFAC designation (September 13, 2019; press release sm774) — formally identifies Bluenoroff as RGB sub-entity created to evade sanctions through financial cyber theft.
- CISA / FBI / USCYBERCOM joint advisories: AA18-275A (FASTCash), AA21-048A (AppleJeus), AA22-108A (TraderTraitor) — government-attributed technical indicators tracking the financial-crime mission across the SWIFT and crypto eras.
- Kaspersky GReAT — original “Bluenoroff” naming and tooling identification.
- BAE Systems — early Bangladesh Bank forensics including SWIFT-tooling reverse engineering.
- Symantec / Broadcom, Trend Micro, ESET, Group-IB — corroborating technical reporting across major incidents.
- On-chain forensics (Chainalysis, Elliptic, TRM Labs) — deterministic clustering of DPRK theft addresses across Ronin, Harmony, Atomic Wallet, Stake.com, and Bybit, supporting OFAC sanctions and law-enforcement seizures of stolen funds.
Sub-cluster boundary with Lazarus Group core remains analytically fluid: some 2023–2025 cryptocurrency operations are attributed to “Lazarus” broadly by some vendors and to APT38 / Bluenoroff / TraderTraitor specifically by others. The financial-mission targeting profile, however, remains the strongest discriminator.
Geopolitical Context
APT38 is the most consequential expression of the DPRK’s strategic substitution of cyber theft for sanctioned trade. Its trajectory mirrors three structural shifts:
- SWIFT hardening (2017–2019). SWIFT’s Customer Security Programme, the post-Bangladesh reform of correspondent-bank scrutiny, and the rise of cross-border anti-money-laundering coordination compressed APT38’s pre-2020 attack surface. The unit adapted by reallocating its skilled-operator capacity to cryptocurrency.
- The cryptocurrency ecosystem’s structural under-defence (2020–present). DeFi bridges and exchanges concentrated multi-billion-dollar custody under code and key-management practices that, in many cases, fell well short of the operational-security maturity of mid-sized banks. APT38 exploited this gap aggressively. Cumulative DPRK on-chain theft passed $3 billion by 2023 and added at least $1.5B in the single Bybit 2025 event.
- Sanctions-laundering pipeline pressure. Tornado Cash designation (August 2022), recurring OFAC actions against DPRK-linked OTC brokers, and crypto-platform compliance maturation have begun raising APT38’s laundering friction, though the 2025 Bybit incident demonstrates the ceiling remains high.
The unit is the analytic case study for state cyber-criminal hybrids: a regime function executed with the tooling and tradecraft of organised financial crime, against private-sector targets, with proceeds repatriated to fund strategic weapons programmes that themselves contribute to regional instability. See DPRK Cyber Warfare — Revenue, Espionage, and Geopolitical Weaponization and Financial Intelligence.
Gaps
- Internal headcount and operator composition — Public estimates of APT38-specific personnel size are not authoritative; only the broader Lab 110 / Bureau 121 figure (600–6,000+) is widely cited, and it covers multiple sub-clusters.
- Cluster boundary with Lazarus core post-2022 — Several recent crypto operations are attributed at the umbrella level rather than the sub-cluster level; tooling overlap with shared macOS toolchains complicates clean delineation.
- Laundering-pipeline reconstitution — Post-Tornado Cash sanctions, the operational shape of APT38’s preferred mixers, bridges, and OTC facilitators is a moving target; the public record lags behind operator adaptation by months.
- Relationship to overseas DPRK IT-worker scheme — CISA AA22-108A established IT workers as a parallel revenue stream, but the extent to which IT-worker personas double as APT38 initial-access vectors is incompletely mapped.
- Crypto operation tasking chain — Whether large-scale operations like Ronin and Bybit are approved at bureau level or higher (and on what cadence) is reconstructed indirectly from defector accounts.
Strategic Implications
For defensive posture across the financial and cryptocurrency sectors:
- Crypto exchanges and bridges are state-targeted critical infrastructure. The threat model for a multi-billion-dollar custody platform must include APT38-class adversaries with multi-month pre-positioning, supply-chain compromise capability, and engineer-targeted social engineering. Operational-security maturity comparable to a global systemically important bank is the floor, not the ceiling.
- SWIFT-era lessons remain valid, even for AML-mature institutions. Mid-tier banks in jurisdictions with weaker SWIFT-CSP adoption remain attractive APT38 targets if the crypto pipeline closes. The defensive bar of message-validation diversity, terminal hardening, paper-trail reconciliation, and printer/log integrity remains worth maintaining.
- Laundering-side interdiction is the highest-leverage policy tool. Stolen-funds recovery and movement-disruption (OFAC actions, mixer designations, cross-chain analytics) impose more durable costs on APT38 than incident-by-incident defensive hardening alone.
- Sub-cluster attribution matters for response design. Treating an APT38 / TraderTraitor operation as “Lazarus” loses the financial-mission signal — and the analytic specificity needed to prioritise Treasury action over CISA technical action, or vice versa.
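The three controls named above (paper-trail reconciliation, message-store log integrity, and scrutiny of weekend/holiday execution) map directly onto the SWIFT-era tradecraft described under Mission & Targeting: printer suppression, selective log deletion, and off-hours timing. The script below is an added example, not tooling from the profile or from any of the cited vendors; the record layout, field names, sample messages, printer log, holiday calendar and the 1,000,000 threshold are all constructed assumptions. It reconciles what the messaging database says was sent against what reached the printer, looks for gaps in the message-store sequence numbers, and flags high-value transfers released outside business hours.

```python
"""
Reconciliation checks over a SWIFT-style outbound message flow.

Added example with constructed data: the Message layout, the sample
records, the printer log, the holiday set and the high-value threshold
are assumptions, not a real institution's schema or any vendor's tool.
"""
from dataclasses import dataclass
from datetime import datetime, date


@dataclass(frozen=True)
class Message:
    ref: str          # transaction reference as stored in the messaging database
    seq: int          # message-store sequence number (should be contiguous)
    sent: datetime    # local time the message was released from the terminal
    amount: float
    currency: str
    beneficiary: str


# Constructed sample: what the messaging database says went out.
# Note the jump from seq 102 to 104: one stored message is missing.
MESSAGES = [
    Message("TRN0001", 101, datetime(2024, 2, 2, 10, 15), 250_000.0, "USD", "NORTH HARBOUR HOLDINGS"),
    Message("TRN0002", 102, datetime(2024, 2, 2, 11, 40), 18_000.0, "USD", "GREENFIELD SUPPLY CO"),
    Message("TRN0003", 104, datetime(2024, 2, 3, 2, 5), 20_000_000.0, "USD", "SILVERLINE TRADING LTD"),
    Message("TRN0004", 105, datetime(2024, 2, 5, 9, 30), 5_000_000.0, "USD", "RIVERSTONE CAPITAL"),
]

# Constructed sample: references that produced a printed confirmation.
# TRN0003 never hit the printer; that is the signal printer suppression leaves.
PRINTED_CONFIRMATIONS = {"TRN0001", "TRN0002", "TRN0004"}

HOLIDAYS = {date(2024, 2, 5)}   # constructed local holiday (a Monday)
HIGH_VALUE = 1_000_000.0        # constructed review threshold
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59 local time


def sequence_gaps(messages):
    """Return (before, after) pairs where message-store sequence numbers are not contiguous."""
    seqs = sorted(m.seq for m in messages)
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b - a > 1]


def is_off_hours(ts, holidays=HOLIDAYS):
    """True for weekends, listed holidays, or times outside business hours."""
    return ts.weekday() >= 5 or ts.date() in holidays or ts.hour not in BUSINESS_HOURS


def reconcile(messages, printed, holidays=HOLIDAYS, threshold=HIGH_VALUE):
    """Run the three checks and return (finding, detail) tuples in a stable order."""
    findings = []
    for m in messages:
        if m.amount < threshold:
            continue
        # Check 1: every high-value message must have a printed confirmation.
        if m.ref not in printed:
            findings.append(("MISSING_PAPER_TRAIL", m.ref))
        # Check 2: high-value releases timed to weekends/holidays/off-hours get reviewed.
        if is_off_hours(m.sent, holidays):
            findings.append(("OFF_HOURS_HIGH_VALUE", m.ref))
    # Check 3: a gap in sequence numbers means a stored message has vanished.
    for a, b in sequence_gaps(messages):
        findings.append(("SEQUENCE_GAP", f"{a}->{b}"))
    return findings


if __name__ == "__main__":
    for kind, detail in reconcile(MESSAGES, PRINTED_CONFIRMATIONS):
        print(f"{kind:22} {detail}")
```

On the constructed sample the script reports TRN0003 twice (no printed confirmation, and released at 02:05 on a Saturday), TRN0004 once (released on the listed holiday), and one sequence gap between 102 and 104. Each check is deliberately independent of the others, because an operator who suppresses the printer may still leave the message store intact, and vice versa; the reconciliation is only useful if the printer log and the sequence-number source are collected from outside the terminal the adversary controls.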
Sources (confidence-tagged)
- [High, authoritative] Mandiant, “APT38: Un-usual Suspects”, October 2018. Foundational separation of the financial-crime sub-cluster from broader Lazarus Group.
- [High, authoritative] U.S. Department of Justice, Indictment of Park Jin Hyok, September 6, 2018. Bangladesh Bank operation; Chosun Expo cover.
- [High, authoritative] U.S. Department of Justice, Indictment of Jon Chang Hyok, Kim Il, Park Jin Hyok, February 17, 2021. $1.3B aggregate including SWIFT and crypto.
- [High, authoritative] U.S. Treasury / OFAC Press Release sm774, September 13, 2019. Designates Bluenoroff alongside Lazarus and Andariel.
- [High, authoritative] CISA / FBI advisories: AA18-275A (FASTCash), AA21-048A (AppleJeus), AA22-108A (TraderTraitor), and successor crypto-focused advisories.
- [High] Kaspersky GReAT — origination of the Bluenoroff name; SWIFT-era and AppleJeus tooling analysis.
- [High] BAE Systems — Bangladesh Bank SWIFT-tooling reverse engineering.
- [High] Symantec / Broadcom, Trend Micro, ESET, Group-IB — corroborating technical reporting.
- [High] Chainalysis Crypto Crime Report (2022–2025); TRM Labs and Elliptic on-chain forensics on Ronin, Harmony, Atomic Wallet, Stake.com, Bybit.
- [High] FBI public attribution statements on Stake.com (2023) and Bybit (2025).
- [Medium] UN Panel of Experts on DPRK reports through 2024; quantification of cumulative cyber theft.
- [Reference] MITRE ATT&CK Group G0082 (APT38).