North Korea’s state-sponsored Lazarus Group relied primarily on spear phishing to steal funds over the past year, according to South Korean cybersecurity firm AhnLab. The group appeared more frequently than any other threat actor in post-incident analyses conducted over the past 12 months.
Spear phishing remains one of Lazarus’ preferred attack methods, with hackers sending fraudulent emails “disguised as lecture invitations or interview requests,” AhnLab noted in its Cyber Threat Trends & 2026 Security Outlook report published on Nov. 26, 2025.

The Lazarus Group is suspected in a wide range of attacks across multiple industries—including cryptocurrency—where it has been linked to the $1.4 billion Bybit breach on Feb. 21 and, more recently, a $30 million exploit targeting South Korean exchange Upbit on Thursday.
How to protect yourself from spear phishing
Spear phishing is a highly targeted form of phishing in which attackers gather detailed information about a victim and impersonate a trusted sender to steal login credentials, deploy malware, or gain access to critical systems.
Cybersecurity firm Kaspersky advises several precautions: use a VPN to protect online activity, limit the amount of personal information shared publicly, verify the source of suspicious emails through another communication channel, and enable multifactor or biometric authentication wherever possible.
A “multi-layered defense” is essential
AhnLab reports that Lazarus has targeted the crypto sector, finance, IT, and defense. Between October 2024 and September 2025, the group appeared most frequently in post-hack analyses, with 31 disclosures. Other North Korean–linked groups followed, including Kimsuky with 27 disclosures and TA-RedAnt with 17.
According to AhnLab, organizations need a “multi-layered defense system,” including regular security audits, timely software patching, and employee training on common attack methods. For individuals, the firm recommends enabling multifactor authentication, keeping security tools updated, avoiding unknown links and attachments, and downloading software only from trusted sources.
AI is making attackers more dangerous
Looking ahead to 2026, AhnLab warns that emerging technologies—especially artificial intelligence—will enable more advanced and efficient cyberattacks. Threat actors are already using AI to craft convincing phishing websites and emails, generate code designed to evade detection, and create deepfakes that enhance spear-phishing campaigns.
“With the recent increase in the use of AI models, deepfake attacks, such as those that steal prompt data, are expected to evolve to a level that makes it difficult for victims to identify them. Particular attention will be required to prevent leaks and to secure data to prevent them.”

