Key takeaways about APT38:
  • APT38 is a North Korean state-sponsored threat group that specializes in financially motivated attacks against banks, cryptocurrency exchanges, and financial infrastructure, distinguishing it from espionage-focused nation-state actors.

  • The group has evolved from targeting traditional SWIFT banking networks to attacking cryptocurrency platforms, with high-profile thefts (including the Harmony Horizon Bridge) demonstrating the scale of crypto-focused operations linked to North Korean actors.

  • APT38's operational patience sets it apart from other threat actors: the group often dwells in victim networks for months, conducting reconnaissance and positioning for maximum financial extraction before executing theft and destroying evidence.

  • Detection requires correlating signals across cloud logs, identity systems, and runtime execution because APT38 uses legitimate tools and anti-forensic techniques that evade traditional endpoint detection.
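The last takeaway is a procedure defenders can implement: join events from cloud audit logs, the identity provider, and runtime sensors on the principal they belong to, then alert when all three sources show suspicious activity for one principal inside a short time window. The script below is an added illustration, not code from the original page or from Wiz; the event records are constructed sample data, and the source names, principal names and window length are assumptions chosen for the demonstration.

```python
"""Correlate cloud-audit, identity and runtime events per principal.

Added example (not from the page or any vendor). All events below are
constructed sample data; the "cloud" / "identity" / "runtime" source tags
and the six-hour window are assumptions for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # "cloud", "identity" or "runtime" (assumed tag set)
    principal: str  # account or role the event is attributed to
    detail: str     # free-text description already flagged as suspicious


# A correlated alert needs one suspicious event from every source below.
REQUIRED_SOURCES = {"cloud", "identity", "runtime"}

# Constructed events: one principal shows all three signals within an hour,
# the others show isolated or widely separated signals only.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 1, 2, 10), "identity", "svc-payments",
          "sign-in from new country without MFA"),
    Event(datetime(2024, 3, 1, 2, 35), "cloud", "svc-payments",
          "new long-lived access key created"),
    Event(datetime(2024, 3, 1, 3, 5), "runtime", "svc-payments",
          "interactive shell spawned by web worker; audit log cleared"),
    Event(datetime(2024, 3, 1, 9, 0), "cloud", "alice",
          "new long-lived access key created"),
    Event(datetime(2024, 3, 2, 14, 0), "identity", "bob",
          "sign-in from new country without MFA"),
    Event(datetime(2024, 3, 5, 14, 0), "runtime", "bob",
          "interactive shell spawned by web worker"),
]


def correlate(events, window=timedelta(hours=6)):
    """Return {principal: [cluster, ...]}.

    A cluster is a time-ordered list of one principal's events that all fall
    within `window` of the first event and that together cover every source
    in REQUIRED_SOURCES. Principals with no such cluster are omitted.
    """
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[ev.principal].append(ev)

    alerts = {}
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e.ts)
        clusters = []
        i = 0
        while i < len(evs):
            # Extend the window as far as it reaches from event i.
            j = i
            while j + 1 < len(evs) and evs[j + 1].ts - evs[i].ts <= window:
                j += 1
            cluster = evs[i:j + 1]
            if {e.source for e in cluster} >= REQUIRED_SOURCES:
                clusters.append(cluster)
                i = j + 1  # skip past this window so it is reported once
            else:
                i += 1
        if clusters:
            alerts[principal] = clusters
    return alerts


def render_timeline(cluster):
    """Format one cluster as timeline lines for an analyst."""
    return [f"{e.ts:%Y-%m-%d %H:%M} [{e.source:8}] {e.principal}: {e.detail}"
            for e in cluster]


if __name__ == "__main__":
    for principal, clusters in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT: correlated activity for {principal}")
        for line in render_timeline(clusters[0]):
            print("  " + line)
```

Run as-is, the script reports only svc-payments: its identity, cloud and runtime signals fall within an hour of each other, whereas bob's two signals are three days apart and never include a cloud event. Shrinking the window to twenty minutes suppresses the alert entirely, which is the tuning knob to adjust against the dwell time the page describes.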

What is APT38?

APT38 is a North Korean state-sponsored threat group that conducts financially motivated cyberattacks against banks, cryptocurrency exchanges, and financial institutions worldwide. While most advanced persistent threats (APTs) focus on espionage or intellectual property theft, APT38 operates with the specific goal of stealing funds. This distinction is critical because their tactics align more closely with high-end bank heists than traditional intelligence gathering operations.

This financial mandate drives them to target high-value infrastructure where large sums can be moved quickly. Their targets have shifted over time from traditional SWIFT banking terminals to modern blockchain bridges and decentralized finance (DeFi) platforms.

Mandiant designated APT38 as a separate entity from the broader Lazarus Group due to its distinct financial focus, unique tooling, and specialized operational patterns targeting SWIFT banking infrastructure. The group has been active since at least 2014, initially compromising banks in Southeast Asia and Africa before expanding globally. Their ability to navigate complex financial networks indicates a deep understanding of banking protocols and transaction workflows.

Security teams must recognize that this adversary is well-resourced, patient, and willing to destroy victim environments to cover their tracks. Understanding their specific motivations helps defenders prioritize the protection of payment gateways, crypto wallets, and transaction authorization systems.


APT38's relationship to Lazarus Group and North Korean threat actors

Security researchers often use "Lazarus Group" as an umbrella term for multiple North Korean-linked operations, and APT38 is commonly described as a financially focused cluster related to, and sometimes tracked alongside, Lazarus. This taxonomy helps practitioners distinguish between different mission objectives originating from the same state sponsor. While the groups may share malware families or infrastructure, their operational goals and targets differ significantly.

The organizational structure generally divides responsibilities: APT38 handles bank heists and cryptocurrency theft, while other sub-groups focus on different priorities. BlueNorOff (also known as Sapphire Sleet) is often cited as a specific subgroup or close affiliate focused on cryptocurrency targeting. Meanwhile, groups like Andariel typically conduct espionage operations against defense and political targets.

Various security vendors use different aliases to track these activities.

Alias                        Vendor
APT38                        Mandiant: financial ops
BlueNorOff / Sapphire Sleet  Microsoft designation for crypto-focused subset
Stardust Chollima            CrowdStrike designation
NICKEL GLADSTONE             Secureworks designation

Public reporting may attribute the same incidents to different names depending on vendor taxonomy. For example, a CrowdStrike report on "Stardust Chollima" and a Mandiant report on "APT38" may describe overlapping activity. Defenders should focus on TTPs and infrastructure indicators rather than relying solely on group labels. When investigating potential APT38 activity, search across all known aliases and cross-reference MITRE ATT&CK techniques to ensure comprehensive threat intelligence coverage.

This distinction matters for practitioners because different sub-groups use different tactics, techniques, and procedures (TTPs). A detection rule designed for Andariel's espionage tools might not catch APT38's financial manipulation scripts. Security teams should reference MITRE ATT&CK Group G0082 to review techniques publicly attributed to this cluster and related activity.

Major APT38 campaigns and attributed attacks

North Korean-linked operators have conducted dozens of confirmed operations across multiple continents, including extremely large cryptocurrency thefts such as the $1.5 billion Bybit incident described by the FBI.

The following table highlights some of the major attacks attributed to the group:

Campaign                        Year  Target                        Outcome
Bangladesh Bank                 2016  Central bank SWIFT network    $81M stolen (attempted $951M)
Far Eastern International Bank  2017  Taiwan bank SWIFT network     $60M stolen, partially recovered
Banco de Chile                  2018  Bank SWIFT network            $10M stolen
Harmony Horizon Bridge          2022  Cryptocurrency bridge         $100M stolen
Axie Infinity/Ronin Bridge      2022  Gaming cryptocurrency bridge  $620M stolen

The FBI has publicly attributed multiple cryptocurrency thefts to APT38 and the Lazarus Group, confirming their role in these massive losses. These represent only publicly confirmed operations; the actual scope of their activity is likely larger, as many compromises may go unreported or misattributed.

How Wiz helps defend against threat actors

Wiz Defend provides runtime detection for suspicious process execution and fileless techniques across cloud workloads, helping teams investigate behavior that blends into legitimate admin activity. By monitoring for anomalies in real time, security teams can detect the subtle signs of "living off the land" tactics that traditional signature-based tools miss.

The Threat Center surfaces threat intelligence, enabling security teams to immediately assess exposure to emerging campaigns. When a new vulnerability is linked to threat actors, teams can instantly see which assets are exposed and prioritize remediation. Automated investigation capabilities correlate cloud events with runtime signals to build attack timelines without manual pivoting across disconnected log sources, countering the group's attempts to hide their tracks.

Wiz's identity risk analysis detects the credential theft, privilege escalation, and unusual access patterns that characterize lateral movement. Attack path analysis visualizes how initial access vectors connect to sensitive financial systems, allowing teams to proactively harden these paths before an attack occurs.

Schedule a demo to see how Wiz connects cloud posture, identity risk, and runtime signals into prioritized attack paths, so teams can focus on the exposures that actually enable theft.
