North Korea’s Lazarus Group Just Stole $577M in Crypto With Malware That Lives Only in RAM — And You’d Never Know It Was There
The Invisible Heist: $577M in 4 Months
North Korea’s Lazarus Group has stolen $577 million in cryptocurrency in just the first four months of 2026. And the weapon they used to do it is a piece of malware so sophisticated that it never touches your hard drive — it lives entirely in your computer’s RAM, executes its mission, and vanishes without a trace when you restart.
The malware is called RemotePE, and cybersecurity researchers at Fox-IT have just published a detailed analysis of how it works. What they found should terrify every financial institution, every cryptocurrency exchange, and every developer who’s ever accepted a meeting request from a stranger on Telegram.
What Is RemotePE — The Malware That Doesn’t Exist on Disk
RemotePE is a full-featured remote access trojan (RAT) written in C++ that operates entirely in memory. Unlike traditional malware that writes files to disk, creates registry entries, or leaves other forensic artifacts, RemotePE loads its payload directly into RAM and executes from there.
The technical chain involves two loaders: DPAPILoader and RemotePELoader. DPAPILoader uses Windows’ own Data Protection API (DPAPI) to decrypt the next stage — meaning the malware leverages your operating system’s own security infrastructure against you. RemotePELoader then loads the final RAT payload into memory, where it establishes communication with command-and-control servers and waits for instructions.
When you shut down your computer, RemotePE is gone. No files on disk. No registry changes. No artifacts for forensic investigators to find. The only evidence it existed is in volatile memory — which is erased the moment power is cut.
The Attack Chain: From Telegram to Total Compromise
The entry point is devastatingly simple: social engineering via Telegram.
Lazarus operatives approach employees at cryptocurrency companies and financial institutions by impersonating colleagues or business contacts. They send professional messages, reference real projects, and eventually suggest scheduling a meeting through what appears to be Calendly or Picktime — but the scheduling links point to convincing fake domains.
When the victim clicks the fake scheduling link, the initial payload is delivered. From there, DPAPILoader takes over, decrypting and loading RemotePELoader, which in turn loads the full RemotePE RAT into memory.
The entire infection happens in seconds. No suspicious downloads. No security warnings. Just a meeting invitation that looked perfectly legitimate.
This social engineering approach is consistent with the broader trend of AI-assisted attacks documented in the 2026 Mandiant M-Trends report, where threat actors are becoming increasingly sophisticated in their initial access techniques.
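As an added example (not code from the Fox-IT analysis or from this article), a small link-triage check that a chat or mail gateway could run on a scheduling URL before anyone clicks it: it allowlists the genuine calendly.com and picktime.com hosts and flags the lookalike patterns described above (brand name buried in an unrelated domain, one-character typos, a credential prefix before an "@"). The allowlist, the edit-distance threshold and the sample URLs are assumptions for this example.

```python
"""Triage a scheduling link: genuine scheduler host, lookalike, or unrelated?"""
from urllib.parse import urlsplit

# Assumed allowlist: the two scheduling services the article names.
TRUSTED_SCHEDULERS = {"calendly.com", "picktime.com"}
TYPO_DISTANCE = 2  # labels within this edit distance of a brand count as lookalikes


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted_host(host: str) -> bool:
    """Exact allowlisted host or a true subdomain of one (api.calendly.com)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SCHEDULERS)


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike', 'untrusted' or 'invalid' for a URL."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # "https://calendly.com@evil.example/" shows a brand but resolves to evil.example.
    if "@" in parts.netloc:
        return "lookalike"
    if is_trusted_host(host):
        return "trusted"
    # A brand name as a label anywhere else in the host (calendly.com.evil.net,
    # picktime-meet.io) or a near-miss spelling (calend1y.com) is a lookalike.
    for trusted in TRUSTED_SCHEDULERS:
        brand = trusted.split(".")[0]
        for label in host.split("."):
            if brand in label or edit_distance(label, brand) <= TYPO_DISTANCE:
                return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample links for illustration only.
    for link in ("https://calendly.com/alice/30min", "https://calend1y.com/book",
                 "https://calendly.com.evil-meet.net/book", "https://zoom.us/j/1"):
        print(classify_link(link), link)
```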
Why Memory-Only Malware Is Terrifying for Defenders
Traditional antivirus and endpoint detection systems are designed to catch malware by scanning files on disk. They look for known signatures, suspicious file behaviors, and unusual registry modifications. RemotePE bypasses all of this because there’s nothing on disk to scan.
The toolset’s environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns. Lazarus doesn’t just steal credentials and run — they watch. They learn trading patterns. They identify high-value wallets. They wait for the perfect moment to execute a transfer.
This patience is what makes the $577 million figure so staggering. Each theft is carefully planned, executed when conditions are optimal, and designed to maximize the take while minimizing the chance of detection.
North Korea’s Crypto War Chest: 76% of All 2026 Hacks
The scale of North Korea’s cryptocurrency theft operation has reached truly alarming proportions. According to TRM Labs, the percentage of crypto hacks attributable to North Korea has risen from single digits in previous years to 64% in 2025 and a staggering 76% in 2026.
That means more than three out of every four cryptocurrency theft incidents this year can be traced back to North Korean state-sponsored hackers. The country has essentially industrialized cryptocurrency theft, turning it into a primary revenue source for its weapons programs and sanctions evasion.
This isn’t a handful of rogue hackers. This is a national strategy. North Korea has deployed thousands of trained cyber operatives whose sole job is to steal cryptocurrency. And with tools like RemotePE, they’re getting better at it every year.
The massive growth in crypto-adjacent companies means there are more targets than ever, and many of them are startups with immature security programs.
The DPAPI Trick That Makes Detection Almost Impossible
One of the most clever aspects of RemotePE is its use of Windows DPAPI (Data Protection Application Programming Interface) for decryption. DPAPI is a legitimate Windows feature used by applications to securely store sensitive data — passwords, certificates, encryption keys. Every Windows system has it. Every security tool trusts it.
By using DPAPI to decrypt its payload, RemotePE’s decryption process looks identical to normal Windows operations. Security tools that monitor for suspicious decryption activity would have to flag every DPAPI call to catch it — which would generate so many false positives that the alerts would be useless.
It’s the digital equivalent of hiding in plain sight. The malware uses your own security infrastructure as camouflage.
Who Is Being Targeted — And How to Know If You’re Next
RemotePE campaigns primarily target employees at cryptocurrency exchanges, DeFi platforms, blockchain companies, and traditional financial institutions with cryptocurrency operations. The victims are typically developers, traders, and operations staff — people with direct access to wallets, trading systems, or infrastructure.
The targeting is precise. Lazarus operatives research their victims thoroughly before making contact. They know which projects you’re working on. They know your colleagues’ names. They know enough about your company to craft convincing pretexts.
If you work in cryptocurrency or finance and you’ve received an unsolicited meeting invitation on Telegram, Signal, or LinkedIn from someone you don’t know personally — particularly someone claiming to represent a trading firm, investment fund, or blockchain project — you may have been targeted.
The Lazarus Playbook: Why Crypto Companies Keep Falling
The cryptocurrency industry has a fundamental security problem: it combines enormous financial value with a culture that prizes speed, openness, and informal communication. Developers accept pull requests from strangers. Traders take meetings with people they’ve never met. Teams communicate primarily through messaging apps with minimal verification.
Lazarus exploits every one of these cultural norms. The fake Calendly links work because people in crypto accept meeting invitations from strangers all the time — it’s how deals get done. The Telegram social engineering works because the industry runs on Telegram.
This is the same rapid-development culture that makes crypto innovation possible. Unfortunately, it also makes crypto theft possible.
Combined with the earlier wave of Big Tech layoffs in 2026, many security professionals who might have caught these attacks have been pushed out of the industry entirely.
How to Protect Yourself
Defending against memory-only malware like RemotePE requires a different approach than traditional security:
Verify every meeting invitation independently. If someone invites you to a meeting via a scheduling link, verify their identity through a separate channel before clicking. Call them. Email them at their known company address. Don’t trust Telegram usernames.
Deploy memory-scanning EDR solutions. Traditional file-based antivirus won’t catch RemotePE. You need endpoint detection that monitors process memory, API calls, and behavioral patterns — not just file signatures.
Monitor for unusual DPAPI activity. While DPAPI calls are normal, unusual patterns — particularly DPAPI decryption followed by process injection — should trigger alerts.
Implement hardware wallet policies. Any cryptocurrency held by your organization should be in hardware wallets with multi-signature requirements. No single employee should be able to authorize large transfers.
Restrict Telegram and messaging app usage on work devices. If your security policy allows employees to accept meeting invitations from strangers on personal messaging apps using work devices, your security policy is the vulnerability.
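One way to turn the "DPAPI decryption followed by process injection" rule above into detection logic, as an added example that is not from the article or from any EDR product: it correlates a constructed, hypothetical per-process event stream and alerts only when a DPAPI unprotect call is followed, within a short window, by an injection-style event in the same process, so a browser decrypting a saved password or a mail client that allocates memory much later stays quiet. The event names, fields, window and sample lines are all assumptions for this example.

```python
"""Correlate DPAPI decryption with injection-like behaviour in the same process."""
import json
from collections import defaultdict

# Hypothetical EDR event stream, constructed for this example (not real telemetry).
SAMPLE_EVENTS = """
{"ts": 1000.0, "pid": 4120, "image": "chrome.exe", "event": "dpapi_unprotect"}
{"ts": 1000.4, "pid": 4120, "image": "chrome.exe", "event": "net_connect", "dst": "203.0.113.10:443"}
{"ts": 2000.0, "pid": 5232, "image": "invite_helper.exe", "event": "dpapi_unprotect"}
{"ts": 2001.5, "pid": 5232, "image": "invite_helper.exe", "event": "mem_alloc_rwx"}
{"ts": 2002.0, "pid": 5232, "image": "invite_helper.exe", "event": "remote_thread_create", "target_pid": 6100}
{"ts": 3000.0, "pid": 7001, "image": "outlook.exe", "event": "dpapi_unprotect"}
{"ts": 3500.0, "pid": 7001, "image": "outlook.exe", "event": "mem_alloc_rwx"}
"""

# Assumed event names for injection-style behaviour in this hypothetical schema.
INJECTION_EVENTS = {"mem_alloc_rwx", "remote_thread_create", "write_process_memory"}
WINDOW_SECONDS = 30.0  # tunable: a loader decrypts and injects within seconds


def parse_events(text: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def correlate(events: list, window: float = WINDOW_SECONDS) -> list:
    """Return one alert per process in which a DPAPI unprotect is followed,
    within `window` seconds, by an injection-style event from the same pid."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        for i, ev in enumerate(evs):
            if ev["event"] != "dpapi_unprotect":
                continue
            followups = [e for e in evs[i + 1:]
                         if e["event"] in INJECTION_EVENTS
                         and e["ts"] - ev["ts"] <= window]
            if followups:
                alerts.append({"pid": pid, "image": ev["image"], "dpapi_ts": ev["ts"],
                               "indicators": [e["event"] for e in followups]})
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    print(json.dumps(correlate(parse_events(SAMPLE_EVENTS)), indent=2))
```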
RemotePE represents the cutting edge of state-sponsored financial cybercrime. It’s invisible, patient, and devastatingly effective. And with North Korea now responsible for 76% of all cryptocurrency thefts, the question isn’t whether your organization will be targeted — it’s whether you’ll be ready when it happens.