The North Korean state-backed Lazarus Group primarily used spear phishing attacks to steal funds over the last year and received the most mentions in post-hack analyses over the last 12 months, according to South Korean cybersecurity company AhnLab.
Spear phishing is one of the most popular methods of attack by bad actors like Lazarus, using fake emails, “disguised as lecture invitations or interview requests,” AhnLab analysts said in the Nov. 26, 2025, Cyber Threat Trends & 2026 Security Outlook report.
The Lazarus Group is the main suspect behind many attacks across many sectors, including crypto, with the hackers suspected to be responsible for the $1.4 billion Bybit hack on Feb. 21 and the more recent $30 million exploit of the South Korean crypto exchange Upbit on Thursday.
How to protect yourself from spear phishing
Spear phishing attacks are a targeted form of phishing where hackers research their intended target to gather information and masquerade as a trusted sender, thereby stealing a victim’s credentials, installing malware, or gaining access to sensitive systems.
Cybersecurity firm Kaspersky recommends the following methods to protect against spear phishing: using a VPN to encrypt all online activity, avoiding the sharing of excessive personal details online, verifying the source of an email or communication through an alternative channel, and, where possible, enabling multifactor or biometric authentication.
‘Multi-layered defense’ needed to combat bad actors
The Lazarus Group has targeted the crypto space, finance, IT and defense, according to AhnLab, and was also the most frequently mentioned group in after-hack analysis between October 2024 and September 2025, with 31 disclosures.
Fellow North Korean-linked hacker outfit Kimsuky was next with 27 disclosures, followed by TA-RedAnt with 17.
AhnLab said a “multi-layered defense system is essential” for companies hoping to curb attacks, such as regular security audits, keeping software up to date with the latest patches and education for staff members on various attack vectors.
Meanwhile, the cybersecurity company recommends individuals adopt multifactor authentication, keep all security software up to date, avoid running unverified URLs and attachments, and only download content from verified official channels.
AI will make bad actors more effective
Going into 2026, AhnLab warned that new technologies, such as artificial intelligence, will only make bad actors more efficient and their attacks more sophisticated.
Attackers are already capable of using AI to create phishing websites and emails that are difficult to distinguish from legitimate ones with the naked eye, AhnLab said, and AI can also “produce various modified codes to evade detection” and make spear phishing more efficient through deepfakes.
“With the recent increase in the use of AI models, deepfake attacks, such as those that steal prompt data, are expected to evolve to a level that makes it difficult for victims to identify them. Particular attention will be required to prevent leaks and to secure data to prevent them.”