Who is The Lazarus Group (The Chollima Collectives)?
The Lazarus Group (often tracked as Labyrinth Chollima or Diamond Sleet) is the Democratic People's Republic of Korea's (DPRK) primary offensive cyber formation. Unlike NoName057(16), which exists to punish political enemies, the Chollima Collectives exist to fund the state.
They are unique among global threat actors because they function less like a military unit and more like a state-sponsored crime syndicate. Operating under the Reconnaissance General Bureau (RGB), their mission is to steal currency (fiat and crypto) to bypass international sanctions and fund North Korea’s nuclear and missile programs. In early 2026, they formalized a split into specialized sub-units (Golden, Pressure, Labyrinth) to optimize this revenue generation.
The Naming Convention Decoded
While "Lazarus" is a name given by researchers (referencing the biblical figure raised from the dead, symbolizing the group's resilience), their Nationalist Signal is found in the suffix applied by intelligence firms: Chollima.
Chollima: This refers to a mythical "Winged Horse" from East Asian folklore that is too fast to be mounted by any mortal.
The Symbolism: In North Korea, "Chollima" is not just a myth; it is the central symbol of the regime's economic acceleration. The "Chollima Speed" movement was a state-directed drive to rebuild the country after the Korean War.
Why this matters: By tagging these groups as "Chollima," the intelligence community acknowledges that these hackers are the digital engine of the regime's survival. They are expected to move at "Chollima Speed"—delivering rapid, breakthrough results (billions in stolen crypto) to propel the nation forward despite being "blockaded" by sanctions.
Why the confusion?
DPRK attribution is notoriously difficult because they do not care about "branding" the same way Russians do. They care about the cash.
The "Persona" Layer: They frequently invent temporary hacktivist groups to cover their tracks. You might see names like "Guardians of Peace" (used in the Sony Hack) or "Whois Team". These are disposable masks worn by Chollima operators to disguise a heist as a political protest.
The "Split" (2026): The monolithic "Lazarus" has fractured.
Labyrinth Chollima: The elite core (Espionage/Destruction).
Pressure Chollima: The "Whale Hunters" (High-value crypto heists).
Golden Chollima: The "Grinders" (Volume targeting of smaller fintech).
Bureau 121: This is the actual military unit name inside the DPRK (specifically the 3rd Bureau of the RGB). "Lazarus" is just what the West calls them.
The "Franchise" Model
The DPRK cannot rely on "ideological volunteers" like Russia because its population has no internet access. Instead of a volunteer botnet (DDoSia), it has created the IT Worker Army.
The Mechanism: The regime dispatches thousands of highly trained IT workers to live in "proxy" locations (historically China, Russia, or Southeast Asia).
The Operation: These workers use fake identities to get hired as freelance developers for Western tech companies. They earn legitimate salaries (up to $300k/year) and funnel 90% of it back to the regime.
The Threat: This is their "Franchise." It allows them to scale operations without using elite hackers for everything. These workers often use their insider access to plant backdoors for the elite "Chollima" units to exploit later.