According to TRM Labs, Lazarus-linked thefts reached about $577 million in the first four months of 2026, as the group reportedly used memory-only RemotePE malware and Telegram lures against banks and crypto companies.
Cybersecurity analysts said the Lazarus Group, a cybercrime group believed to be linked to North Korea, is using a fileless remote access trojan called RemotePE to target banks and cryptocurrency companies through Telegram-based social engineering with fake Calendly and Picktime links. The malware runs entirely in memory, limiting forensic evidence and helping it evade detection. In the reported campaign, the group used a three-stage infection chain involving DPAPILoader, a dynamic-link library file known as Iassvc.dll, and RemotePELoader before loading the final RemotePE payload in memory. According to TRM Labs, Lazarus-linked thefts reached about $577 million in the first four months of 2026, accounting for 76% of global crypto theft during that period. The same report said North Korea-linked actors have stolen a cumulative $6 billion since 2017.