Lazarus Group hackers believed to be affiliated with North Korea’s regime have successfully laundered at least $300 million from their unprecedented $1.5 billion cryptocurrency heist targeting the ByBit exchange.
The cybercriminals, identified as the infamous Lazarus Group, executed the attack two weeks ago, marking one of the largest crypto thefts in history.
The hackers reportedly breached one of ByBit’s suppliers on February 21, secretly altering a digital wallet address to redirect 401,000 Ethereum coins.
ByBit, unaware of the breach, transferred the funds to the attackers instead of its own wallet. Since then, investigators have been racing against time to trace and block the stolen funds.
Dr. Tom Robinson, co-founder of crypto investigation firm Elliptic, described the group’s laundering methods as highly advanced. “Every minute matters for the hackers who are trying to confuse the money trail,” he said.
“They are extremely sophisticated in what they’re doing.” Dr. Robinson added that Lazarus Group likely operates around the clock, using automated tools and working in shifts to convert stolen crypto into cash.
Elliptic’s analysis aligns with ByBit’s findings, which indicate that 20% of the stolen funds, approximately $300 million, have “gone dark,” meaning they are unlikely to be recovered.
The U.S. and its allies have long accused North Korea of using cyberattacks to fund its military and nuclear programs. Experts believe this latest heist is part of a broader strategy by the regime to generate revenue through cybercrime.
Dr. Dorit Dor from cybersecurity firm Check Point highlighted North Korea’s unique approach: “North Korea is a very closed system and closed economy, so they created a successful industry for hacking and laundering. They don’t care about the negative impression of cybercrime.”
ByBit CEO Ben Zhou has assured customers that their funds remain safe, with the company replenishing the stolen assets through loans from investors. However, Zhou has declared “war on Lazarus,” launching a bounty program to track and freeze the stolen funds.
The Lazarus Bounty program encourages public participation in identifying and blocking suspicious transactions. So far, 20 individuals have earned over $4 million in rewards by helping freeze $40 million of the stolen funds.
Despite these efforts, experts remain skeptical about recovering the remaining assets due to Lazarus Group’s expertise in laundering cryptocurrency.
One obstacle in recovering the funds is inconsistent cooperation among crypto exchanges. ByBit has accused eXch, another exchange, of enabling cash-outs totaling more than $90 million.
eXch’s owner, Johann Roberts, initially denied responsibility, citing a lack of clarity about whether the funds were linked to the hack. Roberts now claims his company is cooperating but argues that strict customer identification policies undermine cryptocurrency’s promise of privacy.
The Lazarus Group has shifted its focus in recent years from traditional banking hacks to targeting cryptocurrency platforms, which often lack robust security mechanisms. Past attacks attributed to the group include:
As investigators continue their efforts to trace and recover funds from this latest heist, it serves as another stark reminder of North Korea’s growing prowess in cybercrime and cryptocurrency laundering.