North Korea steals $1.5bn as it pulls off world’s biggest ever heist

North Korean state-backed hackers have orchestrated the largest cryptocurrency heist in history, stealing $1.5 billion (£1.2 billion) in digital assets.

Security analysts revealed that operatives from Pyongyang infiltrated the systems of Bybit, a Dubai-based cryptocurrency exchange, and stole Ether. This single attack exceeded the total amount stolen by North Korean cyber criminals in all of 2024, which stood at approximately $1.3 billion, according to cryptocurrency analytics firm Chainalysis. The scale of the theft surpasses even the largest recorded bank heist, when Saddam Hussein seized $1 billion from Iraq's central bank in 2003.


The record-breaking theft underscores North Korean leader Kim Jong-un's increasing reliance on elite cyber units to sustain the country’s struggling economy. Chainalysis described the attack as a "stark reminder" of the sophisticated techniques employed by North Korea’s hackers. In addition to technical expertise, these cybercriminals excel at "social engineering"—a method of manipulating individuals through digital communication to gain access to critical systems.


Such tactics often involve cultivating relationships with targets over email and messaging platforms, sometimes over extended periods. Cybersecurity experts suspect that the notorious Lazarus Group masterminded the Bybit attack. This hacking collective has plagued Western businesses for over a decade, inflicting billions in damages through cyber intrusions. Cryptocurrency analysis firm Elliptic has identified Lazarus Group as the "most sophisticated and well-resourced launderer of crypto assets in existence."


Believed to be part of North Korea’s Reconnaissance General Bureau, Lazarus Group has been linked to high-profile cyberattacks, including the 2014 Sony hack, the 2016 Bangladesh Bank heist involving nearly $1 billion, and the global WannaCry ransomware attack, which disrupted hundreds of thousands of computers, including NHS systems.


Initially focused on cyber espionage and intellectual property theft, North Korea has increasingly weaponized its hacking capabilities as a financial tool to circumvent international sanctions. "North Korea started with cyber attacks for espionage, stealing R&D and intellectual property," explained Rafe Pilling of cybersecurity firm Secureworks. "Now, they have fully capitalized on it as a revenue stream."


A Soviet-style emphasis on science and technology has fostered an educational pipeline for future cyber operatives. North Korean prodigies are identified early and groomed through participation in international mathematics and programming competitions.


North Korean hackers remain prolific. In 2024, they were responsible for approximately 61% of the $2.2 billion in cryptocurrency stolen globally, per Chainalysis. With the latest heist, the regime’s cybercriminals have stolen over $6 billion in digital assets over the past decade. These funds provide critical support to North Korea’s embattled economy and military programs, including its ballistic missile development. With an estimated GDP of just $28 billion, North Korea relies heavily on agriculture and trade with its primary ally, China.


While most Lazarus Group members remain unidentified, the U.S. has issued indictments against several North Korean military officials believed to be linked to the group. The hackers employ a variety of tactics, including exploiting "zero-day" vulnerabilities—previously undiscovered security flaws—and posing as remote contractors to infiltrate U.S. companies.


Cryptocurrency analysis firms Arkham Intelligence and Elliptic have traced the Bybit attack to Lazarus Group by following digital wallets used in the heist. Researchers detected links between these wallets and previous North Korean cyberattacks. TRM, another cybersecurity firm, found "substantial overlaps" between addresses controlled by the Bybit hackers and those tied to earlier North Korean thefts.


According to Chainalysis, the attack was meticulously planned and executed. Hackers infiltrated Bybit’s systems through a phishing email that tricked an employee into entering credentials on a compromised website. Once inside, they accessed Bybit’s "cold wallet"—an offline cryptocurrency storage device considered highly secure. When Bybit attempted to transfer funds from the cold wallet to its online systems, the hackers intercepted and rerouted the funds.


Within minutes, the stolen assets were funneled through multiple digital wallets and exchanges to obscure their origin. By rapidly trading them for different cryptocurrencies and utilizing trading platforms with minimal customer verification, the hackers attempted to launder the funds. Despite these efforts, Chainalysis collaborated with exchanges to freeze $40 million of the stolen funds, though the majority remains unaccounted for.


North Korean cybercriminals show no signs of slowing down. Chainalysis warns that their attacks are becoming "better and faster at massive exploits." Cyber expert Rafe Pilling remarked, "North Korea’s cyber capabilities make it a major player, despite being highly isolated in the real world."


Bybit has assured customers that it has "more than enough" assets to cover losses and maintains that the breach was an "isolated incident."