Hackers affiliated with the North Korean regime have successfully cashed out at least $300 million from a staggering $1.5 billion cryptocurrency heist, marking one of the largest cyber thefts in history. The attack, orchestrated by the notorious Lazarus Group, targeted the crypto exchange ByBit two weeks ago, with investigators racing against time to track and block the stolen funds.
The Lazarus Group, known for its sophisticated cyberattacks, allegedly altered a digital wallet address linked to ByBit, rerouting 401,000 Ethereum (ETH) coins to its own accounts. ByBit initially believed the transfer was internal, but by then the hackers had already gained control of the assets.
Since the theft, the hackers have been working relentlessly to launder the funds, leveraging their advanced money-laundering techniques honed over years of illicit cyber activity. According to Dr. Tom Robinson, co-founder of crypto investigative firm Elliptic, North Korean hackers operate with a near-continuous workflow to obfuscate the money trail.
“Every minute matters for these hackers. They are extremely sophisticated, possibly working in shifts, with entire teams dedicated to converting stolen crypto into usable cash,” Dr. Robinson explained.
ByBit, in an effort to combat the attack, has launched the Lazarus Bounty program, encouraging the public to help track and freeze the stolen funds. The program has already awarded over $4 million in bounties to individuals who have identified and flagged $40 million in stolen assets. Despite these efforts, Elliptic reports that at least 20% of the stolen funds have “gone dark,” making them nearly impossible to recover.
Complicating matters further, not all crypto exchanges are cooperating in freezing stolen funds. ByBit has accused the exchange eXch of allowing more than $90 million to be cashed out by the hackers. While eXch’s owner, Johann Roberts, initially hesitated to intervene due to a long-standing dispute with ByBit, he now claims to be cooperating.
North Korea has never admitted to being behind the Lazarus Group, but experts believe the regime has been systematically using cyberattacks to finance its military and nuclear programs. Previous hacks linked to North Korea include the $275 million theft from KuCoin in 2020, the $600 million Ronin Bridge attack in 2022, and the $100 million Atomic Wallet breach in 2023.
While U.S. authorities have placed Lazarus Group members on their Cyber Most Wanted list, their arrest remains highly unlikely unless they leave North Korea. As cryptocurrency security continues to lag behind traditional banking protections, experts warn that such large-scale heists are likely to persist.