North Korean Hackers Cash Out $300 Million from Record $1.5 Billion Crypto Heist
By Joe Tidy, Cyber Correspondent, BBC World Service
Hackers believed to be affiliated with North Korea’s state apparatus have successfully laundered approximately $300 million (£232 million) from a $1.5 billion theft that is being recognized as one of the largest cryptocurrency heists in history. The theft occurred in a breach of the crypto exchange ByBit just two weeks ago.
The Lazarus Group’s Sophisticated Operations
The hacking group behind the attack, known as the Lazarus Group, has a notorious reputation for orchestrating high-profile cyber crimes to fund North Korea’s military and nuclear ambitions. Dr. Tom Robinson, co-founder of crypto investigative firm Elliptic, emphasized the urgency and sophistication of the group’s operations, stating that "every minute matters" as they work continuously to obscure the financial trail of the stolen cryptocurrencies.
According to Dr. Robinson, North Korean hackers are unparalleled in their capabilities to launder digital assets. “I imagine they have an entire room of people doing this using automated tools and years of experience,” he noted, estimating that the group operates almost around the clock, taking only brief breaks each day.
The Heist in Detail
The hackers gained control of 401,000 Ethereum coins by infiltrating a third-party supplier linked to ByBit on February 21. Believing it was transferring the funds to its own secure wallet, ByBit inadvertently sent the tokens to the hackers. Following this incident, Elliptic reported that 20% of the stolen funds have "gone dark," which decreases the chances of recovery.
ByBit’s CEO, Ben Zhou, has assured customers that their individual funds remain secure, as the company has managed to cover the losses through loans from investors. Zhou indicated that ByBit is "waging war on Lazarus" and has launched the Lazarus Bounty program. This initiative offers rewards to individuals who help trace and freeze the lost funds.
Challenges in Fund Recovery
The transparency of cryptocurrency transactions on public blockchains makes tracking feasible, but recovery remains difficult. The Lazarus Group has shown adeptness in moving funds through various channels, and concerns are mounting over the complicity of certain exchanges. More than $90 million has reportedly been funneled through the exchange eXch, raising accusations from ByBit about its hesitance to block the hackers’ transactions.
Johann Roberts, the owner of eXch, claimed that his exchange did not initially halt the transactions due to an ongoing dispute with ByBit and uncertainty about the origins of the funds. He asserted that the exchange is now cooperating but criticized major crypto firms for compromising the private and anonymous nature of cryptocurrency transactions.
Unyielding Threat of North Korea
Despite North Korea’s denial of any involvement with the Lazarus Group, evidence suggests that the regime is one of the few governments globally utilizing cyber crime for financial gain. As traditional banking institutions become better fortified against cyber assaults, cryptocurrency exchanges have emerged as more vulnerable targets.
Previously recorded hacks associated with North Korean entities include:
- The 2019 theft of $41 million from UpBit.
- The $275 million hack of KuCoin, with most funds later recovered.
- The infamous $600 million breach of the Ronin Bridge in 2022.
- A further $100 million stolen from Atomic Wallet in 2023.
In response to their escalating cyber activities, the United States has included individuals connected to the Lazarus Group on its Cyber Most Wanted list. However, the likelihood of apprehensions is minimal, particularly as long as these operatives remain within North Korea’s borders.
As the international community grapples with the challenges posed by state-sponsored cyber crime, the developments surrounding the Lazarus Group serve as a stark reminder of the persistent threats facing the cryptocurrency industry.