Hackers linked to North Korea have successfully laundered at least $300 million from a record-breaking $1.5 billion cryptocurrency heist targeting ByBit, a prominent crypto exchange, according to blockchain analysts.
The cybercriminals, identified as the notorious Lazarus Group, infiltrated ByBit two weeks ago in what has been described as one of the largest cryptocurrency thefts in history. The group, which has long been accused of conducting cyberattacks to fund Pyongyang’s military and nuclear ambitions, has been relentlessly working to move the stolen assets beyond the reach of law enforcement agencies.
Investigators and cybersecurity firms have been tracking the movement of the stolen digital assets in an effort to block their conversion into fiat currency. However, experts warn that the chances of recovering the full amount remain slim.
"Every minute counts for these hackers, who are highly sophisticated in obfuscating the money trail," said Dr Tom Robinson, co-founder of blockchain intelligence firm Elliptic. "They operate with extreme efficiency, likely working in shifts, and use advanced automated tools to launder the funds."
Despite ongoing efforts to freeze the stolen assets, ByBit has acknowledged that nearly 20 per cent of the stolen funds—amounting to around $300m—have already "gone dark," making recovery highly unlikely.
ByBit responds with ‘war on Lazarus’
ByBit’s CEO, Ben Zhou, has assured customers that their funds remain secure, as the company has replenished the stolen amount through loans from investors. "We are waging war on Lazarus," Zhou declared, announcing a bounty programme to incentivise individuals and firms to track and freeze the stolen crypto.
So far, the initiative has paid out $4m in rewards to 20 individuals who helped identify and block $40m worth of stolen funds. However, authorities remain pessimistic about retrieving the majority of the loot.
North Korea’s growing cyber threat
The US and its allies have long accused Pyongyang of orchestrating cyberattacks to circumvent international sanctions and finance its weapons programmes. The Lazarus Group, believed to be operating under North Korea’s intelligence apparatus, has become increasingly adept at targeting cryptocurrency platforms due to their relatively weak security frameworks.
"North Korea has effectively built a cybercriminal empire to fund its regime," said Dr Dorit Dor of cybersecurity firm Check Point. "They have no regard for the legal or reputational consequences of their actions."
The Lazarus Group has been linked to a series of high-profile crypto heists in recent years, including:
- A $41m hack on UpBit in 2019
- A $275m attack on KuCoin in 2020 (with most funds recovered)
- The $600m Ronin Bridge hack in 2022
- A $100m theft from Atomic Wallet in 2023
Complicity of vrypto exchanges
One of the biggest hurdles in stopping such cyber heists is the complicity of certain cryptocurrency exchanges. ByBit has accused the crypto exchange eXch of allowing over $90m of the stolen funds to be laundered through its platform.
Johann Roberts, the elusive owner of eXch, initially resisted blocking the funds, citing an ongoing dispute with ByBit and uncertainty over the origins of the crypto. However, he later claimed that his company is now cooperating with investigators.
Despite mounting evidence against North Korean involvement, Pyongyang has consistently denied operating the Lazarus Group. The US government has placed several North Korean hackers on its Cyber Most Wanted list, but given the secretive nature of the regime, the chances of arrests remain remote.
