North Korea’s Lazarus successfully cashes out $300 million from its $1.5 billion ByBit loot

North Korea’s Lazarus hackers have pulled off another major crypto laundering operation, successfully cashing out $300 million from their record-breaking $1.5 billion heist on crypto exchange ByBit, according to blockchain analytics company Elliptic.
The cybercriminals, working for the North Korean regime, swiped the funds two weeks ago in what has become the single largest crypto hack in history. Despite global efforts to track and freeze the stolen assets, at least 20% of the stolen money has vanished.
The stolen funds are being funneled through an elaborate laundering process, with experts warning that the money is likely funding North Korea’s nuclear and military programs.
Crypto analysts tracking the movements say the hackers are working nonstop, using sophisticated tools to evade detection. “Every minute matters for the hackers who are trying to confuse the money trail, and they are extremely sophisticated in what they’re doing,” said Tom Robinson, co-founder of Elliptic.
ByBit’s security breach allowed Lazarus to hijack funds
The ByBit attack happened on February 21, when Lazarus infiltrated one of ByBit’s suppliers. The hackers secretly changed the destination of a massive 401,000 ETH transfer, making ByBit send the funds straight into their hands instead of its own wallet.
The criminals took advantage of the loophole before the exchange even realized what had happened. ByBit CEO Ben Zhou confirmed that no customer funds were affected, but the company had to replenish the stolen money through investor loans.

$150K worth of stolen assets, now frozen and seized. Source: Elliptic
“We are waging war on Lazarus,” Ben said, announcing a bounty program where people can earn rewards for helping track and freeze the stolen funds.
So far, 20 people have received a total of $4 million in rewards for helping recover $40 million of the stolen crypto. The strategy relies on the fact that all transactions are recorded on a public blockchain, making it possible to trace the movement of the stolen money. But the problem is that Lazarus is too good at laundering crypto.
Lazarus is using crypto exchanges to cash out stolen funds
While ByBit and other exchanges are actively freezing stolen funds, not all crypto companies are cooperating. One exchange, eXch, has been accused of allowing Lazarus to cash out more than $90 million. ByBit and other firms have called out Johann Roberts, the owner of eXch, for not acting fast enough to block the criminals.
Roberts, however, denies the accusations. Over email, he admitted that eXch did not initially freeze the stolen funds, claiming that his company was in a long-standing dispute with ByBit and wasn’t sure the funds were from the hack.
He now says eXch is cooperating, but at the same time, he criticized the push for more regulation, arguing that it compromises the privacy and anonymity of crypto.
The U.S. and its allies blame North Korea for dozens of crypto hacks over the years, accusing it of using the stolen funds to support the country’s sanctions-hit economy.
Lazarus was previously focused on hacking banks, but in the last five years, crypto exchanges have become its primary target. Dr. Dorit Dor, a cybersecurity expert at Check Point, says North Korea has perfected the art of cybercrime.
“North Korea is a very closed system and closed economy, so they created a successful industry for hacking and laundering, and they don’t care about the negative impression of cybercrime,” she said.
The ByBit hack is just the latest in a long list of Lazarus attacks, including the 2019 UpBit hack ($41 million stolen), the 2020 KuCoin hack ($275 million stolen, most recovered), the 2022 Ronin Bridge attack ($600 million stolen), and the 2023 Atomic Wallet breach ($100 million stolen).
The U.S. has added Lazarus members to its Cyber Most Wanted list, but the chances of anyone getting arrested are slim unless they leave North Korea.
Despite international sanctions and law enforcement tracking their every move, Lazarus is still pulling off some of the biggest heists in the world—and cashing out.