North Korea’s state-sponsored hackers continue to show why they are among the biggest threats in the crypto theft realm, with the Lazarus hackers now broadly identified by the cybersecurity community as the perpetrators of the recent theft of $1.5 billion in assets from Bybit.
The Lazarus hackers struck during a routine transfer from a Bybit Ethereum (ETH) Cold Wallet to a Hot Wallet, by way of what the trading platform calls a “sophisticated” smart contract manipulation. Bybit says that it is solvent in the wake of the crypto theft, though it does not expect to recover all of the stolen funds.
Another massive crypto theft for North Korea’s hackers
The total take for the Lazarus hackers was over 400,000 ETH and stETH valued at about $1.5 billion in total. Though the exchange restored its ETH reserve within two days and declared solvency, the public report of the crypto theft triggered a wave of about 580,000 withdrawal requests. Bybit says that it has weathered that bank run (which totalled about another $4 billion in outflow) and remains in good financial shape, with all investments still backed one-to-one with the new infusion of resources. The incident also does not appear to have halted withdrawals at any point, though the exchange says that there have been delays for certain transactions due to volume.
The crypto theft was tied to the Lazarus hackers by security researchers who noticed that the thieves moved funds to an address previously associated with the proceeds of the Phemex robbery. That breach took place just about one month prior and involved about $85 million in a broad variety of asset types. The Lazarus hackers have been linked to both by their choice of money laundering approaches, scattering the stolen funds through a variety of methods: Tornado Cash, the centralized mixer eXch, the “Pump Fun” meme coin and bridging funds to Bitcoin by way of decentralized asset-swapping protocol Chainflip. A number of addresses used in these movements have been previously linked to the North Koreans.
Analytics firm Elliptic has further noted that the Lazarus hackers have distributed about 500,000 ETH evenly across about 50 wallets in an attempt to slow down tracking of the stolen funds, and as of February 24 had laundered about 15% of the proceeds of the crypto theft. Bybit managed to restore operations via an assortment of emergency loans and is offering a 10% reward for return of any of the stolen funds, but says that it has little expectation at this point that anything will be recovered.
Lazarus hackers continue to plague decentralized trading
The Lazarus hackers are no strangers to major crypto thefts, but may have topped their previous personal best and set a new record with the $1.5 billion haul. The prior record, the 2022 theft from Ronin Bridge, was valued at a little less than half of this incident. The Bybit theft was enough to rattle ETH prices, sending the coin tumbling by about 4% in the wake of news of the attack.
Though Bybit continues to investigate the hack and has not yet named a specific breach method, the crypto theft has raised questions about the Safe smart wallet’s security. There is not yet a firm indication that a flaw in the decentralized custody protocol was involved, but Safe temporarily shut down some smart wallet functions out of apparent caution. Bybit has denied that its own computers were hacked, and CEO Ben Zhou has issued a statement indicating that the company believes the Safe wallet is definitely involved but does not know exactly what the nature of the breach is.
North Korea has several state-sponsored hacking teams, comprising a total of thousands of members, and crypto theft is one of their primary missions. A late 2024 report from Chainalysis tallied $1.34 billion in total stolen by them in 2024, across 47 known thefts attributed to them. That was their prior annual record, though they had crossed the $1 billion mark before in 2022 (driven primarily by the Ronin Bridge theft). If the $1.5 billion figure for the Bybit breach holds, that record will be shattered by the end of this year.
The Lazarus hackers have been particularly fond of targeting decentralized platforms and projects, which have struggled to find adequate security solutions to keep them out. However, the primary approach to date has been social engineering rather than hunting for vulnerabilities to exploit. The hackers have repeatedly scored by staging elaborate fake employment offers, including video interviews with insiders at DeFi platforms who were then somehow convinced to execute a malicious file or grant remote access in some way.
The group has found success with malware, however, as Jared Smith (Distinguished Engineer, R&D Strategy at SecurityScorecard) notes: “Recent research by SecurityScorecard’s STRIKE team revealed direct links between the Lazarus Group and cryptocurrency theft tactics. One key technique observed by the group includes deploying malware that scans for cryptocurrency wallets such as Exodus, Atomic, and MetaMask across Windows, macOS, and Linux, extracting private keys. Additionally, the group exploits vulnerabilities in wallet infrastructure and manipulates transaction processes to steal funds. This attack underscores the persistent threat posed by state-sponsored groups like Lazarus, which have the resources and expertise to conduct highly sophisticated attacks. To defend against such threats, organizations must understand the group’s associated indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). Additionally, implementing proactive security measures such as continuous monitoring, supply chain risk management, and incident response planning becomes crucial in enhancing an organization’s security posture to mitigate the risk of compromise.”