Hackers believed to be working for North Korea’s regime have successfully laundered at least $300 million of the $1.5 billion stolen in a record-breaking cryptocurrency heist targeting ByBit, a Dubai-based exchange. The Lazarus Group, a notorious state-sponsored hacking team, executed the attack on February 21, 2025, using sophisticated techniques to reroute 401,000 Ethereum coins intended for ByBit’s wallets.

The Heist and Its Aftermath
The attack began with a supply chain breach at Safe{Wallet}, a multisignature wallet provider used by ByBit. Hackers compromised a developer’s machine at Safe{Wallet}, injecting malicious JavaScript that altered wallet addresses during routine transfers. This allowed Lazarus to intercept and redirect the funds to their own wallets without detection. Within hours, the stolen assets were dispersed through thousands of blockchain addresses and converted into Ethereum via decentralized exchanges.
ByBit CEO Ben Zhou assured customers that their funds remained secure, as the company replenished the stolen amount through investor loans. However, Zhou declared “war on Lazarus,” launching an aggressive bounty program to trace and freeze the stolen funds.

A Cat-and-Mouse Game
Tracking the stolen funds has proven challenging. Blockchain investigators like Elliptic and ZachXBT have identified laundering patterns involving decentralized exchanges, cross-chain bridges, and mixers. Despite these efforts, around 20% of the funds—approximately $300 million—have “gone dark,” making recovery unlikely.
Dr. Tom Robinson of Elliptic noted that North Korea has developed unparalleled expertise in laundering cryptocurrency, likely employing teams working in shifts around the clock. Their methods include converting secondary tokens into native ones like Ethereum and obfuscating transactions across multiple blockchains.

The Role of Crypto Exchanges
While many exchanges have cooperated with ByBit to freeze suspicious transactions, others have faced criticism. The crypto platform eXch reportedly allowed over $90 million of stolen funds to be laundered before cooperating with investigators. eXch’s owner, Johann Roberts, initially cited uncertainty about the origin of the funds due to an ongoing dispute with ByBit but later pledged cooperation.

North Korea’s Cybercrime Strategy
The Lazarus Group has become infamous for targeting financial institutions and cryptocurrency platforms to fund North Korea’s military and nuclear programs. Since 2017, they have reportedly stolen over $6 billion in crypto assets. Notable attacks attributed to Lazarus include:
- The 2019 UpBit hack ($41 million)
- The 2020 KuCoin breach ($275 million)
- The 2022 Ronin Bridge attack ($600 million)
- The 2023 Atomic Wallet exploit ($100 million)

Experts attribute Lazarus’ success to cryptocurrency’s relative lack of regulation compared to traditional financial systems. While multi-signature wallets and public blockchains offer some security, they remain vulnerable to highly coordinated attacks.

Limited Recovery Prospects
Despite ByBit’s bounty program—which has rewarded participants with over $4 million for identifying $40 million in stolen funds—experts remain pessimistic about recovering the majority of the assets. Dr. Dorit Dor from Check Point emphasized North Korea’s closed economy and disregard for international norms as key factors enabling their cybercrime operations.
The FBI has confirmed Lazarus’ involvement in this heist and continues to monitor their activities. However, apprehending group members remains unlikely unless they leave North Korea.
This heist underscores the vulnerabilities in cryptocurrency infrastructure and highlights the need for stronger safeguards against increasingly sophisticated cybercriminals.