North Korean hackers launder $300m from historic $1.5b ByBit crypto heist
The Lazarus Group, a North Korean hacker collective, has successfully laundered at least $300 million from its record-breaking $1.5 billion cryptocurrency heist against the ByBit exchange. The cyberattack, executed two weeks ago, is one of the largest crypto thefts in history.

Investigators revealed that the hackers breached a ByBit supplier on February 21, secretly modifying a digital wallet address to divert 401,000 Ethereum coins. Unaware of the breach, ByBit transferred the funds to the attackers instead of its own wallet.
Since then, cybersecurity firms and law enforcement agencies have been racing to trace and recover the stolen assets.
Dr. Tom Robinson, co-founder of crypto analytics firm Elliptic, highlighted the complexity of the laundering process. “Every minute matters for the hackers who are trying to confuse the money trail,” he said. “They are extremely sophisticated in what they’re doing.” Robinson noted that Lazarus Group likely operates in shifts, using automated tools to quickly convert the stolen crypto into cash.
Elliptic’s analysis aligns with ByBit’s findings, which indicate that 20% of the stolen funds—approximately $300 million—have already “gone dark,” making recovery unlikely.
The U.S. and its allies have long accused North Korea of using cybercrime to fund its military and nuclear programs. Dr. Dorit Dor of cybersecurity firm Check Point emphasized the regime’s approach to cyberattacks: “North Korea is a very closed system and closed economy, so they created a successful industry for hacking and laundering. They don’t care about the negative impression of cybercrime.”
ByBit CEO Ben Zhou has assured customers that their funds remain secure, with the company replenishing the stolen assets through loans from investors. However, he has vowed to fight back against Lazarus Group, launching a bounty program to track and freeze the stolen funds.
The Lazarus Bounty initiative encourages public participation in identifying suspicious transactions. So far, 20 individuals have earned over $4 million in rewards for helping freeze $40 million of the stolen assets.
Despite these efforts, cybersecurity experts remain skeptical about recovering the remaining funds due to Lazarus Group’s advanced laundering techniques. A major obstacle is inconsistent cooperation among cryptocurrency exchanges. ByBit has accused the exchange eXch of enabling cash-outs totaling more than $90 million.
eXch’s owner, Johann Roberts, initially denied involvement, arguing there was no clear evidence linking the funds to the hack. He now claims his company is cooperating but insists that strict identity verification policies undermine the core principle of cryptocurrency privacy.
A Growing Cybercrime Empire
Lazarus Group, which previously targeted traditional financial institutions, has shifted its focus to cryptocurrency platforms, exploiting their often weaker security measures. The group’s recent exploits highlight North Korea’s expanding cyber capabilities:
$1.5 billion stolen in the ByBit heist—the largest crypto theft to date.
$308 million stolen from a Japanese crypto platform.
$1.34 billion stolen across multiple crypto attacks in 2024 alone.
Increased use of AI-driven phishing and social engineering tactics.
Advanced laundering methods using decentralized exchanges and cross-chain bridges.
Overseas IT operatives assisting cybercrime operations.
Reuse of wallets from past attacks, confirming ongoing activities.
Stolen funds reportedly funneled into North Korea’s missile and nuclear programs.
A trend toward larger heists exceeding $100 million.
North Korea accounting for 35% of all stolen cryptocurrency funds globally in 2024.
As investigators work to track and freeze the stolen assets, this heist serves as yet another stark reminder of North Korea’s growing dominance in cybercrime and cryptocurrency laundering.