Hackers believed to be working for the North Korean regime have successfully cashed out at least $300 million (£232 million) of cryptocurrency from their record $1.5 billion crypto heist. The criminal group, known as the Lazarus Group, stole a large amount of digital tokens in an attack on cryptocurrency exchange ByBit two weeks ago.
Since then, tracking and stopping the hackers from successfully converting the cryptocurrency into usable cash has become a cat-and-mouse game. Experts say the notorious hacking team is working almost around the clock, likely funneling the funds into the regime's military development programs. Dr. Tom Robinson, co-founder of cryptocurrency investigation firm Elliptic, stated, "Every minute counts for hackers trying to obscure the flow of funds, and they are very sophisticated in what they do."
Dr. Robinson stated that among all actors involved in cryptocurrency-related crimes, North Korea is the most adept at laundering cryptocurrency. He said, "I estimate they have a whole room of people using automated tools and years of experience to do this. From their activity, we can also see that they only rest for a few hours each day, possibly working in shifts, to turn cryptocurrency into cash." Elliptic's analysis aligns with ByBit's claims that 20% of the funds have currently "disappeared," meaning they are almost impossible to recover.
The United States and its allies have accused North Korea of carrying out dozens of hacking attacks in recent years to fund the regime's military and nuclear development. On February 21, the criminals compromised a ByBit supplier and covertly altered the digital wallet address to which 401,000 units of the Ethereum cryptocurrency were sent. ByBit thought it was transferring the funds to its own digital wallet, but in reality it sent them all to the hackers.
ByBit's CEO, Ben Zhou, assured customers that their funds were not stolen. The company has since replenished the stolen tokens through investor loans, but, in Zhou's words, they are "waging war on the Lazarus Group." ByBit's "Lazarus Bounty Program" encourages members of the public to track the stolen funds and freeze them where possible. All cryptocurrency transactions are displayed on a public blockchain, so the movement of funds transferred by the Lazarus Group can be tracked.
If the hackers try to use mainstream cryptocurrency services to convert the tokens into regular currencies like US dollars, the funds can be frozen if the service believes the cryptocurrency is linked to crime. So far, 20 people have shared more than $4 million in rewards for successfully identifying $40 million of the stolen funds and alerting cryptocurrency companies to block the transfers. However, given North Korea's expertise in hacking and money laundering, experts are not optimistic about the chances of recovering the remaining funds.
Dr. Dorit Dor, of cybersecurity firm Check Point, stated, "North Korea is a very closed system and a closed economy, so they have created a successful hacking and money laundering industry, and they don't care about the negative impression of cybercrime." Another problem is that not all cryptocurrency companies are equally willing to help. ByBit and other companies have accused the cryptocurrency exchange eXch of failing to stop the criminals from cashing out funds. Over $90 million has been successfully transferred through that exchange.
But eXch's mysterious owner, Johann Roberts, disputed this via email. He admitted that his company did not initially block the funds because it had a long-standing dispute with ByBit, and he said his team was unsure whether the tokens definitely came from a hack. He said he is now cooperating, but he believes that mainstream companies which identify their cryptocurrency customers are giving up the private and anonymous advantages of cryptocurrency.
North Korea has never admitted to being associated with the Lazarus Group but is considered the only country in the world that uses its hacking power for economic gain. Previously, the Lazarus Group targeted banks, but in the past five years, they have specifically targeted cryptocurrency companies. The industry has weaker protections and fewer mechanisms to stop them from laundering money. Recent hacking attacks linked to North Korea include: the $41 million hack of UpBit in 2019; the theft of $275 million in cryptocurrency from the exchange KuCoin (most of the funds have been recovered); the 2022 Ronin Bridge attack, in which hackers stole $600 million worth of cryptocurrency; and the 2023 attack on Atomic Wallet, in which approximately $100 million in cryptocurrency was stolen.
In 2020, the United States added North Koreans suspected of involvement in the Lazarus Group to its list of "cyber's most wanted." But unless these individuals leave their country, the chances of them being arrested are extremely slim.