North Korean hackers cash out hundreds of millions from $1.5bn ByBit hack

2025-03-10 06:58:00

Abstract: N. Korean Lazarus Group hackers cashed out $300M of $1.5B crypto heists, funding military projects. ByBit hit, battling to recover funds.

Hackers believed to be working for the North Korean regime have successfully cashed out at least $300 million (£232 million) of cryptocurrency stolen in heists totaling a record $1.5 billion. This criminal group, known as the "Lazarus Group," stole a large amount of digital tokens two weeks ago by attacking the cryptocurrency exchange ByBit. Since then, tracking and preventing the hackers from successfully converting the cryptocurrency into usable cash has become a cat-and-mouse game.

Experts say this notorious hacking team works almost around the clock, potentially funneling the funds into the North Korean regime's military development projects. Dr. Tom Robinson, co-founder of cryptocurrency investigation firm Elliptic, stated, "Every minute is crucial for hackers trying to obfuscate the flow of funds, and they are extremely sophisticated in what they do." Among all actors involved in cryptocurrency crime, North Korea is the most adept at money laundering.

Dr. Robinson added, "I suspect they have a dedicated team that uses automated tools and years of experience to get the job done. From their activity, we can also see that they only rest for a few hours each day, possibly working in shifts, to turn cryptocurrency into cash." Elliptic's analysis aligns with ByBit's claim that 20% of the funds have already "disappeared," meaning they are almost impossible to recover.

The United States and its allies have accused North Korea of carrying out dozens of hacking attacks in recent years to fund the regime's military and nuclear development. On February 21, criminals hacked into a ByBit supplier and covertly changed the address to which 401,000 ether (ETH) was sent. ByBit believed it was transferring the funds to its own digital wallet, but in reality it sent them all to the hackers. ByBit's CEO, Ben Zhou, assured customers that their funds had not been stolen.

The company has since replenished the stolen tokens through investor loans, but as Zhou stated, they are "declaring war on Lazarus." ByBit's "Lazarus Bounty Program" encourages the public to track the stolen funds and freeze them where possible. All cryptocurrency transactions are recorded on a public blockchain, so the Lazarus Group's movement of the funds can be tracked. If the hackers try to use mainstream cryptocurrency services to convert the tokens into ordinary currencies like US dollars, that service can freeze the tokens if it believes they are linked to crime.

So far, more than $4 million in rewards have been shared among 20 people for successfully identifying $40 million worth of stolen funds and alerting cryptocurrency companies to block the transfers. However, given North Korea's expertise in hacking and money laundering, experts are pessimistic about the possibility of recovering the remaining funds. Dr. Dorit Dor, a cybersecurity expert at Check Point, stated, "North Korea is a very closed system and a closed economy, so they have created a successful hacking and money laundering industry, and they don't care about the negative image that cybercrime brings."

Another problem is that not all cryptocurrency companies are equally willing to help. ByBit and other companies have accused the cryptocurrency exchange eXch of failing to prevent the criminals from cashing out; more than $90 million has been successfully transferred through the exchange. However, Johann Roberts, the mysterious owner of eXch, disputed this via email. He admitted that they initially did not block the funds because his company had a long-standing dispute with ByBit, and he said his team was unsure whether the tokens actually came from a hacking attack. He says he is now cooperating but believes that mainstream companies that identify their cryptocurrency customers have betrayed the privacy and anonymity interests of cryptocurrency.

North Korea has never admitted to involvement in the Lazarus Group but is considered the only country in the world that uses its hacking power for economic gain. Previously, the Lazarus Group targeted banks, but in the past five years, they have specifically targeted cryptocurrency companies. The industry has weaker protections and fewer mechanisms to prevent them from laundering money. Recent hacking attacks linked to North Korea include: the $41 million hack of UpBit in 2019, the theft of $275 million in cryptocurrency from the exchange KuCoin (most of which has been recovered), the Ronin Bridge attack in 2022, in which hackers stole $600 million worth of cryptocurrency, and the attack on Atomic Wallet in 2023, in which approximately $100 million in cryptocurrency was stolen.

In 2020, the United States added suspected North Koreans involved in the Lazarus Group to its list of "cyber's most wanted." However, unless these individuals leave their country, the chances of them being arrested are extremely slim.