
ByBit Hack – Lazarus Group Converts $300M in Crypto Heist


North Korean hackers, believed to be working under the regime’s orders, have successfully converted at least $300 million of stolen cryptocurrency into unrecoverable funds. This amount is part of a record-breaking $1.5 billion crypto heist linked to the Lazarus Group, a cybercrime syndicate infamous for targeting financial institutions and crypto platforms.

The massive hack took place two weeks ago, when the hackers diverted digital tokens from the ByBit crypto exchange. Since then, security experts have been locked in a cat-and-mouse chase, attempting to block the hackers’ efforts to cash out the stolen crypto.

North Korea’s Advanced Crypto Laundering Network

Cybersecurity experts believe Lazarus Group operates a highly sophisticated, nearly 24-hour operation to obscure the stolen funds’ origins. Some analysts speculate that the stolen assets could be funneled into North Korea’s military and nuclear programs.

“Every minute counts for the hackers, who are using advanced tactics to obscure the money trail,” explains Dr. Tom Robinson, co-founder of crypto forensics firm Elliptic.

According to Robinson, North Korea is the most skilled cyber actor in laundering stolen crypto.

“I imagine they have an entire team dedicated to this, leveraging automated tools and years of experience,” he adds. “Their operations suggest they only take short breaks each day, likely working in shifts to move and convert the stolen crypto into fiat currency.”

Elliptic’s analysis aligns with ByBit’s own findings. The exchange has confirmed that 20% of the stolen funds have ‘gone dark’, meaning they have likely been laundered and are now beyond recovery.

How Lazarus Group Pulled Off the $1.5 Billion Crypto Heist

The attack on ByBit occurred on February 21, when the hackers compromised one of the exchange’s suppliers. They secretly modified the digital wallet address where 401,000 Ethereum tokens were being sent.

ByBit unknowingly transferred the assets directly to the hackers, believing the funds were moving into its own secure wallet.

ByBit’s Response: A War Against Lazarus Group

ByBit CEO Ben Zhou has assured customers that their personal funds remain safe. The exchange replenished the stolen assets using investor-backed loans and has since launched a bounty program to track and freeze the stolen crypto.

ByBit’s Lazarus Bounty Program encourages the crypto community to help trace and freeze stolen funds. Since all crypto transactions are publicly recorded on the blockchain, the stolen assets remain visible as they are moved between wallets.

If the hackers attempt to convert the stolen tokens into fiat currency through mainstream exchanges, those platforms can freeze the assets upon detecting illicit activity.

So far, more than 20 individuals have participated in the bounty program, successfully identifying $40 million in stolen assets. These efforts have resulted in over $4 million in rewards being paid out.

Despite these efforts, experts remain skeptical about recovering the majority of the funds, given North Korea’s expertise in cybercrime and crypto laundering.

Why North Korea Has Become the World’s Leading Crypto Hacker

Cybersecurity analysts believe North Korea has built a highly organized system for hacking and laundering digital assets.

“North Korea operates a closed economy, so it has developed an industry dedicated to cyber theft and money laundering,” says Dr. Dorit Dor, an expert at cybersecurity firm Check Point.

Adding to the challenge, not all crypto exchanges are willing to cooperate in freezing illicit funds.

One exchange, eXch, has come under scrutiny for allegedly allowing over $90 million of the stolen ByBit funds to be cashed out.

ByBit and other firms have accused eXch’s owner, Johann Roberts, of failing to act when initially alerted about the stolen funds.

Roberts, however, denies these claims, stating that his firm was in a long-standing dispute with ByBit and initially had doubts about the legitimacy of the flagged transactions.

While North Korea has never officially acknowledged its involvement in Lazarus Group, evidence strongly suggests that it is the only nation-state actively using cybercrime to fund its government.

Previously, the group focused on hacking banks but has shifted to targeting cryptocurrency firms over the past five years. The crypto industry is less regulated and lacks the strict security measures found in traditional finance.

Major Hacks Linked to Lazarus Group:

  • 2019: $41 million stolen from UpBit
  • 2020: The FBI adds Lazarus Group members to its Cyber Most Wanted list
  • 2020: $275 million stolen from KuCoin, though most of the funds were later recovered
  • 2022: Ronin Bridge Attack, with $600 million stolen—one of the largest crypto heists in history
  • 2023: Atomic Wallet hack, with $100 million stolen

Despite international sanctions and cybercrime investigations, Lazarus Group continues to evolve its tactics, making recovery efforts increasingly difficult.

Global Efforts to Stop Crypto Laundering

Governments and cybersecurity experts worldwide are working to tighten regulations and improve tracking methods to prevent similar large-scale thefts.

The U.S. Treasury, FBI, and international enforcement agencies continue to monitor and sanction North Korean cyber operations, but stopping these crimes remains a challenge.

The decentralized nature of cryptocurrency allows hackers to leverage anonymous transactions and exploit weaker exchanges to cash out stolen funds.

Despite the group’s expertise, converting stolen assets into usable funds is becoming more difficult for Lazarus Group.

As mainstream crypto firms tighten security, hackers may need to rely on smaller, unregulated exchanges to launder funds. This makes them more traceable, providing opportunities for authorities to intercept future transactions.

ByBit’s ongoing bounty program and the collaborative efforts of crypto investigators could further disrupt Lazarus Group’s operations and strengthen asset recovery efforts.

The Lazarus Group’s $1.5 billion crypto heist has sent shockwaves through the digital finance industry. With $300 million already lost, the remaining funds are still in play.

While ByBit, law enforcement, and crypto experts work to block laundering efforts, the battle against state-backed cybercrime continues.
