Hackers from the infamous Lazarus Group are working nonstop to launder stolen funds from the massive ByBit cyberattack.
North Korea-Linked Hackers Launder Millions
Cybercriminals connected to North Korea have already converted at least $300 million from their recent $1.5 billion crypto heist. The attack, which happened two weeks ago, saw the Lazarus Group drain digital tokens from ByBit, a major crypto exchange.
Since the theft, investigators have been racing to track and freeze the stolen money before the hackers can convert it into usable cash. Experts say these criminals work around the clock, possibly funding North Korea’s military programs.
“Every second counts for these hackers. They are experts at covering their tracks,” said Dr. Tom Robinson, co-founder of crypto investigation firm Elliptic.
Robinson noted that North Korea has mastered cryptocurrency laundering. “I suspect they have a whole team using advanced software and years of experience. Their activity suggests they work in shifts, stopping only for brief breaks to avoid detection.”
Analysis from Elliptic supports ByBit’s findings. About 20% of the stolen funds have already disappeared, making them nearly impossible to recover.
How ByBit Responded to the Cyberattack
The U.S. and its allies have long accused North Korea of funding its nuclear and military programs through cyberattacks.
On February 21, hackers exploited a vulnerability in a ByBit supplier. They secretly changed the digital wallet address for 401,000 Ethereum tokens. ByBit believed it was transferring funds to its own account, but the money went straight to the hackers.
ByBit CEO Ben Zhou assured customers their funds were secure. To recover losses, the company secured emergency loans and launched a counterattack against the Lazarus Group.
ByBit also introduced the Lazarus Bounty Program. This program offers rewards to anyone who helps track and freeze stolen funds. Since all cryptocurrency transactions are recorded on the blockchain, investigators can follow the hackers’ movements. If the criminals try to convert stolen crypto into traditional currencies, exchanges can freeze their assets.
So far, 20 people have received over $4 million in rewards for identifying $40 million in stolen funds. However, experts doubt the rest of the money will be recovered due to North Korea’s sophisticated laundering techniques.
“North Korea’s isolation allows it to develop a massive cybercrime network. They don’t care about international reputation,” said Dr. Dorit Dor of cybersecurity firm Check Point.
The Battle Against Crypto Laundering
Not all crypto exchanges are actively blocking the criminals.
ByBit and other exchanges have accused eXch, a crypto trading platform, of allowing hackers to cash out. Over $90 million in stolen funds have passed through eXch.
Johann Roberts, eXch’s owner, denies wrongdoing. He admits the platform initially failed to freeze the stolen funds, citing a long-standing dispute with ByBit. However, he insists the exchange is now cooperating with investigators. Roberts also argues that tracking users goes against the core principle of cryptocurrency—privacy.
North Korea has never admitted to running the Lazarus Group. However, experts believe it is the only country that consistently uses cybercrime to raise funds. While the group once targeted banks, it now focuses on crypto exchanges, which often have weaker security and fewer anti-money laundering measures.
North Korea’s Crypto Heists Over the Years
Lazarus Group has been linked to several major crypto thefts:
- 2019: UpBit hack – $41 million stolen
- 2020: KuCoin hack – $275 million stolen (most recovered)
- 2022: Ronin Bridge attack – $600 million stolen
- 2023: Atomic Wallet breach – $100 million stolen
In 2020, the U.S. placed suspected Lazarus Group members on its Cyber Most Wanted list. However, as long as they remain in North Korea, arrests seem unlikely.
The ongoing ByBit investigation highlights the growing challenge of stopping cybercriminals who operate with state backing. Until tougher regulations and enforcement are in place, North Korea’s hackers will likely continue to exploit cryptocurrency for financial gain.
For more updates on this story, visit New York Mirror.