Hackers linked to the North Korean regime have successfully laundered at least $300 million of the staggering $1.5 billion they stole in a massive cyberattack on crypto exchange ByBit. The notorious Lazarus Group, known for its cybercrime expertise, managed to obscure the stolen digital assets, making them virtually impossible to recover.
The heist, which took place two weeks ago, has triggered an intense effort to track and block the stolen funds before they are converted into usable cash. However, experts believe the hackers are working around the clock, potentially funneling the money into North Korea’s military and nuclear programs.
“Every minute matters for the hackers who are trying to confuse the money trail, and they are extremely sophisticated in what they’re doing,” said Dr. Tom Robinson, co-founder of crypto investigation firm Elliptic.
North Korea’s Crypto Laundering Expertise
According to Dr. Robinson, North Korean cybercriminals have perfected the art of laundering stolen cryptocurrency.
“I imagine they have an entire room of people doing this using automated tools and years of experience. We can also see from their activity that they only take a few hours break each day, possibly working in shifts to get the crypto turned into cash.”
Elliptic’s findings align with ByBit’s own assessment, which confirms that 20% of the stolen funds have “gone dark”, meaning they are unlikely to ever be retrieved.
The U.S. and its allies have long accused North Korea of orchestrating a series of cyber heists to fund its weapons programs. This latest attack involved hacking one of ByBit’s suppliers on February 21, allowing the criminals to secretly reroute 401,000 Ethereum coins into their own wallets instead of ByBit’s.
Also Read: Ceasefire Push: Is Ukraine Yielding Under U.S. Pressure?
ByBit’s Fight Against Lazarus
ByBit CEO Ben Zhou has reassured customers that their funds remain safe, as the company has replenished the stolen assets through investor loans. However, ByBit is taking an aggressive stance against the hackers, launching a “Lazarus Bounty” program that incentivizes individuals to track and freeze the stolen crypto.
Since all cryptocurrency transactions are recorded on public blockchains, it is possible to monitor how the Lazarus Group moves the stolen funds. If the hackers attempt to cash out through mainstream crypto platforms, those exchanges can freeze the assets upon identifying them as proceeds of cybercrime.
So far, 20 people have earned over $4 million in rewards for successfully identifying $40 million of the stolen funds, leading to blocked transfers.
Crypto Firms Divided on Blocking Stolen Funds
Despite efforts to stop the laundering, not all crypto exchanges have cooperated. ByBit has accused rival platform eXch of enabling the hackers, allowing them to cash out over $90 million.
Johann Roberts, the elusive owner of eXch, denied the allegations, arguing that his company initially did not intervene due to an ongoing dispute with ByBit and uncertainty over the funds’ origins.
“He says he is now co-operating, but argues that mainstream companies that identify crypto customers are betraying the private and anonymous benefits of cryptocurrency.”
North Korea’s Growing Cybercrime Industry
North Korea has never acknowledged its involvement in the Lazarus Group, but it remains the only nation known to use cybercrime as a major financial strategy. While the group previously targeted banks, its focus has shifted to cryptocurrency, which lacks strict security measures and enforcement mechanisms.
Some of the most significant crypto heists linked to North Korea include:
- 2019 UpBit hack – $41 million stolen
- 2020 KuCoin attack – $275 million stolen (most funds later recovered)
- 2022 Ronin Bridge hack – $600 million stolen
- 2023 Atomic Wallet breach – $100 million stolen
In 2020, the U.S. added Lazarus Group members to its Cyber Most Wanted list, but experts say the likelihood of arrests remains slim unless the hackers leave North Korea.