Lazarus Group, a North Korean state-sponsored hacking collective, has successfully laundered at least $300 million from their record-breaking $1.46 billion crypto heist, investigators say. The breach, which targeted the ByBit exchange, is one of the largest cryptocurrency thefts in history. Security experts warn the stolen funds are now nearly impossible to recover.
On February 21, hackers infiltrated one of ByBit’s suppliers and covertly modified a digital wallet address. The exchange, unaware of the breach, transferred 401,000 Ethereum coins—worth approximately $1.5 billion—to an address controlled by Lazarus instead of its own secure wallet. The theft triggered an urgent race by ByBit and blockchain investigators to track and block the stolen funds.
Dr. Tom Robinson, co-founder of the blockchain analysis firm Elliptic, described the laundering operation as highly sophisticated. “Every minute matters for the hackers who are trying to confuse the money trail,” Robinson said. He noted that Lazarus Group likely operates in shifts, using automated tools to rapidly convert the stolen assets.
According to Elliptic’s analysis, about 20% of the stolen funds—roughly $300 million—has already “gone dark,” meaning it is untraceable and unlikely to be recovered. The U.S. and its allies have repeatedly accused North Korea of financing its nuclear and military programs through cybercrime, and experts believe this latest heist is part of that broader strategy.
A Global Hunt for Stolen Funds
ByBit CEO Ben Zhou has assured customers that their assets remain secure, as the exchange replenished stolen funds through investor loans. However, Zhou has vowed to take the fight to the hackers, launching what he calls a “war on Lazarus.”
As part of its effort to reclaim stolen assets, ByBit has introduced the Lazarus Bounty program, which offers rewards for identifying and blocking suspicious transactions. So far, 20 individuals have received more than $4 million in payouts for helping freeze $40 million of the stolen crypto. The program encourages public participation, leveraging blockchain’s transparency to track illicit funds.
Despite these efforts, experts remain skeptical about the recovery of the remaining assets. North Korean hackers have mastered the art of laundering digital assets through decentralized exchanges and cross-chain bridges, making detection and seizure nearly impossible.
One significant hurdle in recovering the stolen funds has been inconsistent cooperation among cryptocurrency exchanges. ByBit has accused eXch, a rival exchange, of facilitating the laundering process, claiming that over $90 million of the stolen assets were funneled through its platform.
eXch’s owner, Johann Roberts, initially denied the allegations, stating that his company lacked clarity on whether the funds were connected to the heist. He later acknowledged cooperation with law enforcement but argued that strict identity verification requirements contradict cryptocurrency’s foundational principle of privacy.
North Korea’s Growing Cybercrime Network
Lazarus Group has evolved into one of the most formidable cybercriminal organizations in the world, shifting its focus from traditional banking fraud to targeting cryptocurrency platforms. The lack of industry-wide security protocols has made digital asset exchanges particularly vulnerable. North Korean hackers have been linked to major attacks, including a $308 million hack of a Japan-based cryptocurrency platform and more than $1.34 billion stolen from various crypto exchanges in 2024. Investigators have observed a growing use of AI tools to enhance phishing and social engineering attacks. There has also been an increase in heists exceeding $100 million, with North Korea accounting for 35% of all cryptocurrency funds stolen worldwide in 2024.
Authorities have identified Park Jin Hyok as one of the hackers associated with the Lazarus Group. Park has been linked to previous major cyberattacks, including past breaches of financial institutions and cryptocurrency exchanges. Despite being on the U.S. Cyber Most Wanted list, the chances of his arrest remain slim as he continues to operate within North Korea’s tightly controlled cyber operations.
Dr. Dorit Dor, an executive at cybersecurity firm Check Point, emphasized North Korea’s unique approach.
“North Korea is a very closed system and closed economy, so they created a successful industry for hacking and laundering. They don’t care about the negative impression of cybercrime.”
Meanwhile, global authorities are grappling with how to combat cybercriminal organizations that operate beyond traditional jurisdictional reach. The challenge remains: tracking stolen crypto before it disappears into the digital abyss.