Hackers linked to the North Korean dictatorship pulled off the biggest heist in history last week, looting an estimated $1.5 billion in cryptocurrency from Bybit, an exchange based in Dubai.
If estimates of the stolen crypto’s value hold up, the Bybit data breach will go down as the biggest bank robbery in history, eclipsing the $1.3 billion crypto heist perpetrated by North Korean hackers in 2024 and dictator Saddam Hussein’s theft of over $1 billion from the central bank of Iraq in 2003.
Cybersecurity firm Chainalysis described the record heist as a “stark reminder” of the danger posed by North Korean hackers, who are skilled not only at writing malicious code, but also at “social engineering” – in essence, the art of tricking victims into giving up vital security information or installing malware on their computer using fake websites, scam emails, and chat room encounters.
Bybit issued a formal statement about the theft on February 21, after the company’s security team detected “unauthorized activity within one of our Ethereum (ETH) Cold Wallets during a routine transfer process.”
“Unfortunately, the transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet,” the statement said.
“Cold wallets” are cryptocurrency storage systems that are not connected to the Internet in any way. This keeps the cold storage system out of reach of online attackers, but of course it also makes the cryptocurrency unusable until it has been “thawed out” by moving it to a “hot wallet” that has online access, much like taking meat out of a freezer and defrosting it for a meal. The private keys required to access a cold wallet can be stored on a simple USB dongle or thumb drive.
When Bybit moved its Ethereum virtual currency from cold storage to a hot wallet on February 21, hackers were able to steal about 400,000 of the digital coins, valued at over $1.5 billion at the time of the theft.
Bybit assured its customers that their investments remained “fully secured,” the massive theft was an “isolated incident,” and the company would work with “leading blockchain forensic experts to trace the stolen funds and resolve the situation.”
A blockchain analysis firm called Elliptic was able to trace the stolen cryptocurrency, and determined that techniques employed to launder the money were characteristic of North Korean state-sponsored hackers, who are the most active crypto thieves in the world.
[Photo caption] Ben Zhou, chief executive officer of Bybit, during the Token2049 conference in Singapore, on Thursday, Sept. 14, 2023. (Photographer: Joseph Nair/Bloomberg via Getty Images)
Deeper dives into how the theft was executed strongly suggested that the North Korean thieves were able to obtain legitimate security credentials and masquerade as Bybit employees, executing malicious transactions with valid electronic signatures. This apparently involved both “social engineering” and some extremely sophisticated electronic warfare.
To summarize a complex operation as succinctly as possible, the North Koreans were apparently able to sabotage the user interface (UI) of the third-party company that processed the movement of cryptocurrency from Bybit’s cold to hot wallets. The people approving this transaction believed they were authorizing legitimate transfers with their valid credentials and signing keys, but the hijacked user interface showed them one transaction while the one they actually signed sent the money to accounts controlled by the hackers.
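The defensive lesson of a hijacked signing interface is that a signer should never trust what the screen says about a transaction; the recipient and amount must be recovered from the raw bytes that are actually going to be signed and compared against what was displayed. The following Python example is added here for illustration and is not code from Bybit, its wallet provider, or the original article. It assumes a hypothetical approval flow in which the signer receives both the UI's summary and the raw transaction, and uses the standard ERC-20 transfer(address,uint256) calldata layout (4-byte selector, 32-byte padded address, 32-byte amount) as a stand-in for whatever call the signer is asked to approve; all addresses and amounts are constructed sample values.

```python
# Added example: independent "what you see is what you sign" check.
# Decodes the raw calldata of a transfer-style call and compares the
# decoded destination and amount against the values the UI displayed.
# Layout assumed: 4-byte selector || 32-byte left-padded address || 32-byte uint256.

TRANSFER_SELECTOR = "a9059cbb"  # keccak256("transfer(address,uint256)")[:4], the standard ERC-20 selector


def decode_transfer(calldata_hex: str) -> dict:
    """Parse transfer(address,uint256) calldata into its fields, or raise on malformed input."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        raise ValueError(f"unexpected calldata length {len(data)} hex chars")
    selector, addr_word, amount_word = data[:8], data[8:72], data[72:136]
    if selector != TRANSFER_SELECTOR:
        raise ValueError(f"not a transfer call: selector {selector}")
    # A valid address word has 12 zero bytes of padding before the 20-byte address.
    if addr_word[:24] != "0" * 24:
        raise ValueError("address word has non-zero padding")
    return {
        "to": "0x" + addr_word[24:],
        "amount": int(amount_word, 16),
    }


def verify_against_display(raw_tx: dict, displayed: dict) -> list:
    """Return a list of mismatches between decoded raw bytes and the UI summary.

    An empty list means the UI faithfully described the transaction.
    raw_tx: {"to": contract address, "data": calldata hex}  (what will be signed)
    displayed: {"contract": ..., "recipient": ..., "amount": ...} (what the UI showed)
    """
    decoded = decode_transfer(raw_tx["data"])
    mismatches = []
    if raw_tx["to"].lower() != displayed["contract"].lower():
        mismatches.append(f"contract: signed {raw_tx['to']} but UI showed {displayed['contract']}")
    if decoded["to"].lower() != displayed["recipient"].lower():
        mismatches.append(f"recipient: signed {decoded['to']} but UI showed {displayed['recipient']}")
    if decoded["amount"] != displayed["amount"]:
        mismatches.append(f"amount: signed {decoded['amount']} but UI showed {displayed['amount']}")
    return mismatches


def build_transfer_calldata(recipient: str, amount: int) -> str:
    """Helper to construct sample calldata for the demonstration below (constructed data)."""
    addr = recipient.lower().removeprefix("0x")
    return "0x" + TRANSFER_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")


# Constructed sample values: a token contract, the intended hot-wallet recipient,
# and an attacker-controlled recipient substituted into the bytes actually signed.
TOKEN_CONTRACT = "0x" + "11" * 20
HOT_WALLET = "0x" + "aa" * 20
ATTACKER = "0x" + "bb" * 20
AMOUNT = 400_000 * 10**18

HONEST_RAW = {"to": TOKEN_CONTRACT, "data": build_transfer_calldata(HOT_WALLET, AMOUNT)}
HIJACKED_RAW = {"to": TOKEN_CONTRACT, "data": build_transfer_calldata(ATTACKER, AMOUNT)}
UI_SUMMARY = {"contract": TOKEN_CONTRACT, "recipient": HOT_WALLET, "amount": AMOUNT}


def approve_if_consistent(raw_tx: dict, displayed: dict) -> bool:
    """Gate the signing step on the independent check; True means safe to sign."""
    problems = verify_against_display(raw_tx, displayed)
    for p in problems:
        print("REFUSING TO SIGN:", p)
    return not problems


if __name__ == "__main__":
    print("honest transaction approved:", approve_if_consistent(HONEST_RAW, UI_SUMMARY))
    print("hijacked transaction approved:", approve_if_consistent(HIJACKED_RAW, UI_SUMMARY))
```

The point of the design is that the comparison runs on a device or code path the compromised web UI cannot influence (for instance, the hardware signer's own display or an out-of-band verifier), so the UI can lie about the recipient but cannot make the raw bytes agree with the lie.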
The Bybit theft has rocked the cryptocurrency world, because until now, few security analysts thought such a hijacking of end-user software was possible. The hack was akin to clever thieves driving a fake armored car up to a bank and tricking bank employees into tossing them bags full of money.
“This attack proves that UI manipulation and social engineering can bypass even the most secure wallets,” cybersecurity firm Check Point warned on Sunday.
As of Tuesday, the security world was convinced the perpetrator of the Bybit heist was an infamous North Korean cybercrime outfit called the Lazarus Group, which steals money from exchanges around the world to finance dictator Kim Jong-un’s nuclear weapons program. Elliptic called them “the most sophisticated and well-resourced launderer of cryptoassets in existence.”
The Lazarus Group is believed to be a division of the Reconnaissance General Bureau, North Korea’s spy agency. Among its most notorious previous exploits was the 2014 hack of Sony, an effort to embarrass and intimidate the studio out of releasing a movie called The Interview that mocked Kim Jong-un and concluded with his fictionalized death after a string of comedic mishaps.
The Lazarus Group is also believed to have stolen almost a billion dollars from a bank in Bangladesh in 2016, and orchestrated the massive WannaCry ransomware attack in 2017, a global campaign that corrupted data in hundreds of thousands of computers around the world but evidently brought in very little money for the hackers.
Cybersecurity experts generally praised Bybit for responding to the North Korean attack as quickly and effectively as possible.
“Incredible response and leadership over the last couple of days – truly a masterclass in crisis management, communication, and transparency,” applauded Anchorage Digital co-founder Nathan McCauley.
On Tuesday, Bybit co-founder and CEO Ben Zhou declared “war” on the Lazarus Group, inviting security firms, analysts, and white-hat hackers around the world to enlist as “bounty hunters” to bring the North Koreans down.
Zhou created a website called lazarusbounty.com that would provide “full transparency on the sanctioned Lazarus money laundering activities.” The idea is for “bounty hunters” to link their crypto wallets to the website and then report every attempt the Lazarus Group makes to launder its $1.5 billion in stolen cryptocurrency.
“We will not stop until Lazarus or bad actors in the industry is eliminated. In the future we will open it up to other victims of Lazarus as well,” Zhou said. “LET THE HUNTING SEASON BEGIN!”
Elliptic was quick to join the campaign, furnishing the addresses of over 11,000 crypto wallets that might be linked to the Bybit heist. Zhou thanked Elliptic for its contributions on Tuesday, saying his company’s security team and clients “really appreciate the effort and work put into helping us.”