North Korean Hackers Launder $300M from ByBit Heist

Authored by Tom K.

North Korean Hackers Launder $300 Million from ByBit Crypto Heist—The Largest to Date

In what is being described as the largest cryptocurrency heist ever, the North Korean hacker group Lazarus has successfully laundered at least $300 million out of a record-breaking $1.5 billion stolen in an attack on the ByBit crypto platform just two weeks ago.

How the Heist Was Carried Out

The attack was executed through a wallet address manipulation scheme—hackers intercepted and altered the destination of cryptocurrency transfers. Instead of funds reaching ByBit’s platform, approximately 401,000 Ethereum (ETH) tokens were redirected into wallets controlled by Lazarus.

This attack marks a continuation of North Korea’s growing reliance on cybercrime as a means of funding its government, including its military and nuclear programs. The U.S. has repeatedly accused Pyongyang of using state-sponsored hacking groups like Lazarus to bypass international sanctions and finance its regime.

Lazarus: A Well-Oiled Cybercrime Operation

Lazarus Group is widely regarded as one of the world’s most sophisticated hacking collectives, with a track record of high-profile cyberattacks. According to Dr. Dorit Dor, a cybersecurity expert from Check Point, North Korea has built an entire industry around hacking and money laundering.

"They don't care about reputation or regulatory scrutiny. Their only goal is to access funds," Dor explains.

Advanced Tactics to Evade Detection

The hackers operate around the clock using sophisticated obfuscation techniques to cover their tracks. Dr. Tom Robinson, co-founder of crypto analytics firm Elliptic, describes Lazarus as a "factory-like operation," with multiple teams working in shifts to systematically launder stolen crypto assets.

"Lazarus never stops. Their ability to erase transaction trails and obfuscate funds is unparalleled in the crypto crime ecosystem," Robinson explains.

Elliptic’s analysis aligns with statements from ByBit itself, which reports that 20% of the stolen funds have already vanished, making recovery highly unlikely.

Crypto Exchanges Complicit in Laundering?

Despite global efforts to crack down on illicit crypto transactions, some exchanges remain uncooperative or slow to respond. One such platform, identified as eXch, allegedly facilitated the laundering of over $90 million linked to the ByBit heist.

While eXch CEO Johann Roberts has since stated in an email that the company is willing to assist in tracking the stolen funds, he admitted that they did not immediately freeze the transactions due to an ongoing legal dispute with ByBit and uncertainty over whether the funds were hacked or simply moved by traders.

A History of High-Stakes Cyber Heists

Lazarus Group has shifted its focus from traditional bank cyber heists to cryptocurrency platforms, as the latter often have weaker security measures and a lack of global regulatory oversight.

Some of the most significant cyberattacks attributed to the group include:

  • 2019: UpBit Hack – Stolen funds: $41 million
  • 2020: KuCoin Attack – Stolen funds: $275 million (most funds recovered)
  • 2022: Ronin Bridge Exploit – Stolen funds: $600 million (largest crypto hack before ByBit)
  • 2024: Atomic Wallet Breach – Stolen funds: $100 million

Despite several Lazarus Group members being placed on the FBI’s most-wanted cybercriminal list, their location in North Korea shields them from extradition or prosecution.

The Race to Recover Stolen Crypto

In response to the hack, ByBit has launched the “Lazarus Bounty” program, incentivizing blockchain analysts and law enforcement to track and freeze stolen assets. So far, $40 million in funds have been identified and locked, and $4 million in rewards have been distributed to those who contributed to the effort.

However, cybersecurity experts remain skeptical about the likelihood of recovering a significant portion of the remaining funds. The speed and precision with which Lazarus launders stolen assets make it incredibly difficult for authorities to intercept the money before it is fully laundered through mixers, privacy coins, and shell accounts.

The Global Implications of Crypto-Based Cybercrime

The ByBit attack underscores a growing global challenge—how to prevent state-sponsored hacking groups from exploiting cryptocurrency networks for illicit activities.

With cryptocurrency regulations still lagging behind traditional financial systems, hacker groups like Lazarus continue to exploit security vulnerabilities, using decentralized exchanges (DEXs), privacy-focused coins (like Monero), and blockchain mixers to obfuscate the movement of funds.

Experts warn that without stronger global cooperation and regulatory frameworks, the next billion-dollar crypto heist is only a matter of time.
