• 10x Market Updates

Lazarus Group: The North Korean Hackers Behind Bybit’s $1.5 Billion Crypto Heist

👇1-11) North Korean hackers are behind most crypto attacks, deploying specialized teams focusing exclusively on a single exchange or crypto service provider. The Bybit exchange hack, which resulted in the loss of $1.46 billion in staked Ether and other ERC-20 tokens on February 21, 2025, stands as the largest crypto hack in history—twice the size of the second-largest breach. Notably, North Korean hacking groups like Lazarus have been linked to several major attacks, including Ronin ($625m), KuCoin ($285m), and the Binance Bridge ($570m).

Largest crypto hacks ($ millions at the time)

👇2-11) State-sponsored North Korean hackers initially targeted South Korean crypto exchanges because they often maintained escrow accounts holding Bitcoins in hot wallets connected to the internet. South Korea’s largest exchange (at the time), Bithumb, was raided at least four times. Usually, under the guise of being a trusted business partner, the hackers would plant malware on an exchange employee’s computer before finding ways to access the keys to the exchange’s hot wallets.

👇3-11) Moving large sums of cryptocurrency around would be tough if exchanges had adequate know-your-customer (KYC) and anti-money-laundering (AML) procedures. The preferred way for criminals to break a cryptocurrency trail is to route funds through DeFi (decentralized finance) platforms and swap one token for another without any intermediary ever taking custody of the funds, since DeFi protocols require no KYC or AML documentation. Based on data from Chainalysis, North Korean hackers used the DeFi protocol Uniswap to launder 275 million dollars of cryptocurrency stolen from the KuCoin exchange on September 26, 2020, at the time one of the largest hacks ever.

👇4-11) Eventually, hackers need to move stolen coins to an exchange or venue that can help them convert crypto back into fiat. However, to cover their tracks, criminal groups tend to leave sizable amounts of cryptocurrency untouched for many years after hacks.

👇5-11) In 2018, the Hong Kong-based exchange Bitfinex was hacked by the North Korean Lazarus Group for nearly 250 million dollars of cryptocurrencies—including ninety-five million dollars in Bitcoin and 141 million in Ethereum, plus smaller amounts of Zcash, Dogecoin, Ripple, Litecoin, and Ethereum Classic. The stolen coins were moved through other exchanges, with some of the Bitcoins then being transferred into an account held by Chinese citizens Tian Yinyin and Li Jiadong, who had successfully opened accounts at other exchanges using fake pictures and names. Tian moved more than thirty-four million dollars to his bank account, while Li used nine banks to funnel thirty-three million dollars.

👇6-11) Tian and Li are also believed to have laundered other misappropriated cryptocurrencies for North Korea after previous crypto exchange hacks, gaming the KYC process by uploading photoshopped government IDs and cashing out using several Chinese banks (several Chinese financial institutions offer accounts to North Koreans or front companies with relationships with the North Korean government). Both Tian and Li remain fugitives at large to this day.

👇7-11) The Lazarus Group is believed to be associated with the North Korean government and has been linked to cyberattacks and ransomware that fund North Korea's military ambitions. The attacks on South Korea's crypto exchanges shared tooling and tradecraft with earlier Lazarus operations such as the November 2014 breach of Sony Pictures and the May 2017 WannaCry ransomware outbreak, which is why experts have attributed many of these hacks to the Lazarus Group. Lazarus operators would impersonate job recruiters and target specific individuals believed to have access to private keys. They would also use fake token offerings and social media accounts to deliver their lures.

👇8-11) Anne Neuberger, U.S. deputy national security advisor for cyber security, said in July 2022 that North Korea funds up to a third of its missile program through cybercrime. North Korean hackers are sent to Shenyang in China for special training, and their hacking apprenticeship puts them through six years of special education. Chainalysis estimates North Korea stole approximately 1.7 billion dollars in cryptocurrency in 2022 alone. Thirty million dollars of the Axie Infinity proceeds was recovered after analysts traced funds that had moved through "crypto mixers": services, some of them run as on-chain smart contracts, that pool and shuffle the deposits of many users so that a withdrawal cannot be readily linked to the deposit that funded it. Some analysts believe North Korea was also behind the Coincheck hack in January 2018.

👇9-11) U.S. officials have also linked the Lazarus Group to the 625-million-dollar theft from the crypto game Axie Infinity in March 2022. The attack began with a fake LinkedIn job offer that duped a senior engineer at the company into applying for a job that did not exist. After multiple rounds of interviews, the engineer received a fake offer letter as a PDF, which he downloaded and opened. The malware it carried gave the attackers a foothold inside Sky Mavis, the developer of Axie Infinity and operator of the Ronin Network, the Ethereum sidechain the game runs on. Ronin's validators both produce blocks on the sidechain and co-sign deposits and withdrawals on the bridge to Ethereum, which accepts a withdrawal once it carries signatures from five of the nine validators. From inside Sky Mavis the attackers obtained the keys of the four validators it operated, and a fifth signature from the Axie DAO's validator, whose node still honoured signing requests from Sky Mavis under an allowlist set up months earlier to cope with user load and never revoked. With five signatures in hand they forged two withdrawals, 173,600 ETH and 25.5 million USDC, that the bridge accepted as valid.
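To make the threshold logic concrete, here is an added example (not code from the original post, from Sky Mavis or from Ronin) that models a five-of-nine bridge withdrawal check in Python. It assumes HMAC-SHA256 tags in place of the validators' real ECDSA signatures, constructed validator names and keys, and a simplified "delegation allowlist" standing in for the gas-free RPC allowlist described above; the 8-of-9 threshold in the last run is an illustrative hardening, not a claim about Ronin's configuration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Nine validators with a five-of-nine approval threshold, as in the public
# account of the Ronin bridge incident. Names are illustrative and the key
# material is constructed at run time; none of it is real Ronin data.
SKY_MAVIS = [f"sky-mavis-{i}" for i in range(1, 5)]   # four run by Sky Mavis
AXIE_DAO = "axie-dao"                                 # one run by the Axie DAO
THIRD_PARTY = [f"third-party-{i}" for i in range(1, 5)]
ALL_VALIDATORS = SKY_MAVIS + [AXIE_DAO] + THIRD_PARTY


@dataclass
class Bridge:
    keys: dict                      # validator name -> that operator's signing key
    threshold: int = 5
    # validator -> requesters whose signing requests its node honours
    # automatically (the never-revoked allowlist described above).
    delegation_allowlist: dict = field(default_factory=dict)


def withdrawal_message(recipient: str, asset: str, amount: int, nonce: int) -> bytes:
    """Canonical bytes every validator signs for one bridge withdrawal."""
    return f"withdraw|{recipient}|{asset}|{amount}|{nonce}".encode()


def sign(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 tags stand in for ECDSA signatures (assumption made so the
    # example needs only the standard library; the threshold logic is unchanged).
    return hmac.new(key, msg, hashlib.sha256).digest()


def request_delegated_signature(bridge: Bridge, validator: str, requester: str, msg: bytes):
    """The validator's node signs on the requester's behalf if allowlisted, else None."""
    if requester in bridge.delegation_allowlist.get(validator, set()):
        return sign(bridge.keys[validator], msg)
    return None


def count_valid_signatures(bridge: Bridge, msg: bytes, sigs: dict) -> int:
    """Number of distinct known validators whose signature over msg verifies."""
    valid = 0
    for name, sig in sigs.items():
        key = bridge.keys.get(name)
        if key is not None and hmac.compare_digest(sign(key, msg), sig):
            valid += 1
    return valid


def approve_withdrawal(bridge: Bridge, msg: bytes, sigs: dict) -> bool:
    return count_valid_signatures(bridge, msg, sigs) >= bridge.threshold


def simulate_attack(allowlist_revoked: bool, threshold: int = 5) -> bool:
    """Attacker holds the four Sky Mavis keys (taken via the phishing payload)
    and controls Sky Mavis infrastructure, so requests can be made in its name.
    Returns whether the forged withdrawal clears the bridge."""
    keys = {name: secrets.token_bytes(32) for name in ALL_VALIDATORS}
    allowlist = {} if allowlist_revoked else {AXIE_DAO: {"sky-mavis"}}
    bridge = Bridge(keys=keys, threshold=threshold, delegation_allowlist=allowlist)

    msg = withdrawal_message("0xattacker", "ETH", 173_600, nonce=1)  # first of the two forged withdrawals
    sigs = {name: sign(keys[name], msg) for name in SKY_MAVIS}        # four stolen keys
    fifth = request_delegated_signature(bridge, AXIE_DAO, "sky-mavis", msg)
    if fifth is not None:
        sigs[AXIE_DAO] = fifth                                        # fifth signature, no key theft needed
    return approve_withdrawal(bridge, msg, sigs)


if __name__ == "__main__":
    print("allowlist live, 5-of-9:   ", simulate_attack(allowlist_revoked=False))               # True
    print("allowlist revoked, 5-of-9:", simulate_attack(allowlist_revoked=True))                # False
    print("allowlist live, 8-of-9:   ", simulate_attack(allowlist_revoked=False, threshold=8))  # False
```

The point the three runs make is that a bridge's effective threshold is not "how many keys must be stolen" but "how many signatures the attacker can obtain by any route": a delegation path that produces a valid signature counts exactly as much as a stolen key, so allowlists, signing proxies and break-glass accounts all belong inside the trust boundary you are counting, and revoking them is as important as rotating the keys.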

👇10-11) North Korea has no free internet; the government controls online access. Every cyberattack is either explicitly authorized or directly orchestrated by the regime. The state handpicked and trained the country's hackers, with recruitment starting as early as age 11. These selected individuals receive special privileges, including spacious apartments and exemption from military service. The most talented are sent to China, North Korea’s closest remaining ally, for further training.

👇11-11) Since at least 2010, the Lazarus Group has been behind high-profile cyberattacks, mainly targeting Korean and Japanese crypto exchanges. These relentless breaches have led to significant financial losses and a decline in market share for affected platforms.