$1.4 Billion Crypto Heist Allegedly Linked to North Korean Hackers

Blockchain security analysts identified the North Korean Lazarus Group as the primary suspect behind the heist.
A photo illustration of the Ethereum cryptocurrency in London on April 25, 2018. Jack Taylor/Getty Images
Bill Pan

Bybit, the world’s second-largest cryptocurrency exchange, on Friday said hackers stole more than $1.4 billion worth of digital assets in what could be the single largest crypto heist in the industry’s 15-year history.

The Dubai-based firm said the breach happened while the company was making a routine transfer of Ethereum (ETH)—the second-largest cryptocurrency by value after Bitcoin—from its offline “cold” wallet to its “warm” wallet that covers daily trading.

The transfer process involved multiple security checks and signatures, yet the hacker managed to mask the true destination of the funds before vanishing.

“Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic,” Bybit said in a post on social media platform X.

“As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.”

Ben Zhou, Bybit’s co-founder and CEO, has reassured customers that their funds are safe and that the exchange will fully reimburse those affected.

“Even if this hack loss is not recovered, all of the client’s assets are 1 to 1 backed—we can cover the loss,” Zhou wrote on X.

“Please rest assured that all other cold wallets are secure,” he wrote in a separate post, emphasizing that all withdrawals are operating normally. “If any team can help us to track the stolen fund will be appreciated.”

Blockchain security analysts, including Elliptic and Arkham Intelligence, have traced the attack to the Lazarus Group, a notorious cybercrime gang allegedly run by the government of North Korea.

Independent investigator ZachXBT further connected the Bybit hack to the Jan. 23 attack on Phemex, a crypto exchange that saw $29 million in digital assets drained. The same Lazarus Group-affiliated digital wallets were used in both attacks, ZachXBT said.

Lazarus Group has been accused of executing dozens of cryptocurrency heists to generate illicit revenue for North Korea’s heavily sanctioned communist regime. In 2024, Google identified North Korea as “arguably the world’s leading cyber criminal enterprise.”

The scale of crypto thefts attributed to North Korea has surged dramatically. According to blockchain intelligence firm Chainalysis, North Korean hackers stole over $1.34 billion worth of digital assets in 2024 across 47 separate incidents, more than doubling the $660 million stolen in 2023. These figures account for over 61 percent of the total crypto value stolen globally in 2024 and more than 20 percent of all hacking incidents that year.

Chainalysis also noted that attacks yielding $100 million or more occurred significantly more often in 2024 than in previous years. The change could mean that North Korean cybercriminals are “getting better and faster at massive exploits,” the report said.

On Jan. 14, the governments of the United States, Japan, and South Korea issued a joint statement warning about North Korea’s escalating cybercrime campaigns. The three countries accused Pyongyang of using stolen digital assets to fund its nuclear and ballistic missile programs.

As part of their warning, they urged the private sector to carefully review advisories from their respective authorities to enhance cybersecurity measures and reduce the risk of unknowingly hiring North Korean IT workers, who may be exploiting remote jobs to funnel earnings to the regime.

The DPRK’s cyber program “poses a significant threat to the integrity and stability of the international financial system,” the statement said, referring to North Korea by its official name, the Democratic People’s Republic of Korea.

“Our three governments strive together to prevent thefts, including from private industry, by the DPRK and to recover stolen funds with the ultimate goal of denying the DPRK illicit revenue for its unlawful weapons of mass destruction and ballistic missile programs.”