Bybit, one of the world’s largest cryptocurrency exchanges, has suffered a massive hack resulting in the theft of $1.5 billion in digital assets, primarily Ethereum. The breach occurred when an attacker exploited security vulnerabilities during a routine transfer from Bybit’s offline cold wallet to a warm wallet. While all other wallets remain secure, the incident has sparked a surge in withdrawal requests from concerned users.
Bybit is working with law enforcement and blockchain experts to recover stolen assets while warning users about scammers posing as exchange officials. The company has also called on top cybersecurity experts and crypto analysts to aid in the recovery effort, offering a reward of 10% of the retrieved funds—potentially up to $140 million. Meanwhile, Bybit CEO Ben Zhou assured customers that their assets are fully backed and that the company remains solvent, having secured a bridge loan to cover any potential losses.
Blockchain analysis firms, including Elliptic and Arkham Intelligence, have been tracking the stolen funds, as they were swiftly moved across multiple wallets and liquidated through various platforms. While the identity of the hacker remains unconfirmed, analysts have linked the attack to North Korea’s Lazarus Group, a notorious state-sponsored cybercriminal organization. The group has a history of targeting cryptocurrency platforms to fund North Korea’s regime, using sophisticated laundering techniques to obscure stolen assets.
In response to the hack, a coordinated effort among exchanges has led to the freezing of nearly $43 million in stolen funds within two days of the breach. Bybit confirmed that multiple platforms, including THORChain, Coinex, ChangeNow, and Avalanche, have restricted access to assets linked to the North Korean hacking group. Stablecoin issuers Tether and Circle have also flagged suspicious addresses, with Tether freezing 181,000 USDT.
Below are some of The Readable’s stories related to the North Korean hacking group. More coverage can be found on The Readable’s website under the “North Korea” category.
1. North Korea hacked $1.34B in cryptocurrency over seven years, a think tank reveals
North Korea has stolen $1.34 billion in cryptocurrencies over the past seven years, according to South Korea’s Institute for National Security Strategy (INSS). This amount accounts for 20 percent of North Korea’s total illicit foreign currency earnings.
On August 27, the Institute for National Security Strategy (INSS), a research institute focused on South Korea’s security strategy, released its second strategic report on North Korea’s foreign currency earnings. The report states that since 2017, the United Nations Security Council has imposed sanctions on North Korea’s foreign currency earnings to curb its missile development. Despite these sanctions, North Korea managed to earn $6.29 billion through illicit means between 2017 and 2023. Of this total, approximately $1.35 billion was obtained through hacking, with the majority coming from cryptocurrency theft.
The report revealed that North Korea has hacked cryptocurrencies valued at approximately $1.34 billion over the past seven years. In addition, around $6.1 million was stolen in various currencies through the hacking of banks or financial systems. However, most of the attempts to steal traditional currencies were either recouped or resulted in failed hacks.
2. North Korean hackers target Google browser to steal cryptocurrency, Microsoft says
A North Korean government-backed hacking group exploited a vulnerability in Google’s open-source browser to steal cryptocurrency, according to Microsoft.
In a blog post, Microsoft Threat Intelligence and the Microsoft Security Response Center revealed that on August 19, they identified a North Korean hacking group exploiting a vulnerability in Google Chromium, an open-source browser. Microsoft stated that this exploit involves a zero-day vulnerability, meaning the hackers targeted the system before a security patch was available.
Microsoft has identified the threat actor as ‘Citrine Sleet,’ a group linked to Bureau 121 of North Korea’s Reconnaissance General Bureau, a cyberwarfare agency. This actor exploited a vulnerability in Chromium, known as ‘CVE-2024-7971,’ to distribute malware.
3. North Korean hackers laundered $150K in crypto through Cambodian payment firm
North Korea-linked hackers transferred $150,000 in cryptocurrency to a Cambodian payment company over an eight-month period to facilitate money laundering, Reuters reported on Tuesday.
The hacking group known as Lazarus transferred cryptocurrency worth $150,000 (approximately 208 million won) to the Cambodian payment platform Huione Pay from an anonymous digital wallet. According to Reuters, Lazarus used the firm to launder the funds over an eight-month period, from June 2023 to February 2024.
Two blockchain analysts who spoke with Reuters stated that the transferred cryptocurrency is theft proceeds stolen by Lazarus from three cryptocurrency companies in June and July of the previous year. The hacking group primarily used phishing attacks to gather the money.
4. US Treasury report: North Korean hackers stole $720 million of virtual assets
The United States Department of the Treasury revealed that hackers affiliated with the North Korean government stole $720 million worth of virtual assets, funds allegedly diverted to fuel the development of illegal weapons.
On Wednesday, the U.S. Treasury released a groundbreaking report titled ‘Illicit Finance Risk Assessment of Non-Fungible Tokens.’ In this inaugural report, the U.S. government delved into the potential misuse of Non-Fungible Tokens (NFTs) and NFT platforms by illicit actors for money laundering and financing terrorist activities.
The report specifically highlighted North Korea’s exploitation of virtual assets through extortion. North Korean hackers targeted digital asset projects and firms, amassing over $720 million (approximately 1 trillion won) in 2022 alone. It is assumed that this substantial sum constituted a significant portion of the North Korean government’s revenue derived from malicious cyber activities. These illicit funds were purportedly funneled into the development of ballistic missile programs and weapons of mass destruction.
5. North Korean hacking group shifts to new crypto mixer after US sanctions, researchers reveal
The Lazarus Group, widely recognized for its affiliations with the North Korean government, is reportedly shifting its focus towards a new cryptocurrency mixing service to launder its illicit proceeds. This development was highlighted by a United States-based blockchain analysis firm on Thursday.
According to a report by Chainalysis, YoMix has become the preferred cryptocurrency mixer for the North Korean hacking group Lazarus Group. The firm observed a notable shift in the movement of virtual assets, highlighting that in January, the hackers received funds from YoMix into a wallet that had previously been used to receive funds from another cryptocurrency mixer, Sinbad, in October of the previous year.
The researchers refrained from disclosing the specific amount of digital assets processed by the Lazarus Group through YoMix. However, the report revealed that last year, YoMix experienced a significant surge in its monetary transactions, witnessing an increase of more than fivefold over the course of the year. Notably, around one-third of these funds originated from wallets associated with cryptocurrency thefts.