North Korean Hackers Convert $300M from Record-Breaking $1.5B ByBit Heist into Untraceable Funds

Hackers believed to be working for the North Korean regime have successfully laundered at least $300 million (£232 million) of stolen cryptocurrency, making it nearly impossible to recover. The massive heist, totaling $1.5 billion, targeted the crypto exchange ByBit in what is now one of the largest crypto thefts in history.

The ByBit Hack: A Game of High-Stakes Cat-and-Mouse

The attack, carried out by the infamous Lazarus Group, occurred two weeks ago when hackers manipulated ByBit’s digital wallet transactions. Since then, blockchain analysts and security teams have been in a race against time to track and block the stolen funds before they are fully laundered.

Cybersecurity experts say Lazarus Group operates nearly 24/7, using sophisticated methods to obfuscate their transactions. Analysts believe the stolen funds are being funneled into North Korea’s military and nuclear programs.

“Every minute matters for these hackers. They employ automated tools and years of experience to confuse the money trail,” said Dr. Tom Robinson, co-founder of crypto forensic firm Elliptic. “We can see that they take only a few hours of break daily, likely working in shifts to turn the stolen crypto into usable cash.”

The Laundering Process: North Korea’s Cyber Expertise

Elliptic’s investigation aligns with ByBit’s own tracking efforts, confirming that 20% of the stolen funds have already “gone dark,” making them nearly impossible to recover.

For years, the U.S. and its allies have accused North Korea of conducting cyber heists to fund its weapons programs. The Lazarus Group, linked to multiple high-profile hacks, is known to be exceptionally skilled at laundering stolen crypto.

Unlike traditional banking, cryptocurrency transactions occur on public blockchains, allowing investigators to follow the money. However, laundering methods such as mixing services and routing through unregulated exchanges make it difficult to freeze stolen assets.
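How following the money on a public ledger works in practice, as an added example that is not part of the original article and not any firm's actual tooling: it applies the proportional ("haircut") tracing heuristic, one of several that analysts use, to a constructed list of transfers. All addresses, amounts and service labels are made up for illustration.

```python
from collections import defaultdict

# Constructed sample ledger (not real transactions): (sender, receiver, amount)
# in time order. Every address here is a made-up label.
TRANSFERS = [
    ("theft_wallet", "hop_a", 60.0),
    ("theft_wallet", "hop_b", 40.0),
    ("clean_user", "hop_a", 60.0),     # unrelated funds mix into hop_a
    ("hop_a", "exchange_x", 90.0),
    ("hop_b", "mixer_m", 40.0),
    ("hop_a", "hop_c", 30.0),
]
# Assumed labels an analyst would hold for known services.
SERVICES = {"exchange_x": "regulated exchange", "mixer_m": "mixing service"}


def trace(transfers, source, stolen_amount, services):
    """Propagate taint from `source` with the proportional ("haircut") rule."""
    balance = defaultdict(float)   # total coins held per address
    tainted = defaultdict(float)   # part of that balance traced to the theft
    balance[source] = tainted[source] = stolen_amount
    findings = []
    for sender, receiver, amount in transfers:
        if balance[sender] < amount:
            # Shortfall comes from funds we never saw arrive: treat as clean.
            balance[sender] = amount
        share = tainted[sender] / balance[sender]
        moved = amount * share     # tainted value carried by this transfer
        balance[sender] -= amount
        tainted[sender] -= moved
        balance[receiver] += amount
        tainted[receiver] += moved
        if moved > 0 and receiver in services:
            # Tainted value reached a labelled service: report it.
            findings.append((receiver, services[receiver], round(moved, 2)))
    holdings = {a: round(t, 2) for a, t in tainted.items() if t > 1e-9}
    return findings, holdings


if __name__ == "__main__":
    hits, holdings = trace(TRANSFERS, "theft_wallet", 100.0, SERVICES)
    for address, label, value in hits:
        print(f"{value} tainted units reached {address} ({label})")
    print("current tainted holdings:", holdings)
```

A deposit flagged at a regulated exchange is the point where a freeze request can still work; value that enters a mixing service is where the trail stops being followable.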

How the Heist Happened

On February 21, the hackers infiltrated a ByBit supplier, altering a digital wallet address linked to a massive transaction of 401,000 Ethereum coins. ByBit, unaware of the tampering, sent the funds directly to the attackers instead of its own wallet.

Despite the loss, ByBit’s CEO Ben Zhou reassured customers that their funds were safe. The company has replenished the stolen funds with investor loans and is now taking aggressive action against the hackers.

ByBit’s Counterattack: A Bounty for Tracking Stolen Funds

ByBit has launched the “Lazarus Bounty” program, incentivizing the public to track the stolen funds. Because all cryptocurrency transactions are publicly recorded, blockchain analysts and everyday users can follow the movement of funds and report suspicious activity.

So far, 20 participants in the bounty program have received over $4 million in rewards for identifying $40 million of stolen funds, leading to successful blocking of transactions by crypto firms. However, experts warn that much of the remaining funds may never be recovered.

Uncooperative Exchanges and Crypto Laundering Challenges

One major challenge in stopping the laundering process is the lack of cooperation from certain crypto exchanges. ByBit and other security firms have accused the exchange platform eXch of failing to block illicit transactions, allowing over $90 million of stolen funds to be converted.

eXch’s owner, Johann Roberts, initially denied these accusations, citing an ongoing dispute with ByBit and uncertainty over the source of the funds. However, he later claimed his exchange is now cooperating with investigators. He also argued that blocking transactions based on suspicion undermines cryptocurrency’s foundational principles of privacy and anonymity.

North Korea’s Crypto Crimes: A Growing Threat

North Korea has never officially admitted links to the Lazarus Group, but experts say it is the only nation-state systematically using cyberattacks to generate revenue. While Lazarus initially targeted banks, in recent years it has increasingly focused on cryptocurrency platforms, which have weaker security measures.

Past North Korean-linked crypto heists include:

  • 2019: $41 million stolen from UpBit

  • 2020: $275 million theft from KuCoin (most funds recovered)

  • 2022: $600 million Ronin Bridge attack

  • 2023: $100 million stolen from Atomic Wallet

The U.S. has placed Lazarus Group members on its Cyber Most Wanted list, but as long as they remain in North Korea, arrests are unlikely.

The Future of Crypto Security

This latest heist underscores the urgent need for stronger security measures in the crypto industry. With North Korea’s sophisticated laundering techniques and an evolving cybercrime landscape, crypto exchanges must continue improving their defenses against such attacks.

Meanwhile, the battle to recover ByBit’s stolen funds continues—but for Lazarus Group, the clock is always ticking in their favor.
