Kim Jong Un’s sting: How North Korea orchestrated the biggest cyber heist in history
A group of hackers working for the ‘Dear Respected Comrade’ managed to steal $1.5 billion from the cryptocurrency site Bybit in a single ‘extremely sophisticated’ attack


It all happened overnight and in a matter of minutes. Ben Zhou, CEO of the cryptocurrency exchange Bybit, made a series of routine transfers from his home computer. A short while later, his company called to inform him that his reserves of Ethereum, the second most-used cryptocurrency after Bitcoin, worth $1.5 billion, had vanished. By then, the ethers had already been transferred to thousands of other people’s digital wallets. Bybit had just suffered the largest theft in history. Five days later, the FBI confirmed what some analysts suspected from the outset: the attack was the work of Lazarus, a hacking group supported by the North Korean government that has become the scourge of the crypto sector.
Zhou went out of his way to appear calm on social media immediately after the cyberattack, even sharing the heart rate displayed on his smartwatch to convey that everything was under control. The entrepreneur assured his clients affected by the theft that they would receive 100% of their deposits back. Fearing a panic in the sector, some of Bybit’s competitors, such as Bitget, lent Zhou $100 million in interest-free ether to help repay their deposits, The New York Times reported.
some of you saw I am wearing a WHOOP and asked what my stress monitor looks like for last night. Here it is, I didn't get any sleep at all, but it actually looks not too bad, I guess I was too focused commanding all the meetings. Forgot to stress... I think it will come soon when I… pic.twitter.com/MWypWyUSR9
— Ben Zhou (@benbybit) February 22, 2025
But the damage was done. Less than 24 hours later, Bybit customers had withdrawn around $10 billion worth of cryptocurrency, almost half of the platform’s total managed volume. The value of Bitcoin, the benchmark cryptocurrency, fell 20% the day after the cyberattack, its worst day since the 2022 bankruptcy of FTX, the exchange run by Sam Bankman-Fried, the most popular crypto broker at the time.
Stealing $1.5 billion in one fell swoop isn’t easy. Lazarus, the umbrella term for the various hacking teams financed by North Korea, is reasserting itself as a global leader in cybercrime. Before the Bybit hack, the largest cyber theft on record, in 2022, was also their work: $625 million in ether stolen from a website related to the video game Axie Infinity. Cryptocurrencies are a goldmine for Lazarus: in 2024, they stole $1.34 billion worth of crypto in 47 incidents, according to a Chainalysis report. In 2023, they obtained $660 million through 20 separate attacks.
The heist of the century
A month has passed since the major heist, and forensic reports have revealed many details of the Lazarus operation. All the analysts consulted agree in describing it as a feat within the reach of very few, both due to its meticulous planning and the precision with which it was carried out. “The Bybit attack demonstrated an extremely high level of sophistication on the part of Lazarus. They combined social engineering, deep knowledge of DeFi [decentralized finance] infrastructures, and advanced persistence techniques to execute one of the most audacious cyber heists to date,” says Hervé Lambert, director of global operations at Panda Security.
The key to the North Korean hackers’ success is that they were able to intercept a transfer out of a cold wallet, one of those wallets without an internet connection, considered until now the most secure way of storing cryptocurrencies. That is why Bybit stored its large reserves of Ethereum in one. How did they gain access to these funds? Bybit had to periodically transfer cryptocurrency from the cold wallet to a hot wallet (connected to the internet) to manage daily operations. That’s what Ben Zhou did from his home on February 21.
Or rather, that’s what he thought he was doing. The Lazarus hackers managed to intercept the transfers and redirect them to several accounts under their control. To achieve this, they attacked a third party: the provider of the wallet used by the exchange, the Safe{Wallet} platform. Lazarus managed to take control of the computer of one of Safe{Wallet}’s software developers and, once inside the platform’s infrastructure, inserted hidden malicious code into its application. This is what is known in the jargon as a supply chain attack, an attack on a technological partner of the victim.
“This surgically precise malware was designed to activate only under specific conditions, bypassing normal defenses,” Lambert explains. When Zhou initiated routine transfers from the cold wallet, the malicious code executed, manipulating the transactions to send them to the attackers’ wallets instead of legitimate ones. “Immediately after the transaction went through, the hackers covered their tracks: within two minutes, they uploaded new, clean versions of the JavaScript code to the Safe{Wallet} repository on AWS, removing the backdoor they had used. The entire attack happened so quickly and subtly that by the time Bybit detected the anomalous drain of its funds, it was too late: the ethers were controlled by Lazarus.”

Bybit launched a series of rewards for those who manage to block stolen cryptocurrencies, preventing their exchange. “This type of program is common, for example, when finding vulnerabilities in software or hardware [bug bounty], but its application as a response to a security incident is, to say the least, curious,” says José Rosell, CEO of S2Grupo.
They haven’t achieved much this way: five days after the attack, “more than $400 million had been moved, indicating an unprecedented level of operational efficiency,” according to a report by the specialized consulting firm TRM Labs. “The laundering process, as of February 26, 2025, includes transfers through multiple intermediary wallets, conversion into different cryptocurrencies, and the use of decentralized exchanges, and cross-chain bridges to obfuscate the trail.”
It is precisely the anonymity and rapid liquidity offered by cryptocurrencies, when compared to traditional banking, that makes them such a popular choice for illicit activities.
Stealing for the greater glory of the regime
Although no one officially recognizes it, many countries finance and support elite hacker groups known as APTs (advanced persistent threats). These are highly structured organizations with top-level professionals, whose capabilities are often on par with those of the secret services of major powers. With one difference: they supposedly operate without a flag. They usually engage in industrial espionage, sabotage, or the acquisition of military or other documents of strategic value.
North Korea’s approach is different. Its hacking teams are primarily focused on obtaining funds for the regime. And they have found cryptocurrencies to be a significant source of income. The recent Bybit hack ($1.5 billion) and Axie Infinity hacks ($660 million) are good proof of this. The specialized website TRM Labs estimates that North Korean hackers have acquired at least $5 billion in cryptocurrency since 2021 alone. And a report by the United Nations Security Council estimates that the funds provided by these groups account for half of the foreign currency flowing into North Korea.
It was Kim Jong Un, grandson of the founder of the dynasty of dictators, who deduced that the regime could make significant profit from cyberspace. According to journalist Anna Fifield in her book The Great Successor (2021), Kim bet on this as soon as he inherited the reins of the country in 2009. “Students who show potential [for computing] — some as young as 11 years old — are sent to special schools and then on to the University of Automation in Pyongyang,” where “for five years, they are taught how to hack and how to create computer viruses,” writes Fifield.
The U.S. and U.K. secret services, as well as Microsoft, blame Lazarus for the 2017 release of WannaCry 2.0, the largest ransomware attack in history. This computer virus hijacked some 300,000 computers in 150 countries, including those in the U.K. healthcare system, and demanded a ransom in exchange for their release. Another high-profile case was the 2014 cyberattack against Sony Pictures, which was targeted for making a film that mocked Kim Jong Un. More recently, it emerged that Lazarus was able to place their hackers as employees in hundreds of technology companies to steal sensitive information and money.
“Our research team has identified new campaigns that demonstrate this group’s level of sophistication,” says Marc Rivero, Head of Security Research at Kaspersky. “One example is Operation DreamJob, also known as DeathNote, in which they used advanced malware to compromise employees of a nuclear company in Brazil.”