Wednesday, March 26, 2025

North Korean Hackers Convert $300 Million from Record-Breaking Crypto Heist

Hackers linked to the North Korean regime have successfully converted at least $300 million of their record-breaking $1.5 billion crypto heist into unrecoverable funds. The cybercriminal group, known as Lazarus, orchestrated the massive theft by breaching crypto exchange ByBit two weeks ago.

Since then, efforts to track and block the hackers from laundering the stolen funds have turned into a high-stakes game of cat and mouse.

Cybersecurity experts believe the hackers are working around the clock, likely funneling the money into North Korea’s military and nuclear programs. Dr. Tom Robinson, co-founder of crypto investigation firm Elliptic, describes the group as highly sophisticated and methodical in obscuring their financial trail. He notes that they appear to operate in shifts, pausing only briefly each day, using automated tools and years of experience to convert the stolen funds into usable assets.

Elliptic’s latest analysis aligns with ByBit’s findings, confirming that 20% of the stolen funds have “gone dark”—meaning they are unlikely to ever be recovered. The U.S. and its allies have repeatedly accused North Korea of using cyberattacks as a primary source of funding for its military ambitions, and this latest hack is the most significant in a string of high-profile cybercrimes attributed to the Lazarus Group.

On February 21, the hackers infiltrated one of ByBit’s suppliers, covertly modifying the digital wallet address that was set to receive 401,000 Ethereum coins. ByBit, believing it was transferring funds to its own secure wallet, instead unwittingly sent the massive sum directly to the hackers.

Despite the staggering loss, ByBit CEO Ben Zhou reassured customers that their funds remained untouched. The exchange has since replenished the stolen assets with loans from investors and is now actively fighting back against Lazarus. Zhou describes their response as “waging war” on the hackers, launching the ByBit Lazarus Bounty program, which incentivizes the public to help track and freeze the stolen funds wherever possible.

Because all cryptocurrency transactions are recorded on a public blockchain, experts can trace the movements of the stolen assets. If Lazarus attempts to cash out through a mainstream crypto exchange, the funds can potentially be frozen by security teams. So far, the bounty program has seen some success. More than 20 individuals have earned a combined $4 million in rewards for identifying and flagging $40 million in stolen funds, leading to blocked transactions.

However, cybersecurity experts remain skeptical about the chances of recovering the remaining funds. Dr. Dorit Dor, an executive at Check Point, a leading cybersecurity firm, explains that North Korea operates in an entirely closed economy and has built an entire industry around hacking and money laundering. Unlike other criminal organizations that might fear reputational damage, North Korea’s state-sponsored hacking groups continue their cyber activities with impunity.

Further complicating efforts to recover the stolen assets is the lack of cooperation from some cryptocurrency exchanges. ByBit and other investigators have accused the crypto exchange eXch of failing to prevent the hackers from cashing out. More than $90 million of the stolen funds have reportedly been laundered through this platform.

eXch’s owner, Johann Roberts, has pushed back against the allegations, arguing that his company initially failed to block transactions because it was in a long-running dispute with ByBit. He also claims his team was uncertain whether the funds were directly tied to the hack. While he now states that eXch is cooperating with investigations, he also criticizes mainstream crypto platforms for implementing customer identification measures, which he believes undermine the core principles of cryptocurrency privacy and anonymity.

Although North Korea has never officially acknowledged its involvement with the Lazarus Group, the country is believed to be the only nation-state using hacking as a primary means of financial gain. While Lazarus initially focused on traditional financial institutions, the group has shifted its focus in recent years to cryptocurrency platforms, which often have weaker security measures.

The ByBit attack is the latest in a series of high-profile heists linked to North Korea, including:

  • The 2019 hack of UpBit, which resulted in the theft of $41 million
  • The 2020 theft of $275 million from KuCoin, though most of those funds were eventually recovered
  • The massive 2022 Ronin Bridge attack, where hackers stole $600 million in crypto
  • The 2023 attack on Atomic Wallet, which led to the loss of approximately $100 million in crypto

In response to the growing threat posed by North Korean cybercriminals, the U.S. government has added several suspected Lazarus Group members to its Cyber Most Wanted list. However, given North Korea’s isolation and strict control over its citizens, the likelihood of these individuals being arrested remains extremely low unless they travel outside the country.

As the crypto industry grapples with the impact of this latest heist, experts continue to warn that without stronger security measures and better cooperation between exchanges, North Korean hackers will likely strike again. While efforts to freeze and recover stolen funds have had some success, Lazarus has proven to be a formidable adversary, adapting to security improvements and refining its laundering techniques with each new attack.

With hundreds of millions of dollars still unaccounted for, the battle to track and contain the stolen funds is far from over.

Africa Live News