# Full Report
Cybersecurity researchers say North Korean hackers are behind the largest cryptocurrency heist in history and are actively laundering the more than $1.4 billion in cryptocurrency stolen from the Bybit exchange on Friday.
# Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
Attributed to North Korean hackers, specifically the Lazarus Group, a hacking outfit with known ties to the North Korean government. Attribution rests on "substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts."
## Activity Summary
The actor is responsible for the largest cryptocurrency heist in history, stealing more than $1.4 billion in cryptocurrency from the Bybit exchange on Friday. The attack exploited a transfer from an offline cold wallet to an online hot wallet: by inserting themselves into that transfer, the attackers siphoned off approximately 401,000 ETH. Laundering of the stolen funds began immediately after the theft.
## Tactics, Techniques & Procedures
- **Token Conversion:** Exchanging the stolen ERC-20 tokens for the chain's native asset (Ether, ETH), which no token issuer can freeze.
- **Fund Layering:** Moving funds through a complex web of decentralized exchanges (DEXs), cross-chain bridges, and centralized exchanges to complicate tracing.
- **Systematic Emptying:** Distributing funds across numerous wallets (e.g., 50 wallets receiving 10,000 ETH each) before systematically emptying them.
- **Exploiting KYC Gaps:** Utilizing cryptocurrency exchanges that do not require Know Your Customer (KYC) protocols, such as eXch, for laundering.
## Targeting
- Sectors: Cryptocurrency Exchanges
- Geography: Target geography is not explicitly mentioned; the actor is attributed to North Korea.
- Victims: Bybit cryptocurrency exchange (primary target); Infini crypto-focused bank (secondary incident mentioned in aftermath).
## Tools & Infrastructure
- **Malware families used:** Not explicitly named; the activity is associated with known North Korean hacking techniques.
- **Infrastructure (C2, domains, IPs):** No command-and-control domains or IPs are reported. The infrastructure described is the laundering path: decentralized exchanges (DEXs), cross-chain bridges, and centralized exchanges, including the non-KYC exchange **eXch** for fund movement.
## Implications
This incident highlights the massive scale of financial motivation driving state-sponsored cyber operations from North Korea, which rely on cryptocurrency theft to fund state activities. The sophisticated and rapid laundering techniques underscore the challenges regulators and exchanges face in tracing and seizing these funds, especially when non-compliant exchanges are involved.
## Mitigations
- Industry-wide implementation of robust Know Your Customer (KYC) protocols across all associated services, closing the anonymity gaps the actor exploits.
- Exchanges should closely monitor for "characteristic patterns" of Lazarus Group activity, such as rapid conversion from ERC-20 tokens to native ETH or BTC to evade potential freezing mechanisms.
- Researchers and law enforcement must collaborate to rapidly pressure and blacklist addresses on exchanges facilitating laundering activities.
- Implement rigorous key-management procedures, especially for transactions that bridge cold and hot wallet environments.
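The two "characteristic patterns" named above, the fan-out into many equal-sized wallets (Tactics, Techniques & Procedures, "Systematic Emptying") and the rapid conversion of ERC-20 tokens into native ETH (Mitigations), can both be expressed as simple heuristics over transfer records. The following is an added example written for this page, not code from the report, from Bybit, or from any blockchain-analytics vendor. The `Transfer` record, the thresholds, every address (`0xSTAGING`, `0xWALLET00`...), the token symbol `TOKEN_X` and all amounts and timestamps are constructed for illustration; real monitoring would feed the same functions from a node or indexer.

```python
"""Heuristics for two laundering patterns: equal-sized fan-out and rapid
token-to-native conversion.  Added example; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

NATIVE = "ETH"  # asset label used for native ether; anything else is an ERC-20 symbol


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds (constructed)
    src: str       # sending address
    dst: str       # receiving address
    asset: str     # NATIVE or an ERC-20 token symbol
    amount: float


def detect_fan_out(transfers, min_outputs=20, window=3600):
    """Flag a source that sends the same asset, in the same (rounded) amount,
    to at least `min_outputs` distinct addresses within `window` seconds.
    Returns {source: {asset, amount, outputs, span_s}}."""
    groups = defaultdict(list)  # (src, asset, rounded amount) -> transfers
    for t in transfers:
        groups[(t.src, t.asset, round(t.amount, 2))].append(t)
    hits = {}
    for (src, asset, amt), outs in groups.items():
        dsts = {t.dst for t in outs}
        span = max(t.ts for t in outs) - min(t.ts for t in outs)
        if len(dsts) >= min_outputs and span <= window:
            hits[src] = {"asset": asset, "amount": amt,
                         "outputs": len(dsts), "span_s": span}
    return hits


def detect_rapid_conversion(transfers, max_delay=900):
    """Flag an address that receives an ERC-20 token, sends that token out, and
    receives native ETH back, all within `max_delay` seconds of the token arriving.
    Returns [(address, token, seconds_from_token_in_to_eth_in)]."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for t in transfers:
        inbound[t.dst].append(t)
        outbound[t.src].append(t)
    hits = []
    for addr, ins in inbound.items():
        for tok_in in ins:
            if tok_in.asset == NATIVE:
                continue
            deadline = tok_in.ts + max_delay
            for out in outbound[addr]:
                if out.asset != tok_in.asset or out.ts < tok_in.ts:
                    continue
                eth_back = [e.ts for e in ins
                            if e.asset == NATIVE and out.ts <= e.ts <= deadline]
                if eth_back:
                    hits.append((addr, tok_in.asset, min(eth_back) - tok_in.ts))
                    break
    return hits


def build_sample():
    """Constructed transfer log: one fan-out, one rapid swap, some benign noise."""
    base = 1_700_000_000
    txs = []
    # 1) a staging address pays 10,000 ETH to 50 fresh wallets, ten seconds apart
    for i in range(50):
        txs.append(Transfer(base + 10 * i, "0xSTAGING", f"0xWALLET{i:02d}", NATIVE, 10_000.0))
    # 2) wallet 03 receives a token, sends it to a DEX, and gets native ETH back 160 s later
    txs.append(Transfer(base + 1000, "0xELSEWHERE", "0xWALLET03", "TOKEN_X", 1_000.0))
    txs.append(Transfer(base + 1100, "0xWALLET03", "0xDEX", "TOKEN_X", 1_000.0))
    txs.append(Transfer(base + 1160, "0xDEX", "0xWALLET03", NATIVE, 998.5))
    # 3) an exchange hot wallet paying three ordinary, differently sized withdrawals
    txs.append(Transfer(base + 50, "0xEXCHANGE_HOT", "0xUSER_A", NATIVE, 1.25))
    txs.append(Transfer(base + 60, "0xEXCHANGE_HOT", "0xUSER_B", NATIVE, 0.4))
    txs.append(Transfer(base + 70, "0xEXCHANGE_HOT", "0xUSER_C", "USDT", 2_500.0))
    return txs


if __name__ == "__main__":
    sample = build_sample()
    print("fan-out:", detect_fan_out(sample))
    print("rapid conversion:", detect_rapid_conversion(sample))
```

On the constructed log, `detect_fan_out` reports only `0xSTAGING` (50 outputs of 10,000 ETH spanning 490 seconds); the exchange hot wallet is not flagged because its payouts differ in amount and asset. `detect_rapid_conversion` reports `0xWALLET03` converting `TOKEN_X` to native ETH 160 seconds after the token arrived. In production the thresholds are the tuning knobs: the 10,000-ETH-to-50-wallets pattern on the page is an extreme case, and a smaller `min_outputs` or a longer `window` trades precision for recall.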