
As Donald Trump orders creation of a strategic cryptocurrency reserve for the USA, North Korea is working hard to hack it. This is demonstrated by the biggest theft of all time, the $1.5 billion taken from Bybit by the North Korean Lazarus Group.
How could this happen?
Well, Chainalysis breaks it down nicely into a step-by-step approach using social engineering and multiple anonymous accounts to launder the crypto undetected. How can that be, as every movement of cryptocurrency is tracked by blockchain tech? Oh, see Step 4:
- The compromise: The hackers gained access to a Safe developer’s computer to control the Safe UI that was specifically used for Bybit transactions. They then added the malicious JavaScript snippet to the frontend code, to make it appear that Bybit was signing a legitimate transaction, when in fact it was a malicious one.
- Initiation of unauthorized transfers: During what appeared to be a routine transfer from Bybit’s Ethereum cold wallet to a hot wallet, Bybit unknowingly signed the malicious transaction, enabling the attackers to move approximately 401,000 ETH — valued at nearly $1.5 billion at the time of the exploit — to addresses under their control.
- Asset dispersion through intermediary wallets: The stolen assets were then moved through a complex web of intermediary addresses. This dispersion is a common tactic used to obfuscate the trail and hinder tracking efforts by blockchain analysts.
- Conversion and laundering: The hackers swapped significant portions of the stolen ETH for tokens including BTC and DAI. They also utilized decentralized exchanges (DEXs), cross-chain bridges, and a no-KYC instant swap service to move assets across networks.
- Keeping funds dormant and strategic laundering: A notable portion of the stolen funds has remained idle across various addresses, a deliberate move often employed by North Korea-affiliated hackers. By delaying laundering efforts, they aim to outlast the heightened scrutiny that typically immediately follows such high-profile breaches.
Step 4 seems to be the key part. That’s complicated but there are answers, as Chainalysis point out:
The inherent transparency of blockchain technology presents a significant challenge for malicious actors attempting to launder stolen funds. Every transaction is recorded on a public ledger, enabling authorities and cybersecurity firms to trace and monitor illicit activities in real time.
I guess this is why Bybit CEO Ben Zhou has launched a $140 million bounty to recover the funds and asked for “coordinated global action” to “take down Lazarus”.
What does this mean?
The hackers hack the hackers.
In other words, the global cryptocurrency community try to track and trace the transactions through Lazarus Group’s anonymous wallets on the blockchain to find their final destinations. Hmmm … that does not sound easy to me.
Attacks by North Korean groups on cryptocurrency exchanges have been growing for years. Chainalysis note in their 2025 Crypto Crime Report that “North Korea-affiliated hackers stole approximately $660.5 million across 20 incidents in 2023. In 2024, this number increased to $1.34 billion stolen across 47 incidents — a 102.88% increase in value stolen”, and about 61% of the $2.2 billion stolen globally.
And where are these millions and billions going?
It is perceived that the proceeds of the Lazarus Group’s audacious thefts are to fund North Korea’s nuclear and missile programmes. Hmmm … who said that crypto is for criminal activities?

Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.