Lazarus Group Steals $1.5 Billion

By Charles Leigh on February 28, 2025

Executive Summary

On February 21, 2025, the North Korea linked hacking group known as Lazarus Group carried out a sophisticated attack on one of Bybit's Ethereum cold wallets and made off with over $1.5 billion worth of cryptocurrency, the largest crypto theft on record. The wallet was a multi-signature wallet, and the attackers did not break its cryptography or steal its private keys. According to Bybit's own disclosure [1], the transaction signing interface was manipulated so that the authorized signers saw a legitimate-looking transfer to the correct address while approving a transaction that altered the wallet's underlying smart contract logic. With that change in place the attackers drained the wallet and began moving the stolen assets through chains of intermediary wallets and laundering services to obscure their origin. The attack caused a significant financial loss for Bybit and raised hard questions about the security practices of centralized exchanges and whether cold wallets and multi-signature controls are sufficient against targeted, well-resourced attackers.

Background

A North Korea linked hacking crew carried out the largest theft of Ethereum to date [1]. The group, believed to be Lazarus, targeted Bybit, a major cryptocurrency exchange, reportedly using phishing and malware to reach the wallet's signing process, and transferred Ethereum and related tokens valued at over $1.4 billion to a series of blockchain addresses under its control.


Lazarus is a state-sponsored hacking group run by North Korea, believed to be one of several cyber units operating under the Reconnaissance General Bureau (RGB), the country's main intelligence agency [5]. The group is responsible for a long series of technology-enabled thefts whose proceeds are used to fund North Korea's nuclear and missile programs [2].


Lazarus has carried out multiple high-profile digital thefts, such as the Ronin Network hack in 2022 (about $624 million), which the FBI publicly attributed to the group, and the BNB Bridge hack in 2022 (about $586 million). Over the last five years Lazarus is estimated to have stolen over $2.4 billion for North Korea. These funds are believed to be used to support the weapons program while evading international sanctions.

Impact

The impact of the largest Ethereum theft to date, carried out by North Korean hackers, is significant. Bybit lost roughly $1.5 billion in a single transaction. The exchange stated that client assets remained fully backed and that withdrawals would continue, so the loss fell on the platform rather than directly on individual users' balances, but the scale of the theft is unprecedented. There are national security implications because North Korea funds its nuclear and military programs with stolen cryptocurrency [4]. The theft highlights the vulnerabilities within the cryptocurrency industry and underscores the geopolitical and security risks posed by state-sponsored attacks.

Mitigation

The mitigation strategies that follow from the Bybit attack are to strengthen multi-signature signing procedures and to harden cold wallet operations [3]. Cold wallets are considered secure because their private keys are kept offline, out of reach of remote intrusion, malware and phishing, but the Bybit incident shows that keeping the keys offline does not protect a transaction whose contents were falsified before the keys ever touched it. A multi-signature scheme only helps if each signer independently verifies what is actually being signed: the destination, the value, the calldata and the operation type (a plain call versus a delegatecall, which runs foreign code with the wallet's own storage and can rewrite its logic) should be checked on a trusted device or a second, independent tool rather than taken on trust from a web interface that an attacker may control. Stronger access controls around the signing workflow, allowlists for permitted destinations and function calls, and out-of-band comparison of the transaction hash between signers would all make the attack far harder to repeat. To prevent future breaches, Bybit and its peers must treat the signing path, not just key storage, as part of the cold wallet's trust boundary.
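The following is an added example, not code from Bybit, Safe or any of the reports cited on this page, of the independent pre-signing check described in the executive summary and in the mitigation above. It models the failure mode of the attack: the signing interface displays a benign token transfer while the bytes actually submitted for signature carry a delegatecall to an unknown contract. Each signer decodes the raw transaction fields on a path that does not depend on the web interface and applies a policy before signing. The field names follow the shape of a Safe-style execTransaction (to, value, data, operation, nonce); the allowlist, the addresses, the unknown selector and both sample transactions are constructed for illustration, and the fingerprint is a SHA-256 stand-in for the wallet's real EIP-712 transaction hash.

```python
"""Independent pre-signing policy check for a Safe-style multisig transaction.

Added example, not code from Bybit, Safe or any source cited on the page.
Field names follow Safe's execTransaction (to, value, data, operation);
the allowlist, the addresses and both sample transactions are constructed.
"""
import hashlib
import json

CALL, DELEGATECALL = 0, 1

# Constructed allowlist of the only destinations this wallet should ever touch.
HOT_WALLET = "0x1111111111111111111111111111111111111111"
TOKEN_CONTRACT = "0x2222222222222222222222222222222222222222"
ALLOWED_DESTINATIONS = {HOT_WALLET, TOKEN_CONTRACT}

# ERC-20 transfer(address,uint256) is the only call shape this wallet may sign.
TRANSFER_SELECTOR = "a9059cbb"
ALLOWED_SELECTORS = {TRANSFER_SELECTOR: "transfer(address,uint256)"}


def encode_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(recipient, amount): selector + two 32-byte words."""
    addr_word = recipient.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + TRANSFER_SELECTOR + addr_word + f"{amount:064x}"


def decode_transfer(data_hex: str):
    """Decode transfer(address,uint256) calldata into (recipient, amount), or None."""
    data = data_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[8 + 24:8 + 64]   # address is the low 20 bytes of the word
    amount = int(data[8 + 64:], 16)
    return recipient, amount


def check_policy(tx: dict) -> list:
    """Return the list of policy violations; an empty list means the tx may be signed."""
    violations = []
    if tx["operation"] != CALL:
        violations.append("operation is DELEGATECALL: target code runs with the wallet's "
                          "own storage and can replace its logic")
    if tx["to"].lower() not in ALLOWED_DESTINATIONS:
        violations.append(f"destination {tx['to']} is not on the allowlist")
    data = tx["data"].lower().removeprefix("0x")
    if data:
        selector = data[:8]
        decoded = decode_transfer(tx["data"])
        if selector not in ALLOWED_SELECTORS:
            violations.append(f"unknown function selector 0x{selector}")
        elif decoded is None:
            violations.append("malformed transfer calldata")
        elif decoded[0] not in ALLOWED_DESTINATIONS:
            violations.append("transfer recipient is not on the allowlist")
    return violations


def fingerprint(tx: dict) -> str:
    """Short digest of the canonical fields for signers to compare out of band.

    Stand-in for the wallet's real EIP-712 transaction hash (keccak-256, which
    the standard library lacks). Signers whose independent tools disagree on
    this value should refuse to sign.
    """
    fields = {k: tx[k] for k in ("to", "value", "data", "operation", "nonce")}
    canon = json.dumps(fields, sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()[:16]


# Constructed: the transfer the signing interface displays (one token unit, 18 decimals).
DISPLAYED_TX = {
    "to": TOKEN_CONTRACT,
    "value": 0,
    "data": encode_transfer(HOT_WALLET, 10**18),
    "operation": CALL,
    "nonce": 42,
}

# Constructed: what is actually submitted for signature behind the same display.
# A delegatecall into an unknown contract with unknown calldata, the pattern of a
# transaction that alters the wallet's own logic. Not Bybit's real payload.
ACTUAL_TX = dict(
    DISPLAYED_TX,
    to="0x9999999999999999999999999999999999999999",
    data="0x" + "12345678" + "00" * 32,
    operation=DELEGATECALL,
)

if __name__ == "__main__":
    for name, tx in (("displayed", DISPLAYED_TX), ("actual", ACTUAL_TX)):
        print(name, fingerprint(tx), check_policy(tx) or "OK")
```

Run stand-alone, the displayed transaction passes with no violations while the actual one is rejected for the delegatecall, the unknown destination and the unknown selector, and the two fingerprints differ, which is what two signers comparing hashes by phone or on a hardware device screen would notice. The policy is deliberately strict: a treasury wallet that only ever moves tokens to a known hot wallet has no business signing a delegatecall at all.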

Relevance

The Lazarus Group’s theft of $1.5 billion in cryptocurrency is a grim reminder of the growing threat posed by state-sponsored cybercriminals. The attack highlights vulnerabilities in digital finance and shows that even a multi-signature cold wallet, often treated as the strongest available control, can be circumvented when the process around it is compromised. Incidents like this undermine trust in cryptocurrency markets and can change how people invest in them, and the stolen money funds wider threats, disrupts economies and exploits emerging technologies.

References

[1] Lakshmanan, R. (2025, February 22). Bybit confirms Record-Breaking $1.5 billion crypto heist in sophisticated cold wallet attack. The Hacker News. https://thehackernews.com/2025/02/bybit-confirms-record-breaking-146.html

[2] Lyngaas, S. (2025, February 24). North Korean hackers steal record $1.5 billion in single crypto hack, security firm says. CNN. https://www.cnn.com/2025/02/24/politics/north-korean-hackers-crypto-hack/index.html

[3] O’Neill, A. (2025, February 25). Confronting credit headwinds, crypto, cyber, & tech disruption. S&P Global. https://www.spglobal.com/ratings/en/research/articles/250225-digital-assets-brief-bybit-hack-underlines-importance-of-cyber-resilience-13426701

[4] Park, J. (2021). The Lazarus Group: The cybercrime syndicate financing the North Korean state. Harvard International Review.

[5] Ranxburgaj, E., & English, G. (2025, February 22). North Korea feared to be behind ‘worst hack in history’ as Kim’s goons took £1 billion in world’s biggest crypto heist. The Scottish Sun. https://www.thescottishsun.co.uk/money/14382154/worst-hack-history-cybercriminals-steal-crypto-ethereum-bybit/