Hackers thought to be working for the North Korean regime have successfully converted at least $300m (£232m) of their record-breaking $1.5bn crypto heist to unrecoverable funds.
Two weeks ago, the criminals, who are known as the Lazarus Group, broke into the cryptocurrency exchange ByBit and stole a large amount of digital tokens. Since then, it’s been a cat-and-mouse game to track and block the hackers from successfully converting the crypto into usable cash.
Experts say the infamous hacking team is working nearly 24 hours a day – potentially funnelling the money into the regime’s military development.
Dr. Tom Robinson, co-founder of crypto investigators Elliptic, states, “Every minute matters for the hackers who are trying to confuse the money trail and they are extremely sophisticated in what they’re doing.” Out of all the criminal actors involved in crypto currency, North Korea is the best at laundering crypto, Dr Robinson says.
“I imagine that they have a room full of people performing this task with automated tools and years of experience. We can also see from their activity that they only take a few hours break each day, possibly working in shifts to get the crypto turned into cash.”
Elliptic’s analysis tallies with ByBit, which says that 20% of the funds have now “gone dark”, meaning they are unlikely ever to be recovered.
The US and allies accuse the North Koreans of carrying out dozens of hacks in recent years to fund the regime’s military and nuclear development.
On February 21, by hacking into one of ByBit’s suppliers, the criminals secretly altered the digital wallet address to which 401,000 Ethereum crypto coins were being sent. ByBit thought it was moving the money to its own digital wallet, but instead sent all of it to the hackers.

[Image: Ben Zhou, CEO of ByBit (Getty Images). Through a bounty program, ByBit CEO Ben Zhou hopes to recover some of the stolen funds.]
ByBit CEO Ben Zhou reassured customers that no money had been stolen. Zhou stated that the company is “waging war on Lazarus” despite having repaid the investors for the stolen coins.
ByBit’s Lazarus Bounty program encourages the general public to locate the stolen funds and, if possible, freeze them. All crypto transactions are displayed on a public blockchain, so it’s possible to track the money as it’s moved around by the Lazarus Group.
If the hackers try to use a mainstream crypto service to turn the coins into normal money such as dollars, that company can freeze the coins if it thinks they are linked to crime.
Twenty individuals have received rewards totaling more than $4 million for successfully locating $40 million of the stolen funds and alerting cryptocurrency companies to block transfers. But experts are downbeat about the chances of the rest of the funds being recoverable, given the North Korean expertise in hacking and laundering the money.
According to Dr. Dorit Dor of the cyber security firm Check Point, “North Korea is a very closed system and closed economy, so they created a successful industry for hacking and laundering and they don’t care about the negative impression of cyber crime.” Another problem is that not all crypto companies are as willing to help as others.
Crypto exchange eXch is being accused by ByBit and others of not stopping the criminals cashing out.
More than $90 million has been successfully channeled through this exchange. However, Johann Roberts, the elusive owner of eXch, disputed that via email. He admits they didn’t initially stop the funds, as his company is in a long-running dispute with ByBit, and he says his team wasn’t sure the coins were definitely from the hack.
He says he is now co-operating, but argues that mainstream companies that identify crypto customers are betraying the private and anonymous benefits of crypto currency.

[Image: Park Jin Hyok (FBI). Park Jin Hyok is one of the alleged Lazarus Group hackers.]
Although North Korea is thought to be the only nation in the world using its hacking capabilities for financial gain, it has never acknowledged being behind the Lazarus Group.
The Lazarus Group used to target banks, but in the last five years it has concentrated on cryptocurrency businesses. The sector is less secure, with fewer safeguards in place to prevent money from being laundered. Recent hacks linked to North Korea include:
The $41 million UpBit hack in 2019
The $275 million theft of cryptocurrency from KuCoin, where the majority of the funds were recovered
The 2022 Ronin Bridge attack, which saw hackers make off with $600m in crypto
The 2023 attack on Atomic Wallet, which resulted in the theft of approximately $100 million in crypto
In 2020, the United States added North Koreans accused of being part of the Lazarus Group to its Cyber Most Wanted list. But the chances of the individuals ever being arrested are extremely slim unless they leave their country.