North Korean hackers ‘took just two minutes' to pull off record $1.5bn heist

Yahoo

28-02-2025

North Korean hackers took just two minutes to make off with $1.5bn (£1.2bn) in cryptocurrency, cyber security researchers believe, in the single biggest heist in history.
Post-mortem reports commissioned by the cryptocurrency exchange Bybit, which last week saw hundreds of millions of dollars in the Ethereum cryptocurrency stolen by a Pyongyang-linked group, revealed details of how the hackers breached its systems.
The cyber attackers were able to compromise a so-called cold wallet used by Bybit, a Dubai-based cryptocurrency exchange. These hardware wallets, akin to an encrypted USB-stick, are supposed to be secure, as they are kept offline and away from the internet.
However, when the cryptocurrency exchange attempted to move funds from their hardware wallet into an online account, the attackers were able to strike within seconds.
Cyber security experts from Sygnia and Verichains said the hacked transaction was as a result of a breach in a technology called Safe Wallet, having pieced together the events from digital records.
Two days before the incident, North Korean hackers, believed to be part of the rogue state's notorious Lazarus Group, injected malicious code into the online infrastructure of Safe Wallet, which it would use to communicate with ByBit's account when it was activated.
Safe Global, the company behind the wallet, said the hackers had managed to 'compromise the machine of a Safe Wallet developer', blaming the hacking group's 'sophisticated social engineering attacks'.
The malicious code was specifically designed to crack Bybit's wallet. It was able to mimic the coded 'signature' of three accounts, including the chief executive of Bybit, when it activated.
When Bybit attempted to transfer its funds, at 2.15pm last Friday, the hackers swiftly drained its wallets of 400,000 Ethereum coins, using a backdoor function they had inserted.
According to Sygnia's report 'two minutes after the malicious transaction was executed and published', the hackers removed their code and escaped from the system before Bybit even realised the money was gone.
Having made off with the funds, the North Korean group has rapidly worked to launder the funds through a series of cryptocurrency exchanges.
The hack represents the most devastating attack yet by North Korea's cyber agents, who are under the command of the state's intelligence service and tasked with stealing funds from the West to finance the country's weapons of mass destruction.
It eclipses the $1.3bn stolen by North Korea over the whole of 2024.
The country's hackers have been blamed for a total of $6bn in cryptocurrency thefts over the last decade. It is larger than the biggest bank heist in history, when $1bn was stolen by Saddam Hussein from Iraq's central bank in 2003.
The Bybit hack has been blamed on Lazarus Group, a group linked to Kim Jong-un's intelligence agency, the Reconnaissance General Bureau.
The group is notorious for its carefully planned attacks, using a mix of social engineering, email phishing and technical brilliance to expose systems.
On Wednesday, the FBI formally blamed North Korea for the heist, labelling the hacking group behind with the codename TraderTraitor. The FBI said the hackers were 'proceeding rapidly and have converted some of the stolen assets to bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains'.
It called on exchanges to identify and block suspect transactions. While many digital coin transactions are anonymous, they can be tracked through its digital ledger technology, known as the blockchain, by security experts.
However, many exchanges have few know-your-customer or anti-fraud checks – or little incentive to comply with investigations in the unregulated space.
Meanwhile Ben Zhou, the chief executive of Bybit, said he had declared 'war against Lazarus', promising up to $140m as a reward for organisations that were able to capture or freeze stolen funds.
He added he would name and shame exchanges that failed to block known transactions from Lazarus Group. He said: 'We will not stop until Lazarus or bad actors in the industry is eliminated.'
Safe Global said it had 'fully rebuilt, reconfigured all infrastructure and rotated all credentials, ensuring the attack vector is fully eliminated'. It added: 'Safe remains committed to security, transparency, self-custody and pushing the industry forward.'
Broaden your horizons with award-winning British journalism. Try The Telegraph free for 1 month with unlimited access to our award-winning website, exclusive app, money-saving offers and more.