North Korean hackers 'took just two minutes' to pull off record $1.5bn heist


Telegraph, 28-02-2025
North Korean hackers took just two minutes to make off with $1.5bn (£1.2bn) in cryptocurrency, cyber security researchers believe, in the single biggest heist in history.
Post-mortem reports commissioned by the cryptocurrency exchange Bybit, which last week saw hundreds of millions of dollars in the Ethereum cryptocurrency stolen by a Pyongyang-linked group, revealed details of how the hackers breached its systems.
The cyber attackers were able to compromise a so-called cold wallet used by Bybit, a Dubai-based cryptocurrency exchange. These hardware wallets, akin to an encrypted USB-stick, are supposed to be secure, as they are kept offline and away from the internet.
However, when the cryptocurrency exchange attempted to move funds from their hardware wallet into an online account, the attackers were able to strike within seconds.
Cyber security experts from Sygnia and Verichains, having pieced together the events from digital records, said the hacked transaction was the result of a breach in a technology called Safe Wallet.
Two days before the incident, North Korean hackers, believed to be part of the rogue state's notorious Lazarus Group, injected malicious code into the online infrastructure of Safe Wallet, which it would use to communicate with Bybit's account when it was activated.
Safe Global, the company behind the wallet, said the hackers had managed to 'compromise the machine of a Safe Wallet developer', blaming the hacking group's 'sophisticated social engineering attacks'.
The malicious code was specifically designed to crack Bybit's wallet. It was able to mimic the coded 'signature' of three accounts, including the chief executive of Bybit, when it activated.
When Bybit attempted to transfer its funds, at 2.15pm last Friday, the hackers swiftly drained its wallets of 400,000 Ethereum coins, using a backdoor function they had inserted.
According to Sygnia's report, 'two minutes after the malicious transaction was executed and published', the hackers removed their code and escaped from the system before Bybit even realised the money was gone.
Having made off with the funds, the North Korean group has rapidly worked to launder the funds through a series of cryptocurrency exchanges.
Biggest heist in history
The hack represents the most devastating attack yet by North Korea's cyber agents, who are under the command of the state's intelligence service and tasked with stealing funds from the West to finance the country's weapons of mass destruction.
It eclipses the $1.3bn stolen by North Korea over the whole of 2024.
The country's hackers have been blamed for a total of $6bn in cryptocurrency thefts over the last decade. It is larger than the biggest bank heist in history, when $1bn was stolen by Saddam Hussein from Iraq's central bank in 2003.
The Bybit hack has been blamed on Lazarus Group, a group linked to Kim Jong-un's intelligence agency, the Reconnaissance General Bureau.
The group is notorious for its carefully planned attacks, using a mix of social engineering, email phishing and technical brilliance to expose systems.
On Wednesday, the FBI formally blamed North Korea for the heist, labelling the hacking group behind it with the codename TraderTraitor. The FBI said the hackers were 'proceeding rapidly and have converted some of the stolen assets to bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains'.
It called on exchanges to identify and block suspect transactions. While many digital coin transactions are anonymous, security experts can track them through the digital ledger technology known as the blockchain.
However, many exchanges have few know-your-customer or anti-fraud checks – or little incentive to comply with investigations in the unregulated space.
Meanwhile Ben Zhou, the chief executive of Bybit, said he had declared 'war against Lazarus', promising up to $140m as a reward for organisations that were able to capture or freeze stolen funds.
He added he would name and shame exchanges that failed to block known transactions from Lazarus Group. He said: 'We will not stop until Lazarus or bad actors in the industry is eliminated.'
Safe Global said it had 'fully rebuilt, reconfigured all infrastructure and rotated all credentials, ensuring the attack vector is fully eliminated'. It added: 'Safe remains committed to security, transparency, self-custody and pushing the industry forward.'