Cryptocurrency experts are expressing serious concerns after North Korean hackers from the Lazarus Group successfully stole approximately $1.5 billion from the Bybit crypto exchange last week. This marks the largest cryptocurrency heist yet, and the hackers managed to breach a security mechanism that was considered to be among the most secure.
The attack has triggered drops in the prices of Bitcoin, Ether, and other cryptocurrencies, as well as in the stock prices of companies like Coinbase Inc. Lazarus Group is believed by the US FBI to be backed by Kim Jong-Un’s regime in North Korea. The hackers targeted a “cold” crypto storage wallet, which is usually isolated from online networks to protect the private keys needed to access funds.

According to reports, the hackers exploited a vulnerability in multi-signature wallets, which many crypto exchanges use. These wallets require multiple authorizations from different people for transactions. During the Bybit attack, the hackers compromised the computer of an employee at Safe Wallet, Bybit’s crypto wallet provider. They then used malicious code to present false information to the signers, tricking them and causing the automated systems to approve the illegitimate transaction.
Shahar Madar, vice president of security and trust at Fireblocks, described the attack to Bloomberg as a form of ambush, where the hackers “piggybacked on an existing flow.” Analysts have also expressed alarm at the speed with which the hackers moved and laundered the stolen funds, using decentralized exchanges to convert the crypto into other forms.
Dan Hughes, founder of Radix blockchain, noted that multi-signature wallets had given signers a false sense of security. He questioned how exchanges will be able to adequately defend against this.
Bybit Chief Operating Officer Helen Liu was alerted to the hack while preparing to have dinner. The company’s engineers worked tirelessly for several days as they tried to contain the outflow of funds.
Bybit took several steps to mitigate the damage, including using its own funds to replace approximately 515,000 stolen tokens, as well as borrowing from other platforms. The company has claimed to have restored 77% of its Assets Under Management (AUM) to pre-incident levels. According to DefiLlama, Bybit’s clients withdrew almost $4 billion in the first two days following the attack. The exchange was able to recover just $43 million, representing only 3% of the total stolen assets.
Last year, crypto thefts linked to North Korean hackers doubled, reaching $1.34 billion. Chainalysis research indicates that this sum accounted for about 60% of the total value of global crypto attacks. This latest hack on Bybit has already surpassed their previous record.
The US government believes that the Lazarus Group is controlled by North Korea’s Reconnaissance General Bureau, one of its main intelligence agencies. Authorities believe that the funds stolen from such attacks are used to fund the Kim Jong-Un regime’s nuclear weapons program.
Analysts emphasize that guarding against state-sponsored attacks will demand greater investments in cybersecurity, stricter regulations, and improved coordination between governments. The Lazarus Group is also believed to have attacked DMM Bitcoin in Japan and WazirX in India in 2024. WazirX was forced to restructure after the attack.