North Korea’s US$1.5 billion heist puts crypto on notice

After years of going after decentralized crypto projects with low security barriers, North Korean hackers are stepping up attacks

The impact on the industry and on the nascent regulations governing it is far-reaching, according to interviews with more than a dozen executives and security experts. Staving off North Korean thefts will likely require much higher spending by crypto exchanges, more stringent regulations and increased coordination between governments, they said.

Bybit, one of the biggest crypto exchanges, was forced to borrow from other platforms and use its own treasury funds to replace the roughly 515,000 tokens, mostly Ether but also derivatives of the coin, that were stolen. Its efforts to restore calm didn’t stop clients from withdrawing about US$4 billion from the platform within two days of the attack, according to DefiLlama.

“Bybit has successfully restored 77 per cent of its Assets Under Management (AUM) to pre-incident levels,” the company said Thursday.

Western governments have accused the North Korean state of fostering a number of hacking groups, with the economically isolated country allegedly having used cybercrime to bring in money to fund weapons programs. The hacking group known as Lazarus Group, one of the most formidable, dates back as far as 2007 and is controlled by the cyber operations arm of one of the country’s primary intelligence agencies, the Reconnaissance General Bureau, according to United States officials.

The Bybit hack is the largest crypto theft so far

Crypto thefts by North Korea-linked hackers more than doubled last year to US$1.34 billion, accounting for about 60 per cent of the total, according to researcher Chainalysis. The Bybit hack means exploits attributed to the regime have already surpassed that amount in 2025.

“This attack shows that even serious and diligent teams — which Bybit surely is — face extremely demanding environments; the predators are literally, not figuratively, nation-state actors,” Mitchell Amador, chief executive of crypto security firm Immunefi, said in an email. “They have infinite time, patience, and resources, and they only need to win once.”

Bybit chief operating officer Helen Liu had just sat down for dinner with her parents in Dubai, where the exchange is based, when chief executive Ben Zhou called to tell her about the hack. She left for the office and worked through the night, at one point juggling three different calls at the same time.

“I slept a bit after coming back home,” she said in an interview. “But our CEO, our wallet engineers, the team tracking the money, they didn’t sleep for two or three days.”

The tokens taken from Bybit were held in a multi-signature cold wallet, meaning three people with authorizations, including Zhou, were required to sign off on moving any funds. Multi-signature cold wallets have long been considered safe and are widely used among crypto exchanges, researchers said.

While accounts of precisely how the attack unfolded vary somewhat, the hackers appear to have begun by targeting the computer of an employee at Safe Wallet, Bybit’s crypto wallet provider. The company didn’t respond to requests for comment.

“What the hackers did was a form of ambush,” said Shahar Madar, vice president of security and trust at custody solutions provider Fireblocks. “It was piggybacking on an existing flow.”

Social Engineering Hacks

To some extent, the perceived safety of multi-signature wallets could have imbued the signers with a false sense of security, according to Dan Hughes, who founded the Radix blockchain.

North Korean hackers have gotten particularly adept at exploiting that vulnerability through so-called social engineering attacks on the sector, the FBI said in a September notice. In the Bybit heist, the signers were presented with false information the malicious code had inserted, making them believe they were approving a legitimate transaction.
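The failure described above, signers approving what the wallet interface shows them rather than what their signing device is actually asked to sign, can be illustrated with a toy k-of-n multisig. The code below is an added example and is not code from Bybit, Safe Wallet or any wallet vendor: the `Transaction` and `Signer` types, the placeholder addresses and the SHA-256-over-canonical-JSON digest are constructed for illustration (real wallets use a chain-specific signing hash). It shows why the defensive takeaway is independent verification: a single signer who recomputes the digest of the raw payload on a trusted device is enough to stop a spoofed transaction from reaching the threshold.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed example, not Bybit's or Safe's code: a toy k-of-n multisig in
# which each signer either trusts the wallet UI or independently recomputes
# the digest of the raw payload before approving.


@dataclass(frozen=True)
class Transaction:
    to: str          # destination address (hex string, placeholder values below)
    value_wei: int   # amount in wei
    data: str        # hex calldata ("0x" for a plain transfer)
    nonce: int       # wallet nonce, so an old approval cannot be replayed


def tx_digest(tx: Transaction) -> str:
    """Canonical digest of the transaction fields. A real wallet uses a
    chain-specific hash (e.g. an EIP-712 typed-data hash); SHA-256 over
    canonical JSON is a stand-in that shows the principle: hash what is
    actually going to be signed, not what a screen renders."""
    canonical = json.dumps(
        {"to": tx.to.lower(), "value": tx.value_wei,
         "data": tx.data.lower(), "nonce": tx.nonce},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass(frozen=True)
class Signer:
    name: str
    verifies_independently: bool  # recomputes the digest on a trusted device


def signer_approves(signer: Signer, displayed: Transaction,
                    payload: Transaction) -> bool:
    """displayed: the transaction the signer intended to approve, as the UI
    rendered it. payload: the raw transaction the signing device actually
    receives. A signer who only reads the UI approves whatever looks
    legitimate; a verifying signer compares digests and refuses on mismatch."""
    if not signer.verifies_independently:
        return True  # trusts the rendering, so cannot detect a spoofed display
    return tx_digest(payload) == tx_digest(displayed)


def run_multisig(displayed: Transaction, payload: Transaction,
                 signers: list, threshold: int):
    """Collect approvals and execute only if at least `threshold` signers
    approve. Returns (executed, names_of_approving_signers)."""
    approvals = [s.name for s in signers
                 if signer_approves(s, displayed, payload)]
    return len(approvals) >= threshold, approvals


# Constructed scenario: the UI shows a routine transfer to the exchange's own
# hot wallet while the payload submitted for signing points elsewhere.
HOT_WALLET = "0x1111111111111111111111111111111111111111"     # placeholder
OTHER_ADDR = "0x2222222222222222222222222222222222222222"     # placeholder

INTENDED = Transaction(to=HOT_WALLET, value_wei=10**18, data="0x", nonce=42)
SPOOFED = Transaction(to=OTHER_ADDR, value_wei=10**18, data="0x", nonce=42)

TRUSTING_SIGNERS = [Signer("A", False), Signer("B", False), Signer("C", False)]
ONE_VERIFIER = [Signer("A", False), Signer("B", True), Signer("C", False)]

if __name__ == "__main__":
    # All three trust the UI: the spoofed payload collects three approvals.
    print(run_multisig(INTENDED, SPOOFED, TRUSTING_SIGNERS, threshold=3))
    # One signer verifies: the spoofed payload falls short of the threshold.
    print(run_multisig(INTENDED, SPOOFED, ONE_VERIFIER, threshold=3))
    # Honest payload: every signer approves, including the verifier.
    print(run_multisig(INTENDED, INTENDED, ONE_VERIFIER, threshold=3))
```

The design point is that the multisig threshold only protects against a spoofed display if at least one of the required signers checks the digest of the real payload against a reference computed outside the compromised interface, for example on a hardware device with its own screen or from parameters agreed over a separate channel.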

Chart: How Hackers Move Stolen Funds to Hide Tracks. After stealing $1.5 billion in Ethereum tokens, Lazarus distributed the funds across hundreds of wallets.

“I’m really coming up blank on how exchanges are going to properly be able to defend against this and make sure that the tool chains that are used and the people who are on the multi-sigs aren’t compromised socially or physically,” Hughes said.

The hack puts the spotlight on a potentially existential issue for an industry that scored a huge win when Donald Trump returned to the White House in January and put crypto advocates in key positions. The Securities and Exchange Commission, which embarked on a years-long crackdown under former Chair Gary Gensler, has closed down investigations into several crypto outfits in past weeks.

Targeting Crypto’s Core

After years of going after mostly decentralized crypto projects with lower security barriers, North Korean hackers have begun stepping up attacks on centralized exchanges, striking Japan’s DMM Bitcoin and India’s WazirX in 2024. WazirX, at one point India’s biggest crypto exchange, filed for restructuring after the hack.

Centralized exchanges sit at the heart of the crypto ecosystem and often handle hundreds of billions of dollars of trading volume a day in total. The impact of a major hack like the one on Bybit can reverberate far beyond just the exchange and its customers. Ether, Bitcoin and other cryptocurrencies slumped on news of the hack, as did shares of Coinbase Inc., the biggest listed exchange.


Faced with increasingly sophisticated nation-state hackers, crypto exchanges must ramp up security spending and also work more closely with governments to track and recover funds before criminals move them out of reach, said Ang of TRM Labs. Regulators are likely to rethink their rules for how exchanges handle customer assets, she said.

The speed and skill with which the hackers moved once they were inside added to the unease. The assets were siphoned off the Bybit wallet within seconds of the transaction being approved, and then laundered by using decentralized exchanges and so-called cross-chain bridges to convert them into other cryptocurrencies.

Bybit says about US$43 million of the stolen crypto has been recovered, or three per cent of the total. It has launched a bounty-hunter website, offering rewards for those who manage to trace and freeze stolen tokens. In a statement on Wednesday, the FBI circulated a list of blockchain addresses linked to the hackers and encouraged entities throughout the cryptosphere to block transactions related to them.
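Acting on a list like the one the FBI circulated means screening transactions against it before they settle. The code below is an added example, not code from Bybit, the FBI or any vendor: it shows the check an exchange or custodian can run over its outgoing and incoming transfers, with one hop of taint propagation so that funds fanned out from a flagged address to fresh wallets are caught as well. The addresses, the transaction records and the one-address-per-line list format are constructed placeholders and are not the FBI's actual list.

```python
import re
from dataclasses import dataclass

# Constructed example: screen transactions against a published list of
# flagged addresses and propagate the flag one hop to recipients.
# Addresses and transactions here are placeholders, not any real advisory.

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Lower-case a hex address so mixed-case copies of the same address
    compare equal; reject anything that is not a 20-byte hex string."""
    addr = addr.strip()
    if not ADDR_RE.match(addr):
        raise ValueError(f"malformed address: {addr!r}")
    return addr.lower()


@dataclass(frozen=True)
class Tx:
    tx_id: str
    sender: str
    recipient: str
    amount: float


def load_blocklist(lines):
    """Parse a text list: one address per line, '#' comments and blank
    lines ignored. Returns a set of normalized addresses."""
    out = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            out.add(normalize(line))
    return out


def screen(txs, blocklist, propagate=True):
    """Return {tx_id: reason} for every transaction touching a flagged
    address. Transactions are assumed to be in chronological order. With
    propagate=True, a recipient of funds from a flagged sender is added to
    the flagged set, so a one-hop fan-out to fresh wallets is also caught."""
    flagged = set(blocklist)
    hits = {}
    for tx in txs:
        s, r = normalize(tx.sender), normalize(tx.recipient)
        if s in flagged:
            hits[tx.tx_id] = f"sender {s} is flagged"
            if propagate:
                flagged.add(r)
        elif r in flagged:
            hits[tx.tx_id] = f"recipient {r} is flagged"
    return hits


# Constructed list: two placeholder addresses, one written in upper case to
# show that normalization makes it match.
BLOCKLIST_TEXT = [
    "# placeholder list for the example, not a real advisory",
    "0x" + "a" * 40,
    "0x" + "B" * 40 + "   # trailing comment and whitespace are ignored",
    "",
]
BLOCKLIST = load_blocklist(BLOCKLIST_TEXT)

# Constructed transactions in chronological order.
SAMPLE_TXS = [
    Tx("t1", "0x" + "a" * 40, "0x" + "c" * 40, 100.0),  # flagged sender, fresh wallet
    Tx("t2", "0x" + "c" * 40, "0x" + "d" * 40, 99.0),   # second hop from that wallet
    Tx("t3", "0x" + "e" * 40, "0x" + "f" * 40, 5.0),    # unrelated transfer
    Tx("t4", "0x" + "e" * 40, "0x" + "b" * 40, 1.0),    # deposit to a flagged address
]

if __name__ == "__main__":
    for tx_id, reason in screen(SAMPLE_TXS, BLOCKLIST).items():
        print(tx_id, "->", reason)
```

Propagation is deliberately limited to recipients of flagged senders: flagging every counterparty of a flagged recipient would taint ordinary deposit addresses, so a production screen typically bounds the hop count and pairs this check with manual review before freezing funds.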

“The sheer scale and speed of this laundering operation show that crypto security is not keeping pace with attackers,” Ang said. “This attack was a stress test for the industry, and it barely passed.”

—With assistance from Sidhartha Shukla.
