How North Korea Pulled Off the Biggest Heist in History
Just after 2pm last Friday, a notorious group of hackers – responsible for some of the worst cybercrimes of the 21st century – pulled off what may well be their magnum opus. In the space of just a few minutes, approximately $1.46bn (£1.16bn) worth of digital currency was stolen from Bybit, one of the world's most popular crypto exchanges, and funnelled across the internet to anonymous wallets. It marked the biggest heist in history.
For comparison, the amount stolen was nearly 30 times greater than the £53m taken during the 2006 Securitas depot robbery in Tonbridge, the UK's largest ever cash heist. It was also nearly $500m larger than the amount Saddam Hussein stole from the Iraqi Central Bank on the eve of the 2003 Iraq war in an act that is commonly listed as the largest theft of all time.
Details of the operation are still emerging, but what is unique to crypto exchange breaches is that funds can be tracked in real time over the blockchain. Serving as an online ledger, blockchain technology provides for the transparency of every transaction and movement of funds between wallet addresses, even if the owner of an individual wallet is unknown.
This has allowed investigators to follow the stolen assets in real time as the hackers attempt to launder them through various wallets and exchanges, with the pattern closely mirroring a technique used by one of the world's most sophisticated hacking operations: the Lazarus Group. Allegedly backed by North Korea since its inception in 2009, the group has previously caused worldwide chaos through the 2017 WannaCry ransomware attacks, which infected 200,000 computers across 150 countries, including the system used by the NHS.
The Lazarus Group has also carried out numerous cryptocurrency attacks in the past, though Friday's haul represents the largest strike to date, with the hackers making away with the equivalent of North Korea's annual defence budget ($1.47bn in 2023).
Crypto investigation firm Chainalysis noted that the Bybit hack followed a common playbook used by Lazarus, which opens with a social engineering attack to gain control of the funds. It occurred during a routine transfer from Bybit's Ethereum cold wallet – an offline crypto storage device – to its online hot wallet.
By targeting those responsible for verifying the wallet addresses with personalised phishing attacks, the hackers tricked them into signing off the transactions to wallets owned by Lazarus. "A security system is only as strong as its weakest link," Shahar Madar, vice-president of security and trust at blockchain platform Fireblocks, told The Independent.
"In Bybit's case, there was a security loophole when Ledger [a hardware wallet] and Safe[Wallet] [a digital wallet app] were used together. Hackers likely used malware to secretly modify what users saw on the Safe[Wallet] interface. Users thought they were approving a normal transaction, when in reality they were approving a different, manipulated one."
Within two hours of the Bybit theft, researchers from blockchain analytics firm Elliptic observed stolen funds being sent to 50 different wallets, each holding approximately 10,000 ETH (Ethereum). These wallets were then systematically emptied through decentralised exchanges as part of the laundering process.
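The fan-out pattern Elliptic describes (one source splitting into dozens of near-equal tranches, each then swept to a decentralised exchange) is the kind of thing an exchange's monitoring can flag on-chain. The following is an added illustration, not code from the article or from Elliptic or Chainalysis: it runs a simple fan-out detector over a constructed ledger with placeholder addresses (0xVICTIM, 0xHOP00 and so on) and then checks whether the intermediary wallets forwarded their balance to a constructed DEX address.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample ledger with placeholder addresses (not real Bybit or
# Lazarus addresses). Each row: (timestamp_secs, from_addr, to_addr, amount_eth).
# 50 tranches of ~10,000 ETH leave 0xVICTIM within ~17 minutes, then each hop
# wallet sweeps almost everything to a DEX router; two merchant payments are noise.
SAMPLE_TRANSFERS = (
    [(1000 + i * 20, "0xVICTIM", f"0xHOP{i:02d}", 10_000.0) for i in range(50)]
    + [(2000 + i * 30, f"0xHOP{i:02d}", "0xDEX_ROUTER", 9_999.5) for i in range(50)]
    + [(1500, "0xMERCHANT", "0xCUSTOMER_A", 1.2),
       (1600, "0xMERCHANT", "0xCUSTOMER_B", 8.7)]
)

def find_fanouts(transfers, min_outputs=20, window_secs=7200, max_spread=0.05):
    """Return {sender: [destinations]} for senders that pushed near-equal
    amounts to at least min_outputs distinct addresses inside one time window.
    Spread is measured as population stddev / mean of the window's amounts."""
    by_sender = defaultdict(list)
    for ts, src, dst, amt in transfers:
        by_sender[src].append((ts, dst, amt))
    hits = {}
    for src, outs in by_sender.items():
        outs.sort()  # order this sender's outputs by time
        for i, (start_ts, _, _) in enumerate(outs):
            window = [o for o in outs[i:] if o[0] - start_ts <= window_secs]
            dests = {dst for _, dst, _ in window}
            amts = [amt for _, _, amt in window]
            if len(dests) >= min_outputs and pstdev(amts) / mean(amts) <= max_spread:
                hits[src] = sorted(dests)
                break
    return hits

def trace_second_hop(transfers, hop_wallets, dex_addresses, min_fraction=0.9):
    """For each intermediary wallet, report whether at least min_fraction of
    what it received was forwarded to a known DEX address."""
    received, to_dex = defaultdict(float), defaultdict(float)
    for _, src, dst, amt in transfers:
        if dst in hop_wallets:
            received[dst] += amt
        if src in hop_wallets and dst in dex_addresses:
            to_dex[src] += amt
    return {w: to_dex[w] / received[w] >= min_fraction
            for w in hop_wallets if received[w] > 0}

if __name__ == "__main__":
    fanouts = find_fanouts(SAMPLE_TRANSFERS)
    for sender, hops in fanouts.items():
        swept = trace_second_hop(SAMPLE_TRANSFERS, set(hops), {"0xDEX_ROUTER"})
        print(f"{sender}: {len(hops)} hop wallets, {sum(swept.values())} swept to DEX")
```

The thresholds are illustrative; a real deployment would tune the window, tranche count and spread against the exchange's normal withdrawal profile.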