Anton is a crypto journalist with over five years of experience in the industry. For four years, he served as an editor at ForkLog, the largest Russian-speaking Bitcoin magazine. Anton combines his deep understanding of crypto markets with hands-on investment experience, offering sharp insights on expert forecasts, NFT trends, and Web3 innovations. His clear and engaging analysis makes complex topics accessible, empowering readers to make informed decisions in the evolving crypto landscape.
Key Notes
- North Korean hackers used sophisticated "masked" transactions and a fake interface to trick Bybit's security team into approving the theft.
- The Lazarus Group operates with state support and has members working internationally, targeting major institutions since 2009.
- Through numerous high-profile attacks including Sony Pictures, WannaCry ransomware, and multiple crypto platforms, the group has stolen over $7 billion, potentially funding North Korea's weapons programs.
On February 21, 2025, Bybit’s Ethereum cold wallet, a multisignature wallet operated through the Safe wallet interface, was drained of roughly $1.46 billion, one of the largest crypto thefts on record. The attackers used a “masked” transaction: the Safe interface presented to Bybit’s signers was compromised so that it displayed the expected transfer to the expected address, while the transaction the signers actually approved carried a different payload. The multisignature control was satisfied because the signers approved what they were shown rather than what was encoded.
The attack was attributed to the Lazarus Group, an attribution the FBI later confirmed. In response, Bybit’s co-founder and CEO Ben Zhou declared “war” on the North Korean hackers.
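What a signer can do about a masked transaction of this kind, as an added example that is not code from Bybit, Safe or this article: decode the raw execTransaction calldata that the hardware wallet will actually sign over, then compare the decoded fields with what the interface displayed and with an out-of-band policy. The selector is the one for Safe's execTransaction signature; the addresses, the policy, the allowlist and both calldata samples are constructed for the example, and since the article gives no details of the real malicious payload, the "masked" sample only illustrates the field-level differences such a check would surface.

```python
"""Independent pre-signing check for a Safe execTransaction payload.

Added example, not code from Bybit, Safe or the article. A hardware wallet
signs over the transaction fields that are actually encoded, not over what a
web page renders, so the signer's last line of defence is to decode those
fields independently and compare them with (a) what the interface displayed
and (b) an out-of-band policy. Addresses, policy and calldata are constructed.
"""

# 4-byte selector of execTransaction(address,uint256,bytes,uint8,uint256,
# uint256,uint256,address,address,bytes) on Safe contracts.
SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1
ZERO = "0x" + "00" * 20
WARM_WALLET = "0x" + "11" * 20        # constructed: destination the signers expect
ATTACKER_CONTRACT = "0x" + "ee" * 20  # constructed: destination of the hidden payload


def _u256(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(a: str) -> bytes:
    return bytes(12) + bytes.fromhex(a[2:])  # left-padded to a 32-byte word


def _dyn(b: bytes) -> bytes:
    """ABI encoding of a `bytes` value: length word, then data padded to 32."""
    return _u256(len(b)) + b + bytes((-len(b)) % 32)


def encode_exec_transaction(to, value, data, operation, signatures=b""):
    """ABI-encode execTransaction; gas fields fixed at 0 to keep the example short."""
    head_len = 10 * 32               # ten head words, dynamic parts follow
    data_enc = _dyn(data)
    head = (_addr(to) + _u256(value) + _u256(head_len) + _u256(operation)
            + _u256(0) * 3 + _addr(ZERO) + _addr(ZERO)
            + _u256(head_len + len(data_enc)))
    return SELECTOR + head + data_enc + _dyn(signatures)


def _word(body: bytes, i: int) -> int:
    return int.from_bytes(body[i * 32:(i + 1) * 32], "big")


def _bytes_at(body: bytes, off: int) -> bytes:
    # Bounds-check offsets before trusting them: malformed calldata must fail
    # loudly rather than decode to something that looks benign.
    if off + 32 > len(body):
        raise ValueError("dynamic offset points outside calldata")
    n = int.from_bytes(body[off:off + 32], "big")
    if off + 32 + n > len(body):
        raise ValueError("dynamic length runs outside calldata")
    return body[off + 32:off + 32 + n]


def decode_exec_transaction(calldata: bytes) -> dict:
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    if len(body) < 10 * 32:
        raise ValueError("truncated execTransaction head")
    return {
        "to": "0x" + body[12:32].hex(),
        "value": _word(body, 1),
        "data": _bytes_at(body, _word(body, 2)),
        "operation": _word(body, 3),
        "gas_token": "0x" + body[7 * 32 + 12:8 * 32].hex(),
        "refund_receiver": "0x" + body[8 * 32 + 12:9 * 32].hex(),
        "signatures": _bytes_at(body, _word(body, 9)),
    }


def review_before_signing(calldata: bytes, displayed: dict, policy: dict) -> list:
    """Return reasons not to sign; an empty list means the payload is what the UI claimed."""
    tx = decode_exec_transaction(calldata)
    findings = []
    for k in ("to", "value", "data", "operation"):
        if tx[k] != displayed[k]:
            findings.append(f"{k} does not match what the UI displayed: {tx[k]!r} vs {displayed[k]!r}")
    if tx["operation"] == DELEGATECALL:
        findings.append("operation is DELEGATECALL: the target's code would run with the Safe's own storage")
    if tx["to"] not in policy["allowed_to"]:
        findings.append(f"recipient {tx['to']} is not on the allowlist")
    if tx["value"] > policy["max_value_wei"]:
        findings.append("value exceeds the policy ceiling")
    return findings


# Constructed scenario: the UI shows a plain 1 ETH transfer to the warm wallet.
POLICY = {"allowed_to": {WARM_WALLET}, "max_value_wei": 5 * 10**18}
DISPLAYED = {"to": WARM_WALLET, "value": 10**18, "data": b"", "operation": CALL}
BENIGN = encode_exec_transaction(WARM_WALLET, 10**18, b"", CALL)
# What a tampered front-end might submit instead: a delegatecall elsewhere.
MASKED = encode_exec_transaction(ATTACKER_CONTRACT, 0, bytes.fromhex("deadbeef"), DELEGATECALL)

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("masked", MASKED)):
        print(name, review_before_signing(raw, DISPLAYED, POLICY) or ["ok to sign"])
```

The point of the check is that it never consults the web interface: the calldata comes from the signing request itself, the expected values come from the operator's own change ticket, and the allowlist lives outside the browser. The same idea extends to recomputing the Safe transaction hash independently and comparing it with the hash the hardware wallet shows on its own screen, which is the comparison a compromised front-end cannot forge.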
Who is the Lazarus Group?
Lazarus Group is the name given to a North Korean state-sponsored hacking collective that emerged around 2009. Also known as Hidden Cobra, ZINC, Diamond Sleet, or Guardians of Peace, its size and structure remain unknown.
US law enforcement has publicly identified one member, Park Jin Hyok, a North Korean national who worked in software development in China before returning to North Korea in 2011; the US Department of Justice charged him in 2018. The FBI describes him as part of a conspiracy responsible for some of the most damaging cyber intrusions in history.
“Park Jin Hyok is allegedly a state-sponsored North Korean computer programmer who is part of an alleged criminal conspiracy responsible for some of the costliest computer intrusions in history. These intrusions caused damage to computer systems of, and stole currency and virtual currency from, numerous victims.”
The first confirmed attacks by the Lazarus Group date back to 2009, initially targeting South Korean government resources. Over the years, their operations have expanded worldwide.
State Ties and International Reach
It is widely accepted that the Lazarus Group operates under the control of the North Korean government. In a country where only a select few have access to the open internet—while the majority are confined to a censored, state-controlled network—such large-scale cyber operations would be impossible without state approval.
However, NCC Group researchers believe that many North Korean hackers operate from outside North Korea. The FBI has identified group members located in China and other countries.
Early High-Profile Attacks
Sony Pictures Hack (2014): The group took Sony Pictures Entertainment’s network down with destructive malware and displayed threatening messages on employee screens. The attackers also leaked personal data of about 7,000 employees. The attack was widely understood as retaliation for The Interview, a satirical film depicting an assassination attempt on Kim Jong-un; Sony canceled the film’s wide theatrical release.
Bangladesh Central Bank Heist (2016): Using fraudulent SWIFT payment instructions sent from inside Bangladesh Bank’s network, the hackers moved $81 million out of the bank’s account at the Federal Reserve Bank of New York.
WannaCry Ransomware (2017): The worm infected more than 300,000 computers worldwide, demanding a ransom of $300 in bitcoin per machine; victims included hospitals of the UK’s National Health Service, Renault, and Nissan.
Crypto Heists: Billions Stolen
Lazarus Group has been deeply involved in crypto theft since at least 2017, targeting centralized exchanges, DeFi platforms, and bridges.
- 2017-2018: Stole $882 million from 14 cryptocurrency exchanges.
- 2022: Drained the Ronin Network bridge used by Axie Infinity, about $620 million.
- 2022: Attacked Harmony’s Horizon Bridge and, in June 2023, Atomic Wallet, taking roughly $200 million combined.
- 2017-2022: Estimated total crypto theft: $3 billion.
- 2023: Stole at least $600 million, according to TRM Labs.
- 2024: Stolen crypto reached $1.34 billion, reported Chainalysis.
- 2025: At least $1.46 billion from the Bybit hack.
Where Does the Money Go?
The United Nations has previously reported that North Korea uses stolen crypto to finance its nuclear and missile programs, though direct evidence remains scarce.
Regardless of its end use, Lazarus Group’s actions damage the reputation of the entire crypto industry. The Bybit hack is yet another reminder that even major exchanges with advanced security infrastructure remain vulnerable to state-backed cybercriminals. In this case the weak point was not where the keys were stored but the signing workflow: the signers were led to approve a transaction they could not properly see, which is why independent verification of what is being signed matters as much as cold storage itself.
Disclaimer: Coinspeaker is committed to providing unbiased and transparent reporting. This article aims to deliver accurate and timely information but should not be taken as financial or investment advice. Since market conditions can change rapidly, we encourage you to verify information on your own and consult with a professional before making any decisions based on this content.
