
Last week, news outlets worldwide reported that North Korea orchestrated the theft of $1.5 billion in digital tokens from cryptocurrency exchange firm Bybit.
This is not just another crypto hack: it is the largest crypto heist on record. It adds to the growing list of serious concerns about the security of digital assets and about the increasingly sophisticated tactics of state-sponsored cybercriminals.
How did North Korea pull this off?
According to those reports, the attackers are believed to be the notorious Lazarus Group, making this the third attack attributed to the group in six months and bringing its reported total of stolen crypto to roughly $3 billion. Lazarus combined several techniques, each of which had to work for the heist to succeed.
But how did this massive breach unfold?
Phase one: phishing
First, the attackers are suspected to have run targeted phishing campaigns, known as spear phishing, against key personnel. That foothold is believed to have given them access to the interface that Bybit's cold-wallet signers used to review and approve transactions.
For those unfamiliar with cold and hot wallets:
- A hot wallet is like a bank account you use online: the assets are protected but easily accessible because the wallet is connected to the internet, which also makes it reachable by online thieves.
- A cold wallet is like a safe in your house. Cold wallets are usually safer since they’re offline and out of sight of anyone looking to steal.
Wallet signers are the people (and the devices they use) whose cryptographic approval is required before a transaction is executed; a multisignature cold wallet like Bybit's needs several of them to sign the same transaction. So how was Lazarus able to steal from a secure offline location?
Phase two: ‘signed’ transactions
Lazarus prepared a malicious transaction that appeared to move funds from Bybit's Ethereum cold wallet to a hot wallet, a routine operation for an exchange. Because the interface the signers were looking at had been tampered with, they saw a normal-looking transfer while the payload they actually approved was something else. Lazarus did not need Bybit's private keys: the legitimate signers supplied the signatures, so on-chain the transaction looked fully authorized.
In true heist fashion, once that "signed" transaction executed, the attackers controlled the wallet's funds and moved approximately 401,000 ETH, valued at around $1.46 billion at the time, to an address under their control.
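The failure mode in phase two is that a signer trusts the summary a web front-end displays instead of the fields that are actually signed. The following is an added example, not Bybit's code and not any wallet vendor's, of a pre-signing check that ignores the displayed summary and verifies the raw transaction fields on their own. It assumes a Safe-style multisig transaction with `to`, `value`, `data` and `operation` fields, a hypothetical allowlist of approved hot wallets and known token contracts, and constructed sample addresses; it flags both a recipient that differs from what the UI shows and a DELEGATECALL operation, which a routine transfer never needs:

```python
from dataclasses import dataclass
from typing import Optional

# Function selector of ERC-20 transfer(address,uint256): first 4 bytes of keccak256 of the signature.
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
CALL, DELEGATECALL = 0, 1

# Constructed sample addresses (hypothetical, not real Bybit addresses).
HOT_WALLET = "0x" + "11" * 20
TOKEN_CONTRACT = "0x" + "22" * 20
ATTACKER = "0x" + "aa" * 20


@dataclass(frozen=True)
class SafeTx:
    """The raw fields a Safe-style multisig signer actually signs."""
    to: str           # target address (recipient for ETH, token contract for ERC-20)
    value: int        # wei attached to the call
    data: bytes       # calldata; empty for a plain ETH transfer
    operation: int    # 0 = CALL, 1 = DELEGATECALL


def _norm(addr: str) -> str:
    return addr.lower()


def decode_erc20_transfer(data: bytes) -> Optional[tuple[str, int]]:
    """Return (recipient, amount) if calldata is exactly transfer(address,uint256), else None."""
    if len(data) != 4 + 32 + 32 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[4 + 12:4 + 32].hex()   # address is right-aligned in a 32-byte word
    amount = int.from_bytes(data[36:68], "big")
    return recipient, amount


def verify_before_signing(tx: SafeTx, shown_recipient: str,
                          hot_wallets: set[str], known_tokens: set[str]) -> list[str]:
    """Compare what the UI claims against the raw payload. Empty list = safe to sign."""
    problems: list[str] = []
    allow = {_norm(a) for a in hot_wallets}
    tokens = {_norm(a) for a in known_tokens}

    # A delegatecall runs foreign code in the wallet's own context and can replace its logic.
    if tx.operation == DELEGATECALL:
        problems.append("operation is DELEGATECALL, not CALL")
    elif tx.operation != CALL:
        problems.append(f"unknown operation {tx.operation}")

    if tx.data == b"":
        actual_recipient: Optional[str] = _norm(tx.to)
    else:
        if _norm(tx.to) not in tokens:
            problems.append(f"calldata targets {tx.to}, which is not a known token contract")
        decoded = decode_erc20_transfer(tx.data)
        if decoded is None:
            problems.append("calldata is not a plain ERC-20 transfer(address,uint256)")
            actual_recipient = None
        else:
            actual_recipient = decoded[0]
            if tx.value != 0:
                problems.append("ETH value attached to a token transfer")

    if actual_recipient is not None:
        if actual_recipient != _norm(shown_recipient):
            problems.append(f"UI shows {shown_recipient} but payload pays {actual_recipient}")
        if actual_recipient not in allow:
            problems.append(f"recipient {actual_recipient} is not an approved hot wallet")
    return problems


def demo() -> dict[str, list[str]]:
    """Run the check on a routine transfer and on two swapped payloads (all constructed)."""
    routine = SafeTx(to=HOT_WALLET, value=10**18, data=b"", operation=CALL)
    swapped_op = SafeTx(to=HOT_WALLET, value=10**18, data=b"", operation=DELEGATECALL)
    swapped_to = SafeTx(to=TOKEN_CONTRACT, value=0,
                        data=ERC20_TRANSFER_SELECTOR + bytes(12) + bytes.fromhex("aa" * 20)
                        + (10**18).to_bytes(32, "big"),
                        operation=CALL)
    return {name: verify_before_signing(tx, HOT_WALLET, {HOT_WALLET}, {TOKEN_CONTRACT})
            for name, tx in [("routine", routine), ("delegatecall", swapped_op),
                             ("wrong_recipient", swapped_to)]}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", "OK" if not problems else problems)
```

The point of the design is that `shown_recipient` (what the front-end renders) is only ever compared against the decoded payload, never trusted on its own, and the check should run on a device or machine the web interface cannot influence, such as the hardware signer's own display.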
Phase three: move the money
The stolen coins were then moved through many intermediate wallets, a common technique crypto thieves use to hide from the blockchain analysts who investigate such thefts. They also swapped some of the stolen Ethereum for Bitcoin and Dai, using decentralized exchanges to stay under the radar while laundering the tokens.
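Hopping between wallets and mixing in clean funds is what makes phase three hard to follow, and it is why analysts attribute stolen funds proportionally rather than by address alone. The following is an added example, not Bybit's code and not any analytics firm's, of the "haircut" taint convention: every outgoing transfer carries the sender's current tainted fraction, so funds that pass through a wallet mixed with clean money arrive partly tainted. The transfers, amounts and labels are constructed, and the haircut rule is one of several attribution conventions, assumed here for illustration:

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, amount in ETH), in chronological order.
# Addresses are hypothetical labels, not real ones.
DRAINED_WALLET = "drained"
SAMPLE_TRANSFERS = [
    ("drained", "hop_a", 100_000.0),
    ("drained", "hop_b", 100_000.0),
    ("outside", "hop_b", 100_000.0),   # clean funds mixed into hop_b from an unknown source
    ("hop_b", "dex", 50_000.0),        # swap attempt: half of hop_b's balance is clean
    ("hop_a", "exchange", 100_000.0),
]
LABELS = {"dex": "decentralized exchange", "exchange": "centralized exchange"}


def trace_taint(transfers, source, stolen):
    """Haircut taint: each outgoing transfer carries the sender's current tainted fraction.
    Returns the tainted amount per address after all transfers are applied."""
    tainted = defaultdict(float)
    balance = defaultdict(float)
    tainted[source] = stolen
    balance[source] = stolen
    for sender, receiver, amount in transfers:
        avail = balance[sender]
        if avail > 0:
            moved = min(amount, avail) * (tainted[sender] / avail)
        else:
            moved = 0.0   # sender's funds came from outside the data set: treated as clean
        tainted[sender] -= moved
        balance[sender] = max(0.0, avail - amount)
        tainted[receiver] += moved
        balance[receiver] += amount
    return {addr: amt for addr, amt in tainted.items() if amt > 0}


def exposure(tainted, labels):
    """Tainted funds that reached labelled counterparties: the addresses a freeze request targets."""
    return {addr: (labels[addr], amt) for addr, amt in tainted.items() if addr in labels}


if __name__ == "__main__":
    taint = trace_taint(SAMPLE_TRANSFERS, DRAINED_WALLET, 401_000.0)
    for addr, (label, amt) in exposure(taint, LABELS).items():
        print(f"{addr} ({label}): {amt:,.0f} ETH tainted")
```

In the constructed data, the 50,000 ETH that reaches the exchange from hop_b counts as only 25,000 ETH tainted, because half of hop_b's balance was clean by the time it paid out; that dilution is exactly what the intermediate hops are meant to produce.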
Phase four: lay low
Lastly, the thieves are holding on to much of the stolen crypto, most likely hoping to wait out the attention the theft is getting before laundering the rest.
Make no mistake: this attack was carefully planned and executed; a single misstep by Lazarus would have set off alarms and blown the whole operation. It also shows how far the tactics of state-sponsored attackers have evolved when the target is something that is supposed to be highly secure and locked down.
Bybit’s response to the attack
How did Bybit detect this unauthorized activity?
Ben Zhou, Bybit’s co-founder and CEO, announced: “When we saw the transaction, it was business as usual. I was the last signer on this transaction. When this transaction came, it was a normal URL.”
However, he also admitted that he had not thoroughly checked the destination address, which was obscured by code, before signing. He said, "After I signed it, 30 minutes later, we got the emergency call that our cold Ethereum wallet was drained!"
In a separate social media post, Zhou reassured customers that all other cold wallets are secure. He wrote: "All withdrawals are NORMAL."
Since disclosing the attack, Bybit has alerted and is cooperating with authorities, has launched its own investigations and audits, and is working with blockchain analysis firms such as Chainalysis, which have already located and frozen over $40 million of the stolen funds.
Zhou has also posted that Bybit secured loans, deposits and Ethereum purchases to close the gap, restoring full 1:1 backing of client assets and regaining some public trust. That is no small task considering that Lazarus drained roughly 70% of Bybit's Ethereum holdings and that clients pulled about $6.1 billion in withdrawals as news of the attack spread.
What businesses should take away from this situation
This incident highlights the ongoing threat posed by North Korean hackers. They’re known for their sophisticated attacks and focus on stealing cryptocurrency to fund the regime’s activities.
This is also a stark reminder that security controls are only as strong as the people and interfaces in the approval path: the signers here followed what looked like a routine workflow, and by the CEO's own account the destination was not independently checked before signing. Bybit's situation underscores the need for more robust security awareness training, but for high-value approvals training has to be paired with verification of the actual transaction payload on a device the attacker cannot tamper with, rather than trust in whatever a web interface displays.