This is the kind of announcement that every CEO would dread. About two hours ago, Bybit experienced a hack. As far as we know, this could be the largest hack in the history of our industry. 1.5 billion US dollars gone in just a few seconds. Almost immediately, fingers were pointed at one of the most notorious cybercrime gangs out there, the Lazarus Group.
That was two weeks ago. Fast forward to now, they've managed to cash out at least $300 million of it. Now, the Lazarus Group is widely believed to be linked to North Korea, with accusations that their stolen crypto helps fund the country's weapons program. So how do they pull it off? And more importantly, will they get away with it? I'm Hannah Gelbart, and this is What in the World from the BBC World Service.
Here to tell us more is the BBC's cyber correspondent, Joe Tidy, who is an expert on the Lazarus Group. Welcome back to the podcast. Thank you. To start off with, tell me about this hack. What exactly did it involve? It involved a lot of planning, a lot of resource and a lot of skill. These guys, the Lazarus Group, North Korean hacking team, are some of the best in the world and they're
They spent a long time, possibly, we don't know how long, I imagine months, doing reconnaissance and trying to find the right people to attack. They wanted to go after Bybit, this giant cryptocurrency exchange and trading platform has about 65 million users around the world. And this is the type of service that allows you to turn your pounds and dollars and rupees into Ethereum or Bitcoin or Doge, whatever you want to do.
And they have, like all cryptocurrency exchanges, what you call a hot wallet, which is a digital wallet full of cryptocurrency that's being sold and swapped and sent out to people all the time, every second, loads of transactions. Then they have a cold wallet. And when the hot wallet goes down, just like a normal kind of float in a shop, for example, or an ATM, you've got a giant safe, which is the cold wallet where you get the money from. And those cold wallets are super safe.
Offline, the hackers can't really get at them. So the hackers had to figure out a way to get at the cold wallet. And they hacked a company called SafeWallet, which is the company that Bybit uses to transfer funds from their cold wallet to their hot wallet. And they hacked into the computer of someone who works at SafeWallet. And they did this incredible thing.
We've got to be careful here, of course, we can't admire them too much, but it is impressive. They managed to find a way to change what Bybit saw on its screen so that when Bybit said, right, let's send $1.5 billion worth of Ethereum coins from our cold to our hot wallet, it looks like everything's normal, everything's fine, let's press send. And instead of sending all that cryptocurrency to the hot wallet, they sent it directly to the hackers.
That is a very impressive feat, and they stole a whopping $1.5 billion. Now they've cashed out $300 million of those dollars to unrecoverable funds. How does it work to convert crypto into usable money?
Well, it's really hard because cryptocurrency is what you call pseudonymous. So you can track it all over the blockchain. Whenever anyone makes a transaction, let's say I wanted to send you an Ethereum coin, you can see my wallet, which is a random jumble of numbers and letters, has sent an Ethereum coin to your wallet, which is another random jumble of numbers and letters.
So every time any transaction is made, you can see that on the blockchain. So you can track exactly where the money's going. So it's quite hard for hackers to actually make off with the money because what happens is those funds get blacklisted so that whenever a legitimate company comes across them,
and has any control over them. So for example, another exchange, they can freeze them. So the hackers have got a really difficult position of, in some ways it's good, there's nothing anyone can do to take the money away from them, but also they have to find a way to launder it and mix it up and make it look like it hasn't come from the hack
in order for them to turn it into cash. Because of course, cryptocurrencies are well and good, sitting on that absolute fortune is great. But you can't buy things with Ethereum or Bitcoin, really. You need to turn it into cold, hard cash and use that for the regime. And of course, the allegation all along with North Korea is that the regime is using this hacked money, because of course, they've done it a lot lately, to fund their missile programs.
North Korea, of course, has not said that it's behind the Lazarus Group and does not admit to using money from hacks for weapons. But while we're on the blockchain, I want to ask you something, because if every transaction is traceable, couldn't people just watch the money in real time moving around the internet and stop these hackers from getting away with cashing it out? Yeah, that's exactly what they're trying to do right now, because...
As I say, every transaction is recorded. You can see it. And I went to a place called Elliptic last week, which are a cryptocurrency investigating company. And they have these giant graphs and webs showing how the 1.46 billion was split up into 10,000 different cryptocurrency wallets and then sent to various different places. So you've got this crazy complex web and system there.
But it's all visible at the moment. And what's the issue right now, of course, is that when the funds go dark is the term, like when it goes dark, that means that those funds are gone, unrecoverable, very, very likely that money is cashed out. And so far, they've managed to do about $300 million. Does that mean that
the rest of the money is still recoverable if it hasn't gone dark yet? Well, that's what people would hope, but actually probably not. The expert I was talking to, Dr. Tom Robinson from Elliptic, he said that history tells us that the North Koreans, Lazarus Group, are just so good at laundering the funds, they will get almost all of it out. I think...
They've managed to stop about 45 million so far from being cashed out. Can you paint a picture of how the Lazarus Group hackers work and how they've got to be so good at what they do? Yeah, well, every single country has hacking capabilities, but it's just that...
North Korea is the only one that seems to use it for financial gain. Normally, of course, hacking teams from wherever, UK, India, Russia, China, they will hack for espionage purposes or for power. But North Korea have, for the last sort of five or six years, really pushed quite heavily into making money for the regime. Because, of course, North Korea is a poor country, made worse, of course,
by international sanctions against it and the fact that people don't do business with North Korea. So this was very clearly an area that they thought they could sort of turn into an industry. And we have seen that. There have been five or six absolutely enormous hacks of hundreds of millions of dollars worth of cryptocurrency from various companies over the last three or four years. And each time they have basically made off with that money. We know they have got a lot of people. They've got a large
hacking team that's based in Pyongyang but also in China as well
That is the allegation, of course. And we know that they take children who are good at maths and they put them into programs to try and develop their programming and hacking skills from a young age. And that this is a sort of patriotic job for many people. This is sort of nine to five, very militarily run type project and program that they run. Have there been other hacks on crypto exchanges like Bybit, the company that was hacked? It was a crypto exchange.
So Lazarus, they sort of rightly realized a few years ago that cryptocurrency industry is full of vulnerabilities and holes. It's a very young industry, but also it's a kind of like sort of very tech bro-y, you know, move fast, break things, that kind of mentality.
And there's just huge volumes of money floating around as well. And unlike traditional finance, if you can swipe cryptocurrency from a company, then you can do lots and lots of things to hide your tracks and launder the money much, much easier, of course, than if you were to try and do it with a traditional bank.
The cryptocurrency industry has been hit big time by the Lazarus Group. Before this, the biggest one, the sort of heist record was $622 million worth of cryptocurrency from a company called, well, it was a Ronin Bridge, Poly Network. And that was in 2022. Before that, we had one attack at KuCoin. And there's plenty of others as well. We're talking huge sums of money which have been swiped from crypto companies.
And it's not just the Lazarus Group who love a crypto heist. Other infamous hacks include Heather Morgan, aka Razzlekhan. She is not just a convicted crypto criminal. She's also an aspiring rapper. She and her husband have been dubbed the Bitcoin Bonnie and Clyde, and they were arrested in 2022 for laundering billions of dollars in Bitcoin. Here's how it went down.
Her husband orchestrated this huge hack, stealing Bitcoin that was worth around $71 million at the time. But because of Bitcoin's changing value, when they got caught, it was worth a mind-blowing $4.5 billion. That made it the biggest financial seizure in the U.S. Department of Justice's history. And just days before she went to prison in January this year, she dropped her latest track.
Wait for it. One of the lyrics is a plea for Elon Musk to save her. She goes, Now, my rapping isn't much to stand by, but those are her words. Her husband, Ilya Lichtenstein, was also sentenced to prison. He was given five years and she was given 18 months.
And I'm going to take you back even further to one of the earliest major hacks. Back in 2014, a Tokyo-based exchange called Mt. Gox suffered a massive breach. Hackers had drained nearly $500 million from it between 2011 and 2014. And when the scale of the hack was revealed, Mt. Gox filed for bankruptcy and 24,000 customers lost their investments.
But Joe, back to you. No amount has been as big as this latest hack, $1.5 billion. And that's been stolen from Bybit. What have they said about it? Well, they admitted straight away that it's happened, quite unusually. And to be applauded, I suppose, the CEO, Ben Zhou, he went on Twitter Spaces and did a live stream that lasted, I think it was an hour and 45 minutes or something, answering questions from customers who were obviously very concerned. Exactly.
Ben Zhou said very early that this isn't going to be customer money. We have seen in the past when crypto exchanges have gone down, they've taken customers' money with them. But Ben Zhou said your money is safe, your funds are safe and we have enough reserves to cover this. Quite remarkably, they've also, within 72 hours, gone out and managed to get enough funding to rebuy all the Ethereum that they lost.
What have they said about the Lazarus Group? They must be fuming. Absolutely. Yeah. So the CEO, he's launched a website called Lazarus Bounty. He said, we are waging war on Lazarus because the way he sees it and the way the company sees it is that this is an industry wide problem. This isn't just Bybit that's been hacked. You know, as I mentioned, there's been loads of attacks on other cryptocurrency companies. So the idea of the Lazarus Bounty is that
Wherever anyone is able to see the funds and track them being moved around the blockchain, if they hit a mainstream crypto company, so an exchange, for example, or a bridge, so a bridge can switch different cryptocurrencies into different ones. If they can warn the company that runs that service, oh, please stop these funds that we think they're from the Bybit hack, if that happens.
then Bybit is giving money to the volunteers for helping. And so far, $4.3 million has been awarded to about 20 different volunteers. We've never seen anything like it. It's a really good idea. I think a lot of the people in the cryptocurrency industry are
applauding Bybit for this kind of like vengeful act, which is actually going to help, hopefully going to help in the future, because Bybit has said they want to leave this website running for future, you know, hacks against cryptocurrencies by Lazarus. And what about Lazarus? Will they get their comeuppance?
Ah well, the age-old question. No, probably not. Very, very highly likely not because of course these are hackers who are in a country that doesn't cooperate with international law enforcement requests. North Korea is not exactly going to hand over some of the people who are accused of being part of Lazarus. The amazing thing is of course that the FBI and others around the world have for years now accused North Korea and Lazarus of
of doing these attacks. And it's got to the point where there are, if you go on the FBI's cyber most wanted list, there are three people on there who have got names and pictures and addresses and aliases that the authorities say are part of Lazarus. And they are wanted and they are, you know, accused of carrying out these massive, massive hacks. But unless they leave the country, there's nothing anyone can do.
Seems like they are untouchable with their unrecoverable funds and much, much richer for it at the moment. Yeah, I think this is the amazing thing about not only hacking, but also cryptocurrency is that when you do it right, and I'm very careful here, you know, we can't say they've done it right and we can't be too complimentary. But when you pull off a heist like this, it's almost the perfect crime in a sense, because these people won't be caught.
And as long as they can get the money out and turn it into usable cash, it's an absolute win for them. And I'm sure there are champagne corks popping in Pyongyang. Joe, thank you so much for coming on the podcast. Thanks for having me. If all this crypto talk has left you wanting more, we have done episodes breaking it all down in simple terms. We've got one called What's the Point of Meme Coins? Another called Cryptocurrency Explained. You can find them wherever you get your BBC podcasts. And if you're into cyber heists...
Make sure you check out the Lazarus Heist podcast series. It's from our colleagues at the BBC World Service. And it dives into some of the biggest hacks in history, all by this same group. Like, you might remember the Sony attack back in 2014 that shook up Hollywood and the 2016 Bangladesh bank robbery. North Korea, of course, denies having anything to do with these ones either.
That is it for today. You've been listening to What In The World from the BBC World Service with me, Hannah Gelbart. We'll see you next time. Bye.