The Global Story: How North Korean hackers launched history's biggest heist

March 09, 2025 23m

In February, hackers stole almost $1.5bn from the crypto trading platform, Bybit. Intelligence agencies blame Lazarus, an elite hacking group linked to North Korea. As the US announces a strategic crypto reserve, are we more vulnerable to cyber threats than ever before?

Full Transcript

Hello, this is the Global News Podcast from the BBC World Service. I'm Valerie Sanderson with your weekly bonus from The Global Story, which brings you a single story with depth and insight from the BBC's best journalists. There's a new episode every weekday. Just search for The Global Story wherever you get your pods and be sure to subscribe so you don't miss a single episode.

Here's my colleague, Lucy Hawkins.

It is likely the biggest heist in history.
When the cryptocurrency trading platform Bybit was targeted last month, hackers managed to steal almost $1.5 billion in just two minutes. And as a race against time began to stop the culprits cashing out, it didn't take long for fingers to point in one direction, North Korea.
The secretive country has long faced allegations of state-sponsored hacking via the elite Lazarus Group to prop up its ailing economy.

But analysts suggest its malicious activity is on the rise.

So after this latest mega-theft, how are intelligence agencies fighting back?

And are we more vulnerable to hackers than ever before?

With me today is the BBC cyber correspondent Joe Tidy.

Hi, Joe.

Hi.

Talk us through what happened.
Well, it all happened on Friday night, which is normally when the hackers strike because people have sort of let their guard down. And what it is, is this company called Bybit is a cryptocurrency exchange.
Binance, Coinbase, the really famous ones, they're kind of the biggest in the world. But Bybit is also very big, about 60 million customers.
And what you do with this app is that you exchange your pounds, dollars, rupees, whatever, for Bitcoin, Ethereum, any cryptocurrencies, obviously thousands of them. And like any kind of shop or bank or business, there is a float, which Bybit has what they call a hot wallet, which is where all the money is that's coming in and going out, coming in and going out all the time.
Every second money's coming in and going out. And when that float goes down, they need to get more money in.
And they've got something called a cold wallet. Just imagine a giant safe in a bank.
You've got the ATMs running cash all day, but you need to go and get more money out of the safe. So the cold wallets are offline.
They are safe from hackers. They often store a heck of a lot of cryptocurrency.
And they need to find a way, of course, to transfer that cryptocurrency from the cold wallets to the hot wallets. Bybit says this happens maybe every two or three weeks. It's quite a regular thing, but the hackers decided that they would exploit the transfer mechanism that they used to get from the cold to the hot. And they hacked into the employee of a company called SafeWallet, which does those transfers.
When Bybit pressed send on their computers, everything looked normal. So they pressed send on $1.46 billion worth of Ethereum.
And it didn't go to the Bybit hot wallet. It went to the hackers.
Cryptocurrency exchange, Bybit, disclosing on Friday that it was hacked in what could be the largest crypto heist ever. So SafeWallet was not so safe.
Indeed. These are the headlines we're reading now.
Have we seen anything, Joe, on this kind of scale before? No. This is the biggest crypto theft in history.
There have been some absolutely enormous ones before this, but the most recent record breaker was a couple of years ago, which was called the Ronin Network. More trouble in crypto.
A massive security breach affecting popular NFT game Axie Infinity and the Ronin Network. Hackers stole more than $600 million, making it one of the largest hacks in the history of decentralized finance.
So this, you know, this is absolutely dwarfing that. And we think, we don't know for sure, but we think this is the biggest ever theft in history, full stop.
So that's not just crypto, and crypto does go missing quite a lot in large chunks, but there's been no single heist this big. And Bybit, I mean, what a moment for them realising what's happened, given it initially looked like an absolutely normal transaction.
How did they then respond? Yeah, Bybit, obviously absolutely stunned by this, because it wasn't just that there was one person verifying the transaction from the cold wallet to the hot wallet. But there was what they call multi-sig.
So there were lots of people involved in this from the company, including the CEO, Ben Zhou. And they looked at it and they said, yeah, that all looks good.
We'll all sign that. Bish, bash, bosh.
Oh dear, where has it gone? Half an hour after the transaction, the CEO said he got a phone call from his security guy and he knew something was wrong instantly. He said, have we been hacked? He said, yes.
And they thought initially that it was about 30,000 Bitcoin, which is a lot of money, millions and millions. But he said, no, Ben, I'm sorry, this is much more serious.
This is the entire cold wallet drained, 401,000 Ethereum coins, $1.46 billion. So then, of course, to Bybit's credit, there was this crisis situation.
Is this going to cost the company? Is this going to cost customers? We've seen in the past when hacks have happened, people have lost money, individual users of that service. But Bybit, to its credit, managed to keep the communication channels open.
Hello, everyone. So thank you for tuning in.
Very unusually, the CEO went on a live stream on X. As all of you are aware, Bybit experienced a hack on our Ethereum cold wallet.
And kept people informed for more than an hour about what was happening. I'm intending to make this live stream go a bit longer so I can answer all of our communities' questions, concerns, and any issues we can address.
People are sending in questions, that kind of thing. And they managed to get some backup loans from all their investors and everything like that.
And they've managed to already recover in the sense that they bought back the Ethereum that they lost. And now there's this massive hunt to try and get some of the money back from the hackers who are trying to launder it through the Bitcoin network.
But it showed to me just how much money there is in cryptocurrency right now, when a company can lose $1.46 billion, and then within a couple of days, get back on an even keel. It's absolutely insane.
And I'm sure one of the questions that people were asking the Bybit CEO straight away is, who's responsible for this? How quickly did the evidence start to point in one particular direction? Very quickly, almost instantly, we saw the money didn't just go to a hacker's wallet, it went to wallets that are linked to North Korea. The Lazarus Group in particular, which is an infamous hacking team that is run by and sponsored and tasked by the North Korean regime.
They've never admitted this, of course, but it's been going now for at least 10 years. And they've been responsible for some of the biggest crypto thefts, well, all of the biggest crypto thefts in history.
The one I mentioned a little while ago, the $600 million one in 2022, that was the Lazarus Group. I've got a list here because I can't remember them all.
So we go back to 2016 when they attacked Bangladesh Bank and tried to make off with a billion dollars. They didn't.
They only made off with 81 million. The 81 million dollar money laundering scandal is now considered one of the biggest bank heists in Asia.
But how exactly did thieves steal such a huge amount of money? It's not a bad payday, but not as good as they wanted. They have done lots of ATM attacks where they get ATMs to spit out money all over the world and they can cash in and get the money back to North Korea.
There was an attack on a crypto exchange called KuCoin in 2021, and that was $275 million stolen initially. Most of it was recovered.
2022, that was the Ronin Bridge $600 million attack. And there's also been other attacks that have been linked to the Lazarus Group that are more kind of espionage-based.
The FBI is investigating that destructive cyber attack at Sony Pictures. The Bureau is now warning other companies they could be next.
Sony Pictures. Sony Pictures was, yeah, that's the big one, 2014.
Sources say the cyber attack on Sony Pictures used an especially aggressive malware, capable of erasing hard drives and crashing computer networks. Hackers calling themselves the guardians of peace stole the personal information of more than 6,000 Sony employees.
The history there, of course, is absolutely fascinating in that there was a film that was created by Seth Rogen and James Franco. The Interview is what it was called.
All fictional, all satire, all comedy, but it was about essentially those two actors or their characters going to North Korea to do an interview with Kim Jong-un and being tasked with his assassination. And, of course, the Koreans did not like this one bit.
And they hacked Sony Pictures and caused a huge amount of financial damage to that company in response. Then there was another one in 2017, which was a kind of out of control crypto worm.
All of these things are very, very unusual in terms of cyber capabilities for a country. Because normally, every country has a hacking group, hacking team.
Normally, it's about espionage, power exertion, sometimes intellectual property theft. But North Korea is the only country that has so heavily gone down, especially in the last five years, the route of financial gain.
So there is a proven link between the Lazarus group and the North Korean government? Yes, this has been an allegation by the West for many, many years now, so much so that the FBI has released not only names, but pictures of the North Korean hackers that they think and they say are responsible for being part of Lazarus Group. The regime has never admitted this, of course, but no country ever admits that it hacks.
And certainly the latest hack, this Bybit 1.46 billion history making hack, straight away, people said, well, look at the method here that was used. And then more importantly, look at where the money's going and what's happening to it afterwards.
Because with cryptocurrency, as we know, every single time any money is transferred from one person to the next, you can see it on the blockchain. There's a record of it forever.
And straight away, people looked at this and said, ah, this looks like Lazarus. The pattern.
Yeah, exactly.

So we've looked at what happened and who is behind it. Next, how is the world responding to history's biggest heist? And are we more vulnerable to hackers than ever before? This is The Global Story. We bring you one big international story in detail five days a week.
Follow or subscribe wherever you listen. With me is our cyber correspondent, Joe Tidy.
Joe, these funds, can they be tracked? Yeah, that's the incredible thing, because of course, every time anyone does anything in cryptocurrency, it's all on the blockchain, which is the thing that underpins this brand new type of money. If I sent you some Bitcoin, for example, from my wallet to your wallet, it would be shown: there would be a random jumble of numbers and letters, which is my wallet, a random jumble of numbers and letters, your wallet, and you can see that the Bitcoin went there.
So straight away, the incredible thing was 1.46 billion. Where's it gone? Oh, it's gone there.
You can see where it's gone, but it's gone to the wrong place. So then, of course, you've got crypto sleuths around the world who are watching the money being split up into thousands of different amounts across different wallets around the cryptocurrency system and then funneled through various different systems.
Because the difficulty, of course, for the North Koreans is, or any hacker stealing cryptocurrency is, how do you get it into cash? Because that huge amount of money is fine if you want to invest in cryptocurrency or if you live in a country where cryptocurrency can be spent on things. But actually, really, you need cold, hard cash.
And the ultimate aim is to cash out. Absolutely.
And that is the difficulty because everything's being watched. And there are dedicated companies now, forensic crypto investigators who are following this money going around the blockchain.
And they've been doing it for years. And one of them, I spoke to him, he's the founder of one called Elliptic, and it's Tom Robinson, and he said that this is a full-time job, watching that money move around the blockchain.
So what we're looking at is the transactions made by the launderers after they'd stolen this $1.46 billion from Bybit. And you can see the funds subsequently being fanned out across very many different transactions to confuse the money trail, make it more difficult to follow the funds.
And what they're really trying to do here is to slow down the tracing of these funds, because every minute really matters here. So the North Koreans and other hackers as well, but the North Koreans are particularly good at this now.
They have developed really sophisticated systems, techniques, patterns and behaviours to try and obscure the origin of that money so that when it goes to an exchange, where they can exchange it for real money, then they can get away with it, essentially. The amazing thing about cryptocurrency is that it's pseudo-anonymous.
So you can track it and you can see it and you can find out where it's from and where it's going to, but you don't know who owns it. If it was traditional banking and I stole 1.46 billion from a bank, straight away I have to send it to another bank and that bank has my name, my address, it can freeze the funds, it can recover it.
With crypto, you can just watch this money bouncing around and until it hits a legitimate company that has some sort of control, there's nothing you can do. Is there any way to reverse this hack, Joe? No, it's torture for the blockchain watchers here and the authorities because they can see it all there, all the money's still there.
Until it, what we call, goes dark, which means that they cannot see it anymore. It's all on the blockchain.
And the company Bybit just sits there and watches their money being shoved around the blockchain. Nothing they can do.
The only thing that is possible is that when some of that money hits another exchange, then they can say to that exchange, oh, please, freeze that. We think it's come from the Bybit hack.
And if that cryptocurrency exchange is legitimate and is mainstream enough, then they will comply. But there are, of course, lots of exchanges that aren't.
Is there a way then that Bybit can get these funds back? Yeah, when they do hit an organisation that cooperates, they are able to freeze it. And what's amazing about this current situation is not only is it the biggest crypto heist ever, but Bybit is so angry about this, as you would be, that they have started a really unique project called the Lazarus Bounty.
They've said, we are waging war on the Lazarus Group. And what they're asking people around the world to do, volunteers, is to watch the blockchain and try and track some of the money from the hack.
If they can get it frozen, then these volunteers are being given money. And so far, I think the last time we looked, about 17 people had been helping.
They are confirmed to have done some really good work on tracking the money. And they've recovered, I think, about $40 million, which is a decent chunk of money.
Obviously, it doesn't really make a dent in the 1.46 billion, but they're also being awarded that money. So $4.5 million has so far been given to volunteers who are tracking the money going through the system and helping.
And I've spoken to one of them and he's been given $150,000 already. So not a bad day's work, really.
That's not bad. I guess Bybit are also angry at these exchanges that are failing to block the funds as well which have been flagged.
Yeah, and they've got on the website, there's this live tracker of what they're calling the good actors, so the good people out there who are stopping and helping. And then they had the word bad actors, but they've changed that now to alert actors, because I think they want to be careful not to upset anybody. But there's only one company name on that alert or bad actors list, and that's a company called EXCH, which is this fascinating company that operates in a real kind of grey zone of cryptocurrency. They are a non-KYC crypto exchange, which means that they don't comply with the usual KYC, know your customer rules, that every other legitimate one does.
So if you today wanted to go and join up to a cryptocurrency exchange, Bybit, Binance, whatever, you have to give them your passport, you have to do face ID, you have to have an email address in order for them to make sure that you're not a criminal or whatever. Whereas EXCH believes in the anonymity and the privacy of cryptocurrency, these sort of foundational tenets of this technology.
So they don't want to do any of that. They don't agree with any KYC stuff.
And they have not stopped the money going through. So we know that about $94 million so far of the Bybit hack has been funneled through EXCH, been waved on through as if it's anything, you know, whatever, because they didn't stop it.
And I spoke to the founder of EXCH, who is an Austrian man. He's currently apparently doing some sort of conservation exercise in the middle of the Pacific on Howland Island.
So he can't talk to me or do an interview, which is a shame. But he said that, yes, we did allow the money to go through, but that's because we believe in the anonymity and protections of cryptocurrency, but also because we're having a row with Bybit and we're in a bit of a hoo-ha with them.
So there's this amazing sort of like, you've got on one hand, the cryptocurrency industry rallying around Bybit and going against Lazarus Group, trying to get some of this money stopped. And then you've got this fracture, which has been exposed in the cryptocurrency industry, where you've got the sort of like the old school versus the new school.
So here we have potentially the biggest heist ever. All the kind of fingers are pointing at the Lazarus Group.
If you're a government around the world, what can you do? What are they doing? Not very much. It's difficult because even if you manage to find out who the hackers are and you have names, addresses, photographs, how can you arrest them? Because, of course, the North Koreans don't cooperate with international requests for extraditions, that kind of thing.
So we have seen in the past, Lazarus Group is so prolific and infamous now that the FBI has on their cyber most wanted list, which is updated all the time with new names of people that they want to get, most wanted in the world. They have now a couple of these guys from Lazarus Group, which they put on in 2020.
Again, names, addresses. What else can you do, really? I mean, that's pretty much it.
The incredible thing about the North Korean regime is cybercrime is a part of the economy now. They just accept that as being a way to bring money in because, of course, they're so heavily sanctioned by the international community.
They're a very poor country, haven't got much natural resources. I spoke to one cybersecurity expert called Dr. Dorit Dor from Check Point, and she said that this is really an industry for the country now. They don't have their own internal resources.
They are a very closed system, very closed economy. They don't have a successful industry for anything.
So they created a successful industry for hacking, and they don't care about the negative impression of cybercrime. This is a way to get around the sanctions.
And presumably the Lazarus group, it makes it sound as if they're just a group of people sitting in a building somewhere in Pyongyang. But that's not how it works, right? They work in clusters in different places.
Yeah. And there's a lot of them as well.
The North Koreans are thought to have a very active pipeline of taking talented children who are good at maths and turning them into superb hackers. And you've got the sort of the two elements, really.
You've got in hotels in China and in Pyongyang, you've got armies of very, very sophisticated hackers because this stuff takes a long time to plan, to execute. When you look at what they did with the 1.46 billion Bybit hack, it is remarkable the amount of steps you would have to take to pull that off.
So you've got that element and that requires very talented manpower. But the laundering as well, that's thought to be, you know, we're talking about a whole office filled with people who are tasked with trying to launder the money because it's a race against time to get the money out.
I was speaking to an expert yesterday who said that the only time that the laundering doesn't happen is between the hours of 3am and 7am because they're working in shifts and they're working around the clock and they're trying to get the money out as quickly as they can. The fact that this was so big and so complex and seemingly at the moment successful, does that also show, Joe, just how vulnerable we are at the moment? I wouldn't say we are, as in the general public.
I would say the Lazarus Group has exposed security failings in the cryptocurrency industry time and time again. I mentioned in my list there, you've got KuCoin, Ronin Network, now this.
There are others as well. They have pivoted quite heavily from traditional finance, banks, ATMs, the Swift network, very, very heavily into cryptocurrency for a reason.
And that's because the cryptocurrency industry is very dispersed in its security, young, move fast, break things, that kind of, you know, attitude. And they are showing that there are major problems in the crypto world.
Like every conversation at the moment, it feels like we can somehow pivot back to President Trump. So I'm going to do that because everybody also knows how much the president loves crypto.
OK, let's catch you up on the latest from the White House over the weekend. President Trump says that the U.S.
will move forward with what he calls a crypto strategic reserve. Now, this is a shift in language from what was previously being referred to as a stockpile.
This afternoon, I'm laying out my plan to ensure that the United States will be the crypto capital of the planet and the Bitcoin superpower of the world. And he's announced perhaps the creation of what he's saying will be a crypto reserve.
What would that mean, Joe? And would that put federal money at risk? Yes, for sure. The crypto strategic reserve is an idea that was laughed at a few years ago.
But then El Salvador, President Bukele started one, a big crypto Bitcoin fan. And it's proven to be very profitable because if you buy low and the coins keep going up, then it's like gold, isn't it? People say that Bitcoin, for example, is the new gold.
That I think is the thinking behind the strategic reserve idea. But anytime you stockpile anything, the bigger the stockpile, the more likely you are to be at risk of hacking.
I would be terrified if I was in charge of securing what's going to be probably, if they go through with it in America, the largest reserve of cryptocurrency in history. We're talking hundreds of billions of dollars potentially.
But surely a hack like this also impacts how people feel about crypto and how confident they feel about it. Yeah, I think if you look at the price of crypto and Bitcoin, sort of the green squiggly line of Bitcoin value, that is the barometer of the health and confidence in the crypto world.
And after this Bybit hack, it took a dip. Other things happened as well.
But that seems to be the kind of the reason it went from, I think it was like $96,000 per coin to about 83 or something like that. It's sort of like coming back up a bit.
But every single time this happens, it does completely understandably knock the confidence in what is a very complicated and fast moving industry. And one of the things about crypto, which people say is a real bonus, is that you can become your own bank.
But it's a frightening prospect when you know there are people out there who are willing to go to extreme lengths to hack you. Thanks so much, Joe.
Thank you.

If you enjoyed listening to The Global Story and would like to hear more, there's a new episode every weekday. Just search for The Global Story wherever you get your BBC podcasts and be sure to click subscribe or follow.

We'll have another edition of The Global News Podcast later.

Until then, bye-bye.