Global News Podcast - The Global Story: How North Korean hackers launched history's biggest heist
Episode Date: March 9, 2025. In February, hackers stole almost $1.5bn from the crypto trading platform, Bybit. Intelligence agencies blame Lazarus, an elite hacking group linked to North Korea. As the US announces a strategic crypto reserve, are we more vulnerable to cyber threats than ever before?
Transcript
Hello, this is the Global News Podcast from the BBC World Service. I'm Valerie Sanderson
with your weekly bonus from the Global Story, which brings you a single story with depth
and insight from the BBC's best journalists. There's a new episode every weekday. Just
search for the Global Story wherever you get your pods and be sure to subscribe so you
don't miss a single episode. Here's my colleague Lucy Hawkins.
It is likely the biggest heist in history.
When the cryptocurrency trading platform Bybit was targeted last month,
hackers managed to steal almost $1.5 billion in just two minutes.
And as a race against time began to stop the culprits cashing out, it didn't take long
for fingers to point in one direction – North Korea.
The secretive country has long faced allegations of state-sponsored hacking via the elite Lazarus
Group to prop up its ailing economy.
But analysts suggest its malicious activity is on the rise.
So after this latest mega-theft, how are intelligence agencies fighting back?
And are we more vulnerable to hackers than ever before?
With me today is the BBC cyber correspondent, Joe Tidy. Hi, Joe.
Hi.
Talk us through what happened.
Well, it all happened on Friday night, which is normally when the hackers strike because
people are off, sort of let their guard down. And what it is, is this company called Bybit
is a cryptocurrency exchange. Binance, Coinbase, the really famous ones,
they're the kind of the biggest in the world, but Bybit is also very big, about 60 million
customers. And what you do with this app is that you exchange your pounds, dollars, rupees, whatever
for Bitcoin, Ethereum, any cryptocurrencies, obviously thousands of them. And like any kind
of shop or bank or business, there is a float.
Bybit has what they call a hot wallet, which is where all the money is that's coming in
and going out, coming in and going out all the time, every second money's coming in and
going out. And when that float goes down, they need to get more money in. And they've
got something called a cold wallet. Just imagine a giant safe in a bank, you know, you've got
the ATMs running cash all day, but you need to go and get more money out of the safe.
So the cold wallets are offline, they are safe from hackers,
they often store a heck of a lot of cryptocurrency,
and they need to find a way of course to transfer that cryptocurrency from the cold wallets
to the hot wallets. Bybit says this happens maybe every two or three weeks. It's quite a regular thing.
But the hackers decided that they would exploit the transfer
mechanism that they used to get from the cold to the hot.
And they hacked into the employee of a company called
Safe Wallet, which does those transfers.
When Bybit pressed Send on their computers,
everything looked normal.
So they pressed Send on $1.46 billion worth of Ethereum and it didn't go
to the Bybit hot wallet, it went to the hackers.
Cryptocurrency exchange Bybit disclosing on Friday that it was hacked in what could be the largest crypto heist ever.
So Safe Wallet was not so safe.
Indeed, these are the headlines we're reading now. Have we seen anything, Joe, on this kind of scale before?
No, this is the biggest crypto theft in history. There have been some absolutely enormous ones
before this, but the most recent record breaker was a couple of years ago, which was
called the Ronin Network.
More trouble in crypto, a massive security breach affecting popular NFT game Axie Infinity
and the Ronin Network. Hackers stole more than $600 million, making it one of the largest hacks in the history
of decentralized finance.
So this, you know, this is absolutely dwarfing that.
And we think, we don't know for sure, but we think this is the biggest ever theft in
history full stop.
So that's not just crypto, and crypto does go missing quite a lot in large chunks, but
there's been no single heist this big.
And Bybit, I mean, what a moment for them realising what's happened, given it initially
looked like an absolutely normal transaction.
How did they then respond?
Yeah, Bybit, obviously absolutely stunned by this because it wasn't just that there
was one person verifying the transaction from the cold wallet to the hot wallet.
There was what they call multi-sig. There were lots of people involved in this from the company,
including the CEO, Ben Zhao, and they looked at it and they said, yeah, that all looks good. We'll
all sign that. Bish, bash, bosh. Oh dear, where has it gone? Half an hour after the transaction,
the CEO said he got a phone call from his security guy and he knew something was wrong instantly.
He said, have we been hacked? He said,
yes. And they thought initially that it was about 30,000 Bitcoin, which is a lot of money, millions
and millions. But he said, no, Ben, I'm sorry, this is much more serious. This is the entire cold
wallet drained 401,000 Ethereum coins, $1.46 billion. So then of course, to Bybit's credit, there was this crisis situation.
Is this going to cost the company?
Is this going to cost customers?
We've seen in the past when hacks have happened, people have lost money, individual users of
that service.
But Bybit, to its credit, managed to keep the communication channels open.
Hello everyone.
So thank you for tuning in.
Very unusually, the CEO went on a live stream on X.
As all of you are aware, Bybit experienced a hack on our Ethereum cold wallet.
And kept people informed for more than an hour about what was happening.
I'm intending to make this live stream go a bit longer so I can answer all of our communities'
questions, concerns and any issues
we can address.
People are sending in questions, that kind of thing.
And they managed to get some backup loans from all their investors and everything like
that.
And they've managed to already recover in the sense of they kind of they bought back
the Ethereum that they lost.
And now there's this massive hunt to try and get some of the money back from the hackers
who are trying to launder it through the Bitcoin network. But it showed to me just how much money there is in cryptocurrency
right now. When a company can lose $1.46 billion and then within a couple of days get back
on an even keel, it's absolutely insane.
And I'm sure one of the questions that people were asking the Bybit CEO straight away is
who's responsible for this? How quickly did the evidence start to point in one particular direction?
Very quickly, almost instantly, we saw the money didn't just go to a hacker's wallet,
it went to wallets that are linked to North Korea.
The Lazarus Group in particular, which are an infamous hacking team that is run by and
sponsored and tasked by the North Korean regime.
They've never admitted this of course, but it's been going now for at least 10 years.
And they've been responsible for some of the biggest crypto thefts,
well all of the biggest crypto thefts in history.
The one I mentioned a little while ago, the $600 million one in 2022, that was the Lazarus Group.
I've got a list here because I can't remember them all. So we go back to 2016 when they attacked Bangladesh Bank and tried to make off
with a billion dollars. They didn't. They only made off with 81 million.
The 81 million dollar money laundering scandal is now considered one of the biggest bank heists in Asia. But how exactly did thieves steal such a huge amount of money?
It's not a bad payday, but not as good as they wanted.
They had done lots of ATM attacks where they get ATMs to spit out money all over the world
and they can cash in and get the money back to North Korea.
There was an attack on a crypto exchange called KuCoin in 2021,
and that was $275 million stolen initially. Most of it was recovered.
2022, that was the Ronin Bridge $600 million attack.
And there's also been other attacks
that have been linked to the Lazarus Group
that are more kind of espionage-based.
The FBI is investigating
that destructive cyber attack at Sony Pictures.
The Bureau is now warning other companies
they could be next.
Sony Pictures was, yeah, that's the big one, 2014.
Sources say the cyber attack on Sony Pictures used an especially aggressive
malware capable of erasing hard drives and crashing computer networks.
Hackers calling themselves the guardians of peace stole the personal information
of more than 6,000 Sony employees.
The history there of course is absolutely fascinating in that there was a film that
was created by Seth Rogen and James Franco, The Interview is what it was called.
All fictional, all satire, all comedy, but it was about essentially those two actors
or their characters going to North Korea to do an interview with Kim Jong-un and being
tasked with his assassination.
And of course the North Koreans did not like this one bit, and they hacked Sony Pictures
and caused a huge amount of financial damage to that company in response.
Then there was another one in 2017, which was a kind of out-of-control crypto worm.
All of these things are very, very unusual in terms of cyber capabilities for a country. Because normally every country
has a hacking group, hacking team. Normally it's about espionage, power exertion, sometimes
intellectual property theft. But North Korea is the only country that has so heavily gone
down, especially in the last five years, the route of financial gain.
So there is a proven link between the Lazarus group and the North Korean government.
Yes, this has been an allegation for many, many years now by the West, so much so that
the FBI has released not only names but pictures of the North Korean hackers that they think
and they say are responsible for being part of Lazarus group.
The regime has never admitted this, of course, but no country ever
admits that it hacks. And certainly the latest hack, this Bybit 1.46 billion history-making
hack, straight away people said, well, look at the method here that was used. And then
more importantly, look at where the money's going and what's happening to it afterwards.
Because with cryptocurrency, as we know, every single time any money is transferred from
one person to
the next, you can see it on the blockchain, there's a record of it forever, and straight
away people looked at this and said, ah, this looks like Lazarus.
The pattern.
Yeah, exactly.
So we've looked at what happened and who is behind it.
Next, how is the world responding to history's biggest heist?
And are we more vulnerable to hackers than ever before?
This is the Global Story. We bring you one big international story in detail five days
a week. Follow or subscribe wherever you listen.
With me is our cyber correspondent, Joe Tidy. Joe, these funds, can they be tracked?
Yeah, that's the incredible thing because of course every time anyone does anything in cryptocurrency,
it's all on the blockchain, which is the thing that underpins this brand new type of money.
If I sent you some Bitcoin, for example, from my wallet to your wallet, it would be shown.
There would be a random jumble of numbers, which is my wallet, a random jumble of numbers
and letters, your wallet, and you can see that Bitcoin went there.
So straight away, the incredible thing was 1.46 billion, where's it gone?
Oh, it's gone there.
You can see where it's gone, but it's gone to the wrong place.
So then of course, you've got crypto sleuths around the world who are watching the money
being split up into thousands of different amounts across
different wallets around the cryptocurrency system and then funneled through various different
systems.
Because the difficulty of course for the North Koreans is, or any hacker stealing cryptocurrency
is how do you get it into cash?
Because that huge amount of money is fine if you want to invest in cryptocurrency or
if you live in a country where cryptocurrency can be spent on things,
but actually really you need cold hard cash. And the ultimate aim is to cash
out. Absolutely and that is the difficulty because everything's being
watched and there are dedicated companies now, forensic crypto
investigators who are following this money going around the blockchain and
they've been doing it for years.
And one of them, I spoke to him, he's the founder of one called Elliptic and it's Tom
Robinson and he said that this is a full-time job watching that money move around the blockchain.
So what we're looking at is the transactions made by the launderers after they'd stolen
this $1.46 billion from Bybit.
And you can see the funds subsequently being fanned out across very many different transactions to confuse the money trail,
make it more difficult to follow the funds. And what they're really trying to
do here is to slow down the tracing of these funds because every minute really
matters here. So the North Koreans and other hackers as well, but the North
Koreans are particularly good at this now. They have developed really
sophisticated systems, techniques,
patterns and behaviours to try and obscure the origin of that money so that when it goes
to an exchange, we can exchange it for real money, then they can get away with it essentially.
The amazing thing about cryptocurrency is that it's pseudo-anonymous. So you can track it and you can see it and you can find out where it's from and where
it's going to.
But you don't know who owns it.
If it was traditional banking and I stole 1.46 billion from a bank, straight away I
have to send it to another bank and that bank has my name, my address, it can freeze the
funds, it can recover it.
With crypto, you can just watch this money bouncing around and until it hits a legitimate company that has some sort of control, there's
nothing you can do.
Is there any way to reverse this hack, Joe?
No, it's torture for the blockchain watchers here and the authorities because they can
see it all there. All the money is still there until it, what we call,
goes dark, which means that they cannot see it anymore. It's all on the blockchain. And
the company Bybit just sits there and watches their money being shoved around the blockchain,
nothing they can do. The only thing that is possible is that when that some of that money
hits another exchange, then they can say to that exchange, oh, please freeze that.
We think it's come from the Bybit hack. And if that cryptocurrency exchange is legitimate
and is mainstream enough, then they will comply. But there are of course lots of exchanges
that aren't.
Is there a way then that Bybit can get these funds back?
Yeah, when they do hit an organisation that cooperates, they are able to freeze it. And
what's amazing about this current situation is not only is it the biggest crypto heist ever, but Bybit
is so angry about this, as you would be, that they have started a really unique project
called the Lazarus Bounty. They've said we are waging war on the Lazarus Group. And what
they're asking people around the world to do, volunteers, is to watch the blockchain
and try and track some of the money from the hack. If they can get it frozen, then these volunteers are being given money.
And so far, I think the last time we looked about 17 people had been helping. They are confirmed to
have done some really good work on tracking the money. And they've recovered, I think, about $40
million, which is a decent chunk of money. Obviously, it doesn't really make a dent in the 1.46 billion, but they're also being awarded that money. So $4.5 million has so
far been given to volunteers who are tracking the money going through the system and helping.
And I spoke to one of them and he's been given $150,000 already. So not a bad day's
work.
That's not bad. I guess Bybit are also angry at these exchanges that are failing
to block the funds as well which have been flagged. Yeah and they've got on the website,
there's this live tracker of they're calling them the good actors, so the good people out there who
are stopping and helping and then they had the word bad actors but they've changed that now to
alert actors because I think they want to be careful not to upset anybody. But there's only one company name on that alert or bad actors list, and that's a company
called eXch, which is this fascinating company that operates in a real kind of gray zone
of cryptocurrency.
They are a non-KYC crypto exchange, which means that they don't comply with the usual
KYC, know your customer rules
that every other legitimate one does.
So if you today wanted to go and join up to a cryptocurrency exchange, Bybit, Binance,
whatever, you have to give them your passport, you have to do face ID, you have to have an
email address in order for them to make sure that you're not a criminal or whatever. Whereas eXch believes in the anonymity and the privacy of cryptocurrency, these sort of foundational
tenets of this technology. So they don't want to do any of that. They don't agree with any KYC
stuff and they have not stopped the money going through. So we know that about $94 million so
far of the Bybit hack has been funneled through eXch,
been waved on through as if it's anything, you know, whatever, because they didn't stop it.
And I spoke to the founder of eXch, who is an Austrian man. He's currently apparently doing
some sort of conservation exercise in the middle of the Pacific on Howland Island. So he can't
talk to me or do an interview, which is a shame.
But he said that, yes, we did allow the money to go through, but that's because we believe
in the anonymity and protections of cryptocurrency.
But also because we're having a row with Bybit and we're in a bit of a hoo-ha with them.
So there's this amazing sort of like you've got on one hand, the cryptocurrency industry
rallying around Bybit and going against Lazarus Group trying to
get some of this money stopped and then you've got this fracture which has been exposed in the
cryptocurrency industry where you've got the sort of like the old school versus the new school.
So here we have potentially the biggest heist ever. All the kind of fingers are pointing at
the Lazarus Group. If you're a government around the world, what can you do?
What are they doing?
Not very much.
It's difficult because even if you manage to find out who the hackers are,
and you have names, addresses, photographs, how can you arrest them?
Because, of course, the North Koreans don't cooperate with international requests
for extraditions, that kind of thing.
So we have seen in the past, Lazarus Group is so prolific
and infamous now that the FBI has, on their cyber most wanted list,
which is updated all the time with new names of people
that they want to get most wanted in the world.
They have now a couple of these guys from Lazarus Group,
which they put on in 2020.
Again, names, addresses.
What else can you do really?
I mean, that's pretty much
it. The incredible thing about the North Korean regime is cybercrime is a part of the economy
now. They just accept that as being a way to bring money in because of course, they're
so heavily sanctioned by the international community. They're a very poor country, haven't
got many natural resources. I spoke to one cyber security expert called Dr. Dorit Dor
from Check Point, and she said
that this is really an industry for the country now.
They don't have their own internal resources.
They are a very closed system, a very closed economy.
They don't have a successful industry for anything.
So they created a successful industry for hacking.
And they don't care about the negative impression of cybercrime.
This is a way to get around the sanctions.
And presumably the Lazarus group, it makes it sound as if they're just a group of people sitting
in a building somewhere in Pyongyang, but that's not how it works, right? They work in clusters in
different places.
Yeah, and there's a lot of them as well. The North Koreans are thought to have a very active
pipeline of taking talented children who
are good at maths and turning them into superb hackers. And you've got the sort of the two
elements really you've got in hotels in China and in Pyongyang, you've got armies of very,
very sophisticated hackers because this this stuff takes a long time to plan to execute.
When you look at what they did with the 1.46 billion Bybit hack,
it is remarkable the amount of steps you would have to take to pull that off. So you've got that
element and that requires very talented manpower. But the laundering as well, that's thought to be,
you know, we're talking about a whole office filled with people who are tasked with trying
to launder the money because it's a race against time to get the money out. I was speaking to an
expert yesterday who said that the only time that the laundering doesn't
happen is between the hours of 3am and 7am because they're working in shifts and they're working
around the clock and they're trying to get the money out as quickly as they can.
The fact that this was so big and so complex and seemingly at the moment successful,
does that also show Joe just how vulnerable we are at the moment?
I wouldn't say we are, as in the general public.
I would say the Lazarus Group has exposed security failings in the cryptocurrency industry
time and time again.
I mentioned in my list there, you've got KuCoin, Ronin Network, now this.
There are others as well.
They have pivoted quite heavily from traditional finance,
banks, ATMs, the Swift network, very, very heavily into cryptocurrency for a reason.
And that's because the cryptocurrency industry is very dispersed in its security, young, move fast,
break things, that kind of attitude. And they are showing that there are major problems in
the crypto world. Like every conversation at the moment, it feels like we can somehow pivot back to President
Trump. So I'm going to do that because everybody also knows how much the president loves crypto.
Okay, let's catch you up on the latest from the White House over the weekend. President
Trump says that the US will move forward with what he calls a crypto strategic reserve. Now
this is a shift in language from what was previously being referred to as a stockpile.
This afternoon I'm laying out my plan to ensure that the United States will be the crypto
capital of the planet and the bitcoin superpower of the world.
And he's announced perhaps the creation of what he's saying will be a crypto reserve. What would that mean, Joe, and would that put federal money at risk?
Yes, for sure.
The crypto strategic reserve is an idea that was laughed at a few years ago, but then El
Salvador, President Bukele started one, a big crypto Bitcoin fan, and it's proven to
be very profitable because if you buy low
and the coins keep going up, then it's like gold, isn't it?
People say that Bitcoin, for example, is the new gold.
That I think is the thinking behind the strategic reserve idea.
But any time you stockpile anything, the bigger the stockpile, the more likely you are to
be at risk of hacking.
I would be terrified if I was in charge of securing what's going to be probably, if they
go through with it in America, the largest reserve of cryptocurrency in history. We're talking hundreds
of billions of dollars potentially.
But surely a hack like this also impacts how people feel about crypto and how confident
they feel about it.
Yeah, I think if you look at the price of crypto and Bitcoin, sort of the green squiggly
line of Bitcoin value, that is the barometer of the health and confidence in the crypto world. And after this Bybit hack it
took a dip. Other things happened as well, but that seems to be the kind of the
reason it went from, I think it was like $96,000 per coin, to about 83 or something
like that. It's sort of coming back up a bit. But every single time this
happens it does, completely understandably, knock the confidence
in what is a very complicated and fast moving industry.
And one of the things about crypto, which people say is a real bonus, is that you can
become your own bank.
But it's a frightening prospect when you know there are people out there who are willing
to go to extreme lengths to hack you.
Thanks so much, Joe. Thank you.