World Of Secrets - Bonus: The Lazarus Heist special

Episode Date: September 2, 2025

The biggest heist yet - $1.5 billion disappears in minutes. But what follows reveals North Korea’s expanding reach — from elite hackers to soldiers on the battlefield. Listen to this special episode from The Lazarus Heist right here. The audacious attack was on the ByBit crypto exchange in February 2025. Investigators say North Korean hackers, the Lazarus Group, are responsible – the biggest heist in the history of crypto. With hosts Jean Lee and Geoff White, we uncover how they pulled it off. But as Pyongyang’s cyber army is striking targets all over the world, North Korean soldiers have also been fighting on more traditional battlegrounds – siding with Russia in its war on Ukraine. We meet the South Korean correspondent who secured a world-exclusive interview with a North Korean POW. Does this all signify a turning point for North Korean leader Kim Jong-un, as his cyber operatives pull off increasingly daring heists and his military gain real-world combat experience fighting with the Russians against Ukraine? As Kim continues to ally with Vladimir Putin — a leader whose country possesses exactly the kind of nuclear expertise North Korea has long sought – is he more dangerous than ever? Meanwhile North Korea says it has nothing to do with the cybercrimes the Lazarus Group is accused of, saying the United States is making these allegations to try and tarnish its image. To hear more about the hackers, search for The Lazarus Heist, wherever you get your BBC podcasts.

Transcript
Starting point is 00:00:00 Hi, I'm Geoff White, one of the hosts of The Lazarus Heist. There's a new season of World of Secrets coming soon, but before that, we thought you'd like to hear this special episode. It's about how hackers pull off the biggest heist in the history of crypto. $1.5 billion disappears in minutes, and investigators say the North Korean Lazarus Group are behind it. You can listen to the whole episode right here. And if you want to hear more, search for The Lazarus Heist, wherever you get your BBC podcasts. Friday night in Singapore, February 2025. The time, it's around 10.30, and the CEO of a big digital finance company is working late.
Starting point is 00:00:52 He's got one last job ahead of the weekend, moving money from one account to another. Pretty routine stuff. Routine, but still needs concentration. The money in question is in cryptocurrency and stored in a kind of digital vault. For safety, it's usually kept offline, disconnected from the internet. To use it, the CEO needs to bring it online, unlock it, and move money into a more accessible vault,
Starting point is 00:01:21 one that's open for business on the internet. Think of it like moving money from a bank's underground vault up to the teller's desk. In this case, the CEO wants to move 30,000 Ethereum, one of the major cryptocurrencies, like Bitcoin. 30,000 Ethereum is a lot. The cash equivalent is more than 100 million US dollars. Multiple people need to sign off on the transfer before the exchange can go ahead. The CEO and his team individually make their checks.
Starting point is 00:01:51 30,000 Ethereum from offline Vault A into online Vault B. Yep, looks good. They click the buttons to make it happen. Done. Then the CEO moves on. It's Friday night, after all, things to do, people to meet. But half an hour later, the CEO's phone rings. It's his chief financial officer, his CFO.
Starting point is 00:02:15 Now, this is not a good sign. The CFO normally just sends a text. It's something very bad, the CFO tells him. Sound check, technical check. Are we live? We're all good? Okay, great. 90 minutes later, the CEO is online, broadcasting live. Hello, everyone. This is Ben from Bybit. I'm the CEO and co-founder of Bybit. And he's doing what no CEO wants to do.
Starting point is 00:02:44 This is a very difficult time. Well, about two hours ago, Bybit experienced a hack. Bybit is a cryptocurrency exchange, a place to trade digital currencies. You can swap your pounds or dollars for Bitcoin or Ethereum and a host of other coins and vice versa. And a lot of people use it. Bybit says it has 70 million users trading more than $36 billion a day.
Starting point is 00:03:15 CEO Ben Zhou is up in the middle of the night to tell clients that a chunk of that money is gone, disappeared. So the maximum damage that we have witnessed currently so far, it's the total amount of around 401,000 Ethereum. Now, that's way more than the 30,000 Ethereum he thought he was transferring. It's 401,000 Ethereum, the entire contents of the vault. 401,000 Ethereum is worth an absolute fortune, almost $1.5 billion.
Starting point is 00:03:55 It's as if the thieves have backed up a fleet of trucks and emptied a bank vault. It was quite shocking. On the other side of the world, Warren Mercer is watching it all unfold in real time. He runs a crypto security firm called Hayden and used to do security for the New York Stock Exchange. It's his business to be alert to big movements in the crypto market. Every time Ethereum moves, it leaves a permanent trail like a receipt.
Starting point is 00:04:31 And all those receipts are stored in a giant public notebook called the blockchain. Anyone can open it. Anyone can watch. That's exactly what Warren was doing from his computer in Northern Ireland. He was watching the blockchain, like a live scoreboard. Even before Ben Zhou started his live stream, Warren saw that a huge sum had moved out of Bybit's secure vault. The reaction was, oh, Bybit are moving funds, Bybit's always moving money around.
Starting point is 00:04:58 It's their core business after all. So it seemingly was, oh, that's fine, that's okay. But when Ben Zhou comes out and says the crypto was stolen, Warren is dumbfounded. When you see a number like $1.5 billion, it's, I mean, it's a GDP of some nation states in reality. So it's a significant amount of money. And it's gone from Bybit's vault.
Starting point is 00:05:23 It took 2 minutes 26 seconds. That's nearly $10 million a second, almost certainly the fastest heist of all time. So once we saw that, it was a case of, wow, this is a bit crazy, what happened? This is what Ben Zhou of Bybit is also trying to figure out. So maybe I can go back to the story what exactly happened, at least from the latest update that I have gotten. Two hours after the hack, Ben has two theories. The hacker have managed to either somehow hack the UI of all of the signers' computer. Theory one, hackers have got into Bybit's computers and manipulated them, old school hacking.
Starting point is 00:06:10 Or it could be, I'm just saying all the possibilities, I'm not accusing anything. It could be that the Safe server was hacked, so it was sending this, but we don't know. Theory two, hackers got into the computers of the company behind Bybit's digital vault. At this point, in the early hours of the morning in Singapore, all they know for sure is that they've just been hit, not by a bug or glitch, but by brazen thieves. As far as we know, this could be the largest hack in the history of our industry.
Starting point is 00:06:47 Not just the biggest hack in the history of crypto, but possibly the biggest heist of any kind in history, bigger than any bank job or art grab the world has ever seen. And that's just the beginning. From the BBC World Service, this is The Lazarus Heist. I'm Jean Lee. And I'm Geoff White. Our story is about more than money.
Starting point is 00:07:17 It's about where it goes, what it buys, and who's fighting in the shadows. Welcome to this special episode, the biggest heist yet. Earlier this year, just days before the heist, a man's phone lights up with a message. Finally, he's been waiting for this a long time. Go to this address, it says, with a link to a map. The place is a bit out of town. It's February. It's snowing. He packs some food into a bag and gets into a taxi. He shows the driver the address.
Starting point is 00:07:57 The driver stares at it a while in silence, then turns to give the man a look. Why do you want to go there? he asks. I have an appointment, the man says. The driver looks at him a bit longer, then looks back at the address, and then back at the man mulling what to do. Finally, he turns around and puts the car into gear.
Starting point is 00:08:18 They drive 40 minutes through the snow. When they reach the address, the driver doesn't want to get too close. He stops at a parking lot and the man gets out. The driver speeds off, leaving a cloud of exhaust fumes hanging in the cold air.
Starting point is 00:08:37 The man stands for a moment to take in the scene. On the other side of the car park, he sees a large black metal gate between two imposing buildings. He starts walking toward the gate. It takes about 10 minutes trudging through the snow. Most of the vehicles he passes are military or have government plates. He finally arrives and approaches the guard hut.
Starting point is 00:09:02 I'm here for a visit, he tells the guard. The guard makes a phone call and then passes him some papers to fill in. And eventually, after a thorough search, he's allowed in. As I was going in, I got a feeling that it wasn't really like a building. It felt more like a dungeon. It was extremely dark. The walls were made of old black bricks, well, black stones. I started to wonder whether what I was getting pulled into was someplace really bizarre.
Starting point is 00:09:37 It's late afternoon and outside the sun's setting. The man is led by guards deeper into this dungeon, passing through several long corridors and thick steel doors. Finally, they stop in front of an old wooden door, and he's told he's reached his destination. You could say that I was a little scared. You can't help but be scared. This is a high-security prison, outside Kiev, where Ukraine holds prisoners of war. The visitor has come to meet one particular high-profile inmate after weeks of negotiation with the Ukrainian government. He knows on the other side of that wooden door is someone
Starting point is 00:10:26 the whole world has been waiting to hear from, a North Korean soldier captured on the battlefield fighting Russia's war on Ukraine. Fighting a war in a foreign land. A sign of a more assertive and more ambitious North Korea. The man outside the thick wooden door is Chulwan Jung. He's a veteran correspondent for one of South Korea's major newspapers. The Chosun Ilbo. On the other side of the door is the North Korean soldier. This is a very unusual meeting for sure, one that's not normally sanctioned.
Starting point is 00:11:06 You know, for years it was illegal for South Koreans to contact North Koreans without the permission of their government. Chulwan has received this permission. Even so, he can't help but feel a bit nervous. And when the door swings open, he finds the man on the other side, pretty relaxed. He was lying down, resting. There was music coming from a small TV,
Starting point is 00:11:35 and, you know, he wasn't all that surprised when I walked in. Chulwan is trying to absorb every detail of this encounter. So when he greets the man, he doesn't bow as Koreans normally would. Instead, he extends his arm for a handshake. He wants to feel the prisoner's hands. I couldn't believe how calloused they were. They really looked like the hands of someone who'd worked on a construction site for decades. I was thinking, could this really be the hand of a 26-year-old? The prisoner gives his name as Rhee. His right arm is bandaged and there's a scar on his chin.
Starting point is 00:12:13 The two men begin to talk. None of the guards could understand Korean, so they just let us know how much time we had and left us to it. There were no restrictions at all. It's just the two of them in the cell. Rhee reaches for the remote control and turns down the music. Chulwan reaches for the food he packed earlier in the day. I bought cup ramen noodles and brought them with me.
Starting point is 00:12:41 But you know how North Koreans like Choco Pie? I brought some Choco Pie with me as well. Chulwan knows food is scarce in North Korea. And like many South Koreans, he's pretty sure they have a thing for Choco Pies as well. All this food is meant to break the ice. But Rhee says he's been eating well in prison. And in fact, he wants something else. As soon as I walked in and started talking to him,
Starting point is 00:13:06 he wanted to know if I had any cigarettes. I felt so bad about not bringing any. I still feel bad about it. I could have told him that. North Koreans smoke a lot. Chulwan is struggling a bit now to connect with Rhee. He tells him that he's a South Korean journalist, but says Rhee is confused. A journalist?
Starting point is 00:13:26 He was really surprised. Why would a journalist come all this way to speak to me? Chulwan explains that he knows Rhee has traveled a long way from home and has experienced the horrors of war. And as a fellow Korean, Chulwan says he wants to speak, to understand what Rhee has been through. And so, the ice begins to melt. Chulwan feels confident enough to ask Rhee if he's willing to be recorded.
Starting point is 00:13:51 Rhee says yes. This is their conversation. And I can tell right away that even though it's hard to understand him, there's no doubt that Rhee is from North Korea. His accent is very North Korean. And Rhee tells Chulwan how he grew up as an only child, always hungry, in the North Korean capital, Pyongyang. And he says he hasn't seen his parents since he joined the military 10 years ago. And how after all that time, he's still a private, the lowest rank.
Starting point is 00:14:28 But the questions don't just go one way. Rhee also pumps Chulwan for information. Once he realized I knew about the outside world, he started asking a lot of questions. For example, how is the situation in Kursk now? Kursk, the Russian region where Rhee was captured and where many North Koreans have fought and died over the past year fighting Ukraine on behalf of Russia.
Starting point is 00:14:54 The battle has been shrouded in mystery. For months, Vladimir Putin and Kim Jong-un denied North Korean soldiers were even there. Now, Rhee's about to break that silence. But while the world was just beginning to grasp what North Korea's conventional army was doing on the battlefield thousands of miles from home. Its cyber army was also deep in enemy territory. As governments, generals and spies scrambled to understand why North Korea had joined Russia's war, another covert operation was under
Starting point is 00:15:41 way to try to figure out what else North Korea was up to. Behind closed doors, investigators in the U.S. are trying to track Pyongyang's hackers, who they allege are behind a string of recent heists, and the hackers are moving fast. In May 2024, the Lazarus Group was accused of being behind a hit on a Japanese currency exchange, stealing crypto worth more than $300 million. Soon after, they hit an Indian exchange, taking another 235 million. That's half a billion dollars in just two months. At the time, Chris Wong was an FBI agent dedicated to tracking North Korean hackers. He spent years analyzing their tactics and unpicking their attacks, something that has not gone
Starting point is 00:16:27 unnoticed among his colleagues. I was chatting with somebody when I was still on the FBI and they were like, well, what are you looking at today? And explained a theft that had occurred that was perpetrated by North Korea. And he's like, oh, so you're looking at a theft that occurred last month that is worth more than all of the actual bank robberies that occur in the United States in a year. And I was like, yeah, yeah, it sounds about right. When news of the Bybit theft broke, Chris knew he needed to get on top of it. And the first big question, who done it? There was naturally a lot of speculation that it was the Lazarus Group.
Starting point is 00:17:07 But Chris Wong and the FBI need hard evidence. So Chris and his colleagues begin to follow the money. Remember, all Ethereum transactions are visible on the blockchain. You can see it move from account to account in real time. Chris, with a decade of experience in the FBI tracking North Korean hackers, is looking for familiar patterns. Long-time listeners will know about the ingenious ways the Lazarus Group has gone about laundering stolen crypto. But FBI investigators like Chris Wong know this game intimately.
Starting point is 00:17:39 As I first started watching the Bybit laundering occurring, I was hoping it might be like other thefts that have occurred where assets might move out. And then they're parked for a period of time. It could be weeks, could be months. The Lazarus Group's tried and tested strategy was to steal crypto, sit on it for a while, and then methodically run it through a complicated money laundering system, where they mix up stolen crypto with legit funds, trying to hide it before cashing out into hard currency. But that definitely wasn't the case with the Bybit funds. And so what I saw on the blockchain there was that after an initial dispersion into a number of different addresses in rapid fashion,
Starting point is 00:18:25 constantly 24-7, there's no breaks, which is pretty tough to keep up with. So previously you would have had maybe in a few weeks from what you described, maybe in a few months to look at the trails, to monitor where it's going, to kind of get a handle on it. But with this, I mean, you're talking about every second that you are watching it, money's starting to move around. If you're breaking $1.5 billion up into $50,000 chunks of cryptocurrency, that's 30,000 transactions. You guys are going to have to correct my math, but that's like almost 90 transactions in an hour. 90 transactions an hour. That's more than one a minute.
Starting point is 00:19:06 This is like a high-speed car chase, cops chasing robbers. Those trucks that hauled away Bybit's $1.5 billion, they're now splitting off. All the while, siphoning off the stolen cash into thousands of smaller trucks, which, in turn, are scattering in every direction. So the scale of that and trying to apply people to be able to trace those funds in real time is challenging in the extreme. If you're tracing any assets that are moving like this, any break that you take, you're behind. And Chris Wong knows, fall behind and it's over.
Starting point is 00:19:49 There's no hope of catching the criminals. So they kept at it. And after five days and nights, the FBI was able to identify who they believe was behind it. Even the most cautious criminals leave clues. The FBI followed the trail to 51 Ethereum addresses, each a digital fingerprint left behind by the thieves. And those fingerprints all pointed in one direction.
Starting point is 00:20:18 North Korea. The FBI made it official, declaring Kim Jong-un's regime was behind the attack. The Lazarus Group strikes again. No guns, no borders. How are they doing this? This is not just a one-and-a-half billion-dollar question for Bybit. It is a multi-trillion dollar question for the entire cryptocurrency world.
Starting point is 00:20:49 Because if hackers can steal one-and-a-half billion from Bybit, how much can they get from everyone else? Is anyone's money safe? On the same day, the FBI blames the Bybit theft on North Korea, Bybit declares war on the Lazarus Group. Not willing to leave it all to law enforcement, Bybit CEO Ben Zhou calls on members of the crypto community to become bounty hunters.
Starting point is 00:21:28 He makes an offer. Anyone that shares information that helps trace and freeze the stolen crypto can take a 5% cut of whatever is recovered. That could be a sizable chunk of change. The challenge is announced on social media. We will not stop until Lazarus is eliminated, Zhou wrote, ending in all caps.
Starting point is 00:21:48 Let the hunting season begin. That sounds like some dramatic movie trailer, but this is real life, and it reveals something deeper. Bybit is desperate. Desperate to get its money back, and desperate to prove to customers that it can protect their funds. But tracking and freezing this money is incredibly hard.
Starting point is 00:22:14 Here's how to picture the problem. The Lazarus Group has stolen almost $1.5 billion worth of cryptocurrency. Imagine this crypto as a giant bag of red marbles. The Lazarus Group starts trading these stolen red marbles for other red marbles. Immediately, it's harder to know if any red marble is stolen or not. Then it starts trading these red marbles for marbles of other colours. Black, white, blue, green, yellow, purple, pink, orange. These marbles held by the Lazarus Group are now even harder to track. Which colours are theirs now? Then, the real trick.
Starting point is 00:22:57 They take a hammer and smash all their marbles into pulverised dust and then blow it all over the internet. That's a great analogy. Yeah, I was thinking exactly that pulverized dust. That's what you've taken from big marbles or big rocks. That's 100%. Nick Carlson has spent his career tracking North Korea, first for the U.S. Army, where he learned Korean
Starting point is 00:23:25 and was deployed to one of the most heavily militarized regions in the world, the Korean DMZ that separates north from south. Then he spent 12 years as an intelligence analyst with the FBI, specifically tracking North Korea's efforts to avoid sanctions. Now, he does the same kind of work for a cyber security company, TRM Labs. I did not get into crypto because I like crypto. I got into crypto because North Korea was stealing crypto. Extending that red marble analogy, Nick says a bounty hunter or investigator could still track
Starting point is 00:23:59 each particle of pulverized dust by following the thread left by its digital signature. There's nothing particularly challenging about following any one of these threads. I'm not saying anybody could sit down and do it. But with a little bit of training, I think most people could. But the challenge is the scale. There's just so much of this. There's so many threads to follow that it becomes unmanageable. This is not to say the hackers are home-free.
Starting point is 00:24:26 They have their own problem. Yes, they've turned their giant bag of red marbles into drifts of multicolored dust. but that dust is still fragments of crypto coins. They're not out there just trading coins because they want to. They're doing this to raise real money for the regime to go buy stuff, you know, fuel oil, components for weapons program, whatever. And you can't really buy that with cryptochance in it. Right, exactly. Not yet.
Starting point is 00:24:53 But so they need somebody to give them, you know, real money, something like dollars or Chinese yuan or whatever, that they can go then to buy these real things. And so they need to go and sell this money to brokers. And all the intermediate process, the laundering, that's just a smokescreen, right, to give them plausible deniability at the very end of this process to sell these stolen assets to a broker. The broker is a key person often overlooked in this equation. This is a person who solves
Starting point is 00:25:33 a specific problem for big criminal operations. A group of cybercriminals, such as the Lazarus Group, has a bunch of crypto marble dust to sell, but they want dollars, pounds, cash. A drug cartel, for example, has the opposite problem. Drug users usually pay cash. And as that money flows up the chain, those at the top can struggle with what to do with it all.
Starting point is 00:25:58 What's a drug lord to do? Well, in the case of Colombian drug lord Pablo Escobar, he just stuffed it in the walls of his home. $18 million was found stashed in the walls of one of his houses. Another drug bust in Mexico once turned up $200 million stuffed in the walls of a Mexico City mansion. Enter the broker, someone who can solve the problems of both parties. The solution, swap the cash for crypto. The drug lord's dollars are no longer holed up in a wall at risk of mice or mold or pesky police. They're safely stashed in digital vaults.
Starting point is 00:26:32 And the crypto thieves now have dollars that they can use to buy things in the real world. The broker takes a cut, and everyone's happy. Nick says cryptocurrencies have created an entirely new dynamic for the criminal cost. They've totally revolutionized the money laundering world. There is this enormous infrastructure that exists now because of the ravenous demand for the service of converting dirty cryptocurrency into real world currency, and the reverse, vice versa. So Nick, as an investigator, there's a sort of frustrating bit of this where you can trace it through the system, through the crypto system.
Starting point is 00:27:09 But at a certain point, if they sell it to somebody for just cash, then it's just cash in a bag somewhere in a suitcase. You lose your ability at that point, right? Yeah, no, it's, it is frustrating. I'll be honest. The Lazarus Group steals the crypto, brokers turn it into cash. But where it goes next matters most. Because this isn't just about getting rich.
Starting point is 00:27:35 It's about the power and ambition of one man. We are in a pretty sizable motorcade with limos and police cars and escorts and everything. Pyongyang, October 2018. Steve Biegun is President Donald Trump's special representative for North Korea. We were making a racket. We were a big motorcade. This is not everyday stuff. Steve and a diplomatic entourage are rolling from Pyongyang-Sunan Airport to an exclusive guesthouse. Steve's traveled in motorcades around the world.
Starting point is 00:28:14 But when he looks out of the window in North Korea's capital, there's something odd. We would see people walking down the sidewalks, but none of them looked over. Even though they're the only cars on the road. They didn't even look. A guy in a sidewalk 20 feet away from all this hoopla and it doesn't even look up. So what do you make of that? How did you understand the North Korean people based on observations like that? You can only conclude one thing.
Starting point is 00:28:40 There's nothing good that comes from being curious in that system. You look over and someone might see it looking over there. Just keep your head down, move along, nothing to be seen. That's how you survive in that system. They pull up at the guest house. The doors open, and Steve walks up the steps and into a grand hall. There facing him is the leader of North Korea, Kim Jong-un. And I went up and shook his hand, and the interpreter was there with me,
Starting point is 00:29:11 and he welcomed me to meet in North Korea and asked me if it was my first time. I said, yeah. There's a bit of chit-chat, but this is not a social visit. This is ultimately about trying to avoid war. Kim Jong-un wants relief from crippling U.S.-led sanctions that are strangling North Korea's economy. The United States wants an end to North Korea's nuclear program. The two sides move immediately into a conference room. There's a big table in the middle. Kim Jong-un and his team sit on one side.
Starting point is 00:29:43 Steve and his fellow American diplomats sit on the other. It's the beginning of a day of meetings. Chairman Kim Jong-un, he struck me as certainly used to being in charge, that's for sure. You could sense him bristle a little bit when there was a point of, if not disagreement, maybe just differing approaches to an issue during our discussions. You could feel the heat rise pretty quickly. This is the first of three meetings Steve would have with Kim Jong-un over the course of the coming eight months, an intense period of close-quarters diplomacy between the
Starting point is 00:30:19 U.S. and North Korea. In that time, Steve got to know the North Korean leader better than most outside the secretive state. What do you think Kim Jong-un wants at the end of the day? I know this is the question you always get and it's the hardest question to answer. But after all of this, all that you've been through with this diplomacy
Starting point is 00:30:39 and even through what we're seeing right now, what would you say it is that he wants? In one sense, what he wants is everything. He wants all of the above. He wants to sustain his dynastic regime. He wants to maintain complete control over the country and his population. And he wants to retain his nuclear weapons. He wants it all. He wants to keep the weapons. He wants to get rid of the sanctions. But I say that in one sense, that's what he wants. Because in another sense, Jean, I think this is the central challenge we had diplomacy is he doesn't know really what he wants. Because if he really
Starting point is 00:31:21 knew what he wanted, he'd have to make some choices. This strikes me as a really important insight. The reason why I say I'm not sure Kim Jong-un knows exactly what he wants is because I think he kind of intuitively understands that a choice to open up to tourism, trade, to investment, to student exchanges, et cetera, et cetera, in essence, is a destruction of the system. If you had all this, it was irreconcilable with a brutal totalitarian dictatorship. Kim Jong-un may not know what he wants, but he knows what he needs. Cash. That's why the record-breaking Bybit theft matters so much. It helps Kim avoid making tough choices between opening up his country to allow its economy to flourish and his desire
Starting point is 00:32:12 to acquire nuclear weapons. This one recent theft of $1.5 billion, that's 5% of GDP. 5% of North Korea's estimated entire annual economic output made in minutes in a single heist. If the Lazarus Group can keep hitting the jackpot, Kim can have it all. In one fell swoop, a $1.5 billion cyberheist wipes out a year's worth of effort to put pressure on the North Korean economy. 5% of GDP and setting the effects of international sanctions back a year. Incredible.
Starting point is 00:32:54 Estimates for sure, but the scale is incredible. The Lazarus Group is now a major player in North Korea's economy. But how exactly did North Korea manage to steal so much from Bybit? Let's go back to that Friday night in Singapore. Bybit's CEO and his team think they're moving 30,000 Ethereum from their offline vault to their online one. Instead, the Lazarus Group walk away with 401,000 Ethereum. Yeah, this is where it gets really interesting.
Starting point is 00:33:36 Warren Mercer again, the veteran Lazarus Group hunter, an owner of Haydn's security. Warren dissects every big heist, reading the blockchain and the malicious code to learn what he can. Remember, in the hours after the heist, Bybit had two theories about what went wrong. Theory one, someone hacked Bybit's computers.
Starting point is 00:33:58 Theory two, someone hacked the computers of those who made the digital vault that holds the money. At the time, there was no post-mortem, so no one knew exactly what had happened. The reality was Bybit had been compromised. $1.5 billion was stolen. $1.5 billion was now transacting through the blockchain.
Starting point is 00:34:17 Warren's gut told him the problem was indeed at Bybit. When it happened, the immediate reaction was something was happening at Bybit. That then turned out to not be the case. That's why good investigators don't just go with their gut. They follow the facts. And they've traced the origins of the hack back a few weeks just before the late-night heist. On February 4th, North Korean hackers begin an attack on another company called SafeWallet. They're a big deal in digital wallets, electronic vaults for electronic valuables.
Starting point is 00:34:56 But Safe Wallet is not the main target. It's just a stepping stone. And the hackers have an eye on a single software developer, when a very few who has deep access to the company's systems. The hackers have registered a website, a share price platform, handy given SafeWallet's line of work. It appears legitimate. So they entice the Safe Wallet developer to click on it and download what looks like a share trading app onto their work computer. Big mistake.
Starting point is 00:35:30 Hidden inside is the hackers' virus. Malicious code rushes into the developer's computer. The hackers are in, and they can see everything the developer is doing on that machine. So the hacker was then able to gain an AWS user session token? What on earth is that? Think of that as a key card to Safe's server room. So think of that as a privileged access to all of Safe's equipment.
Starting point is 00:35:58 You now have the keys to the kingdom. And that kingdom includes the computer code that controls Bybit's offline vault, which, as we now know, contains the crypto equivalent of nearly one and a half billion dollars. What the attacker then did next was deploy a malicious JavaScript file. So think of this as a web page that you see, but with some hidden instructions in it. This is the technical bit. When they want to open Bybit's offline vault to make a transfer,
Starting point is 00:36:32 the CEO and his team each must confirm the details of the transaction on their screens. The amount? 30,000 Ethereum. The destination? One of Bybit's online vaults. The system's designed to be as secure as possible. Multiple staff have to agree to the transfer. It's like making a withdrawal from a joint bank account.
Starting point is 00:36:55 Each one of them sees the same thing on their screen. So they all agree to the transaction. They all click OK and the money moves. But what if what they see on the screen isn't real? That's the trick the hackers have pulled off. So everything that's displayed on screen looks correct. Everything you see is real and looks good, but the underlying transaction is completely not. So when Bybit's employees call up the software, they're entering in the detail and saying,
Starting point is 00:37:23 I want to move this amount of money from here to here. In the background, the hackers can just change that. Yep. Fundamentally, that is exactly it. That is the simplest way to look at it. Like a magic trick behind the scenes. Literally it, yeah. It's the art of deception. The Lazarus Group didn't just break into the vault. They were rewriting reality. What Bybit's executives saw on their screen was a lie.
Starting point is 00:37:48 It is fiendishly clever. The Lazarus Group had hacked the very vault holding Bybit's money and tricked Bybit's executives into transferring that money directly into a North Korean wallet. It's a near-perfect digital crime. SafeWallet says the Bybit heist highlights the increasing sophistication of hackers and that the company is committed to establishing a new standard for security.
Starting point is 00:38:13 Almost six months on from the theft, only 5% has been frozen. Most of the money, Bybit admits, has gone dark. In other words, it's truly gone, untraceable. Now, we should say, for all the allegations of billion-dollar thefts, the North Korean government has never admitted to being responsible for any illegal hacking, and has strenuously denied allegations that it runs a state-sponsored hacking program. The whole claim is a farce, North Korea's ambassador to London once told us. But this is more than a heist.
Starting point is 00:38:47 It's also a sign that North Korea's abilities are catching up with its ambitions. Back in 2016, the Lazarus Group had similarly lofty ambitions. Their target was to steal a billion dollars from the Bank of Bangladesh. In the end, they managed less than 10% of that. And nearly a decade later, they've not only hit their billion-dollar target for the first time, they've blown it away. So the Bybit heist signals just how much the Lazarus Group has learned over the last decade
Starting point is 00:39:20 and what it's capable of. And that's what makes the next part of the story so unsettling. Because if its cyber army can evolve like this, what about its conventional army? In early 2025, while North Korea's cyber warriors are winning, its troops fighting in the Kursk region of Russia are not. Rhee, the North Korean POW, is lying on his bunk in a Ukrainian prison with a blanket over him, telling South Korean journalist Chulwan Jung his experience of North Korean cooperation with Russia. So here, Rhee is explaining that as lower-ranking soldiers,
Starting point is 00:40:11 they had very little opportunity to interact with Russian soldiers. Everything was handled by their superiors, the ammunition, the supplies, the clothing. In fact, meeting Russian soldiers is Rhee's first real interaction with foreigners of any kind. And on the brief occasions that he had to communicate with the Russians, he says he had to resort to a translation app on his phone. Chulwan, already alive to every detail, is now even more interested. This is what he's come to Kiev to hear about. Most of all, I was curious about the battlefield experience,
Starting point is 00:40:54 because before that, there were many reports about how the North Korean military is fighting in Kursk, and a lot said it is actually being used as cannon fodder. Rhee tells Chulwan he was deployed to Russia with about 2,500 other men. He says they took a train, then a plane, and then finally a bus. And he was told it was a training exercise. But early on the morning of January 5th, 2025, Rhee is ordered to join the Russian battle to drive out Ukrainian troops, which had taken control of Russian territory.
Starting point is 00:41:30 Rhee was clearly shaken by the battlefield experience. Every time he spoke about it, you could feel that every scene, every sound, even every smell was deeply embedded in his mind. And you could feel that he was experiencing this pain again by recalling those memories with me. The first wave of North Korean troops charge head on into the Ukrainian line and suffer heavy losses from drones and artillery fire. Rhee and two other soldiers try a different approach, go around the Ukrainians and attack from the rear. Then a drone spots them, too. Suddenly, artillery fire rains down and Rhee says his two comrades
Starting point is 00:42:14 are killed. Now, Rhee is alone. Scrambling for cover, he fires at the drone, but misses. And the next thing he knows, a bullet rips through his arm and then shatters his jaw. He remembers losing so much blood and then passing out. Rhee wakes hours later. It's dark. He's dizzy and weak. He tries to retrace his steps and runs into some soldiers. Thankfully for him, they're North Koreans. They bandage him up and settle into what they think is a safe spot. But then there's that sound of a drone again. Ukrainian troops have found them. Rhee and the other North Koreans run and again, Rhee says a drone strike kills the men around him.
Starting point is 00:42:58 Rhee somehow survives, but his arms are so badly wounded, he can't use them, and he has no weapons. So when a Ukrainian unit closes in on him, he has no way to resist. Rhee is just one of an estimated 11,000 North Korean soldiers sent to fight in Russia, part of a comprehensive strategic partnership signed between the two countries a year ago. And that partnership goes far beyond manpower. One estimate from April found that North Korea has shipped nearly 6 million shells and rockets to Russia.
Starting point is 00:43:34 Just staggering, but by January of this year, Western officials tell the BBC that the North Korean forces are suffering horrific casualties. They say around 1,000 men have died in the fighting, and a further 3,000 are thought to be wounded, missing or captured. If that's accurate, it means the North Korean contingent sent to fight for Russia has suffered casualties of almost 40%. It's a shocking and unsustainable rate. Chulwan Jung is much more relaxed on his trip home from Ukraine's high-security prison
Starting point is 00:44:13 than he was on the way there hours earlier. His interview with Rhee is a huge scoop. He's already thinking about how to write it up and he's thinking about what it means for the entire Korean peninsula. Some of what he's heard gives him hope. It's a fact, of course, that North Korea and South Korea are diametrically opposed from a political and military standpoint. But when we meet one-on-one, we can communicate.
Starting point is 00:44:45 And though there has been a 70-year division, we share cultural traditions. That human connection between two Koreans on opposite sides of the border is powerful. Perhaps conflict is not inevitable. But not everything Chulwan heard is so reassuring. Rhee told him that members of North Korea's security services were embedded with the troops in Russia, not to fight, but to maintain ideological control. The North Korean secret police are constantly feeding them ideology. They say things like, the drones you'll encounter here on the battlefield are not from Ukraine. They're
Starting point is 00:45:32 sent by the South Korean military. Ukraine has actually been making its own drones since the earliest days of the war. South Korea, on the other hand, has been deeply cautious about sending any military aid to Ukraine. But Rhee saw his comrades killed by drones. And if he and others believe South Korea was behind it, that fear and hatred could deepen. And there's something else that worries Chulwan, something military planners across the region are watching. In Russia and Ukraine,
Starting point is 00:46:07 North Korea's army is gaining real battlefield experience. It's learning particularly in one area. There are certainly many people in South Korea who are very concerned about the experience and know-how that the North Koreans are gaining with drones in Kursk. Drones are now central to modern warfare. They are the Kalashnikovs of the sky. Cheap, accessible and devastating.
Starting point is 00:46:41 Knowing how to use and counter them is crucial for any army. North Korea's forces have been learning some deadly battlefield lessons in Russia. And that might not be all. In return for its troops and shells, the fear is that North Korea may be getting knowledge from Russia and not just battlefield tactics, but nuclear know-how. As we've covered on this podcast, North Korea already has missiles, and it has nuclear warheads. Putting the two together, making them work as one, is Kim Jong-un's holy grail, to which Russia, a long-standing nuclear power, may have
Starting point is 00:47:21 the key. If North Korea is swapping its troops and missiles for Moscow's nuclear knowledge, now that is a devastatingly dangerous development. That's according to diplomat Steve Biegun. That's the number one issue that any of us should be concerned about. And that's why Russia's assistance to North Korea, if it in fact is helping them refine and improve their delivery systems, is actually a direct threat to the United States of America. Because North Korea certainly has intercontinental ballistic missiles, and it certainly has nuclear weapons. But mating those two together and then delivering them to a target is a complex undertaking. And if the Russians, again, are helping them figure that out, the Russians are doing something that poses a direct threat to the United States of America.
Starting point is 00:48:17 Steve says there's no hard evidence that's definitely happening. but the risk is real. There's something going on there. Could it be, is it possible? Instead, they're just teaching them horticultural skills in order to grow a better, more sustainable food supply for their people. It's possible. But I don't think that's the kind of thing that would move the needle for the North Korean regime.
Starting point is 00:48:38 North Korea is learning and evolving on the battlefield, in cyberspace, and possibly, behind the closed doors of its nuclear research labs, labs it can keep running thanks to the loot stolen by the Lazarus Group. Nevertheless, it's an evolution taking place within a regime built on fear. For its citizens, failing to help North Korea advance
Starting point is 00:49:02 can have fatal consequences. In my long conversation with Steve Biegun, there was one name I wanted to raise, a name both Steve and I know, Kim Hyuk-chol. Kim Hyuk-chol, are you serious? Yes, I'll show you some pictures. We need to have this conversation another time.
Starting point is 00:49:24 Steve wanted to talk about Kim Hyuk-chol right away. Yeah, so he had been the ambassador to Spain. Yes. Steve went over Kim Hyuk-chol's career. Veteran North Korean diplomat with roles of varying public visibility. You know, I arranged to meet him in 2011 in New York. He was my counterpart when we were negotiating the opening of the AP Bureau in Pyongyang. We spent a whole week together in New York.
Starting point is 00:49:54 And in 2019, he became Steve's counterpart, North Korea's lead negotiator in the talks with the U.S. That's right. Steve called him his doppelganger. They were of similar age and family background. Their big job was to sort a summit where their bosses, Donald Trump and Kim Jong-un, could meet and where Kim hoped he could strike some kind of a deal to lift the international sanctions on North Korea. The summit between the two leaders happened in Hanoi in Vietnam. We covered this in season two
Starting point is 00:50:25 in the episode Fire and Fury, but the deal did not. President Trump didn't feel like the summit was a failure. He felt like the gap was still too big. That's exactly the words he used with Chairman Kim in that we need to keep working at it. We need to keep our teams together and keep working. We'll get there.
Starting point is 00:50:43 The meeting didn't end in acrimony or, you know, doors slamming or people stomping out. It was warm handshakes and, you know, really great to see you. And then President Trump expressed willingness and interest to see Chairman Kim again soon and so on. You know, it wasn't at least in our thinking the end of anything. But the North Koreans may have seen it differently. Steve says they went into a protracted period of silence. And that is an ominous sign.
Starting point is 00:51:12 And then came the rumors. Stories of people involved in the Hanoi summit being sent to re-education camps or to do menial work. Earlier this year, Steve was in Beijing speaking to a Chinese contact that he says is close to North Korean officials. And the source gave an update
Starting point is 00:51:29 on what happened to Kim Hyuk-chol after Hanoi. Upon the return to Pyongyang, he and two female interpreters had all been arrested, accused of various charges embarrassing the state, failing to
Starting point is 00:51:45 uphold the dignity of the nation. And there's some generic charges like this and that they were executed out by Pyongyang International Airport. I think it was by firing squad, they said. And that all foreign ministry officials above the director level were required to witness the execution. It's a brutal system. It is unforgiving.
Starting point is 00:52:09 Failure has to be borne by those other than the leader. It's sobering. You can hear it in Steve's voice. It's true. I have to say there are other versions of this story. Some say Kim Hyuk-chol is still alive, but no one has seen him in public in years. And in a regime built on fear, disappearing from view sends its own kind of message. And it's not just diplomats. Even the Lazarus Group won't be safe. Warren Mercer, who was struck by the real skill of the hackers in manipulating Bybit's offline vault to steal $1.5 billion, has a sense of the pressure they're likely under.
Starting point is 00:52:49 There's a tell-tale clue in the hack. Two minutes and 1.5 billion away. In that two-minute period, they carried out a $90 test transaction. You have to think about it. I'm an operator sitting in deepest, darkest North Korea. I'm under a lot of pressure. We've got this big, big fish that we've just captured. I now need to make sure that we get the $1.5 billion to the infrastructure and wallet we control.
Starting point is 00:53:12 So I literally took the time to carry out a $90 test transaction. So the operator carrying out this attack had a little bit of fear as well in himself. He knew he couldn't mess this up. Can you imagine getting one of those digits wrong? Oh, the 1.5 billion went somewhere else. Somebody else has got it. It would have been a
Starting point is 00:53:29 scary payday. Particularly if your boss is Kim Jong-un as well, yeah. This is it. I mean, this guy or female who carried out this attack from an operator perspective, they see no benefit of this. They don't reap any benefit at all. The regime reaps the benefit. No glory, no reward, just pressure and fear.
Starting point is 00:53:55 Two days in February tell the whole story. The day before the billion-dollar Bybit heist, Chulwan Jung published his story about Rhee, the North Korean soldier, now being held as a prisoner of war in Ukraine. These two events reveal a North Korean regime more capable and dangerous than ever. While its army is getting battle ready, Lazarus Group hackers are proving more adept
Starting point is 00:54:22 and more technically advanced than any other cybercriminals in the world. With their help, Kim Jong-un is finding it easier to overcome efforts to control him through threats and international sanctions. He's becoming increasingly self-sufficient. The world may not be ready for what comes next.
Starting point is 00:54:46 No longer isolated. His is a regime unleashed. The Lazarus Heist is an original podcast from the BBC World Service. The producer of this episode is Neil Rousel. The editor is Richard Fenton-Smith. Our original music was composed by Magnus Fines and I-I-I-I-W from the South Korean band, Jambanai.
Starting point is 00:55:17 And as ever, we love your feedback. Keep leaving those ratings and reviews, and do subscribe so you don't miss out on future episodes. You can also spread the word on social media using the hashtag Lazarus Heist. We've been telling the story of the Lazarus Group. But hackers are found everywhere.
Starting point is 00:55:53 So, we're returning with a brand new season and a brand new story. Season three is coming soon. Follow or subscribe so you never miss an episode. Thank you.
