Shahar Madar.
Opinion

North Korean hackers just pulled off the biggest crypto heist ever. It won’t be the last.

The Lazarus Group stole $1.5 billion from Bybit—highlighting a systemic failure in digital asset security.

This past weekend, we experienced what’s estimated to be the largest crypto heist in history: Bybit, a major cryptocurrency exchange, was hacked to the tune of $1.5 billion in digital assets. The attack, in which the funds were stolen from a cold wallet, has been linked to the Lazarus Group, a hacker group made up of an unknown number of individuals, allegedly run by the North Korean government, known for cyberattacks that directly fund the North Korean regime. This breach marks a significant escalation, surpassing the combined scale of all their attacks in 2024.
A recent cybersecurity conference in the U.S. unveiled new and highly creative attack methods used by these state-sponsored hackers, who have successfully stolen billions in crypto to fund North Korea’s activities. Their tactics include deploying malware, taking control of organizational systems, and impersonating venture capital firms, corporate recruiters, and IT job seekers.
Photo caption: Shahar Madar, VP of Security and Cyber Research at Fireblocks (Photo: Courtesy)
That research uncovered a consistent pattern: When posing as VC firms, hackers would send a faulty video call link to companies. When the link failed, they would pressure their targets to download a “correction file”—malware granting internal systems access. When impersonating tech recruiters, they tricked job candidates into downloading infected test assignments, which allowed them to compromise the candidates’ crypto wallets. According to a Microsoft report, these tactics enabled the hackers to steal over $10 million in crypto in just a few months.
Even before this weekend’s massive Bybit heist, North Korean hackers had already stolen $1.3 billion worth of assets in 2024, accounting for over half of all digital assets stolen that year ($2.2 billion). They were also behind one of the year’s biggest crypto hacks: the July 2024 attack on WazirX, one of India’s largest crypto exchanges, in which $235 million of digital assets were stolen. The FBI and the UN estimate that between 2017 and 2024, North Korean hackers stole approximately $3 billion in crypto, funding the country’s military programs, including nuclear weapons development; stolen funds are estimated to account for over 50% of the nuclear development costs.
Just like in any other industry, most cyberattacks in crypto begin with phishing. User-based attacks are those in which a person is the point of compromise, either through human error or as a malicious insider. Phishing and social engineering attacks aim to access internal systems by compromising a specific person or group. Strong hacking groups, like Lazarus, can spend a significant amount of time learning about their targets, thoroughly understanding the organization or company, and developing techniques to mislead employees.
Once access is gained, attackers target transaction approval mechanisms—a critical security layer in crypto wallets.
The signing mechanism, which is the backbone of crypto security, can often become its Achilles’ heel: An attacker can intervene at many points of transaction signing, from the physical machines of the signer to the wallet’s server to the network between them. Attackers can then sign unauthorized transactions and drain wallets. Additionally, threats can emerge from external infrastructure, such as smart contracts, oracles, or external vendors, whether through vulnerable third-party services or insider threats from rogue employees.
Whether managing digital assets in banks, financial institutions, or crypto exchanges, organizations must implement robust security mechanisms to safeguard their holdings. The following are essential measures to prevent breaches and mitigate risk:
• Develop a strong SecOps system: Integrating security protocols within the daily exchange workflows ensures that all system components—applications, servers, and networks—are continuously monitored and protected. Implementing real-time alerts for vulnerabilities and suspicious behavior allows for rapid response to threats. Automated security technologies, such as SIEM (Security Information and Event Management), can dramatically improve detection and response capabilities.
• Employee Training on Phishing and Social Engineering: Employees are any organization’s first line of defense. Continuous security training—including simulated phishing attacks—helps identify vulnerabilities in human behavior. Fostering a culture of security awareness reduces the risk of breaches caused by human error.
• Split responsibility for transaction approvals, wallet creation, and admin amongst multiple independent parties, with strong governance policies to enforce this: One of the most effective security measures is separating key responsibilities to minimize risk exposure. No single individual should have full access to critical systems. Multi-signature (multi-sig) technology ensures that transactions require multiple approvals from independent parties, adding an extra layer of security.
• Implementing Strong Access Control Policies: Organizations should enforce least-privilege access—ensuring that employees only have the minimum level of access necessary for their role. Multi-factor authentication (MFA) should be required for all users, with additional layers of biometric or hardware-based authentication for particularly sensitive operations.
• Utilizing Cold Storage: Cold wallets keep crypto assets offline, making them inaccessible to remote attackers. This approach is particularly valuable for assets that do not require frequent transactions. Periodic audits help verify that stored assets remain secure and uncompromised.
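The split-responsibility and signing-pipeline points above, as an added illustration that is not part of the original article or Fireblocks' own code: a simulated 2-of-3 approval policy in which each party independently signs a canonical hash of the transaction it reviewed, so a transaction altered between approval and broadcast, or a single party approving twice, does not pass. Per-party HMAC secrets are a constructed stand-in for each party's private key on its own hardware.

```python
import hashlib
import hmac
import json

# Constructed stand-in signing secrets for three independent approvers.
APPROVER_KEYS = {
    "treasury": b"constructed-key-treasury",
    "compliance": b"constructed-key-compliance",
    "security": b"constructed-key-security",
}
REQUIRED_APPROVALS = 2  # 2-of-3 policy: no single party can move funds

def canonical_digest(tx: dict) -> bytes:
    """Hash a canonical serialization so every party signs the same bytes."""
    payload = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).digest()

def approve(party: str, tx: dict) -> tuple:
    """A party signs the digest of exactly the transaction it reviewed."""
    sig = hmac.new(APPROVER_KEYS[party], canonical_digest(tx), "sha256").digest()
    return (party, sig)

def policy_allows(tx: dict, approvals: list) -> bool:
    """Count only valid approvals from distinct parties over the tx being broadcast."""
    digest = canonical_digest(tx)
    valid_parties = set()  # a set, so the same party cannot count twice
    for party, sig in approvals:
        key = APPROVER_KEYS.get(party)
        if key is None:
            continue  # unknown approver: ignore
        expected = hmac.new(key, digest, "sha256").digest()
        if hmac.compare_digest(expected, sig):
            valid_parties.add(party)
    return len(valid_parties) >= REQUIRED_APPROVALS

# Constructed sample transaction that the approvers reviewed.
TX = {"to": "0xCONSTRUCTED_DESTINATION", "amount": 1000, "asset": "ETH", "nonce": 7}

def demo() -> dict:
    good = [approve("treasury", TX), approve("compliance", TX)]
    one_party_twice = [approve("treasury", TX), approve("treasury", TX)]
    # Simulated tampering between approval and broadcast: destination swapped.
    tampered = dict(TX, to="0xCONSTRUCTED_ATTACKER")
    return {
        "two_distinct_parties": policy_allows(TX, good),
        "same_party_twice": policy_allows(TX, one_party_twice),
        "tampered_after_approval": policy_allows(tampered, good),
    }

if __name__ == "__main__":
    print(demo())
```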
Crypto exchanges remain a prime target for cybercriminals, and attack methods continue to evolve. Staying ahead of these threats requires a combination of advanced security technologies, continuous education, and strict adherence to security practices at every stage of digital asset management. While the threats are real, a global, collaborative effort and proactive security measures can make the crypto industry safer for users and institutions.
We expect top levels of security from all banks, pension funds, and any financial institution that manages our financial assets. The same standard must apply to digital asset platforms—whether they are crypto exchanges or banks facilitating digital asset custody, especially as their popularity is growing among mainstream audiences and governments. Cybercriminals are becoming increasingly sophisticated, and the value of crypto holdings continues to rise as public trust in digital assets grows. Cybersecurity companies in this space face the same challenges and serve the same critical mission as traditional cybersecurity firms—but in an environment that evolves exponentially faster.
Shahar Madar is VP of Security & Trust at Fireblocks.