A cautionary tale that involves North Korean hackers and lapses in crypto security.
The New York Times reports on a fascinating and frightening story about the cryptocurrency exchange Bybit, which lost $1.5 billion to North Korean hackers. It all happened last month when Ben Zhou, Bybit’s CEO, logged in to approve what seemed like a routine transaction. Within thirty minutes, his CFO called him with what the article describes as “a trembling voice,” delivering the shocking news: “All of the Ethereum is gone.”
What unfolded was the largest heist in cryptocurrency history. North Korean-backed hackers, exploiting a security vulnerability in Bybit’s system, managed to steal the staggering amount in digital assets. This catastrophic breach sent shockwaves through the crypto markets. And it also exposed serious flaws in the industry’s approach to cybersecurity.
How did it happen?
The root cause of the breach was frighteningly simple: Bybit relied on Safe, a widely used open-source storage tool. While Safe is popular among individual crypto users, it lacks the robust security needed for an exchange managing billions in assets. The hackers got into Bybit by compromising a Safe developer’s computer and injecting malicious code.
When Zhou approved the seemingly legitimate transaction, the hackers seized control and transferred the funds to their own accounts. Crypto analysts quickly traced the theft to the Lazarus Group, a notorious North Korean hacking syndicate with a history of targeting financial institutions to fund illicit activities.
Could the attack have been prevented?
Many security experts argue that the attack was entirely preventable. The article indicates that Bybit had noticed compatibility issues with Safe months before the hack but failed to upgrade to more secure storage solutions.
Several preventive measures could have mitigated the risk:
- Stronger security infrastructure: Bybit should have transitioned to enterprise-grade security solutions rather than relying on a tool designed for hobbyists.
- Enhanced transaction verification: Using a more secure approval process, such as multi-party computation (MPC) wallets, could have prevented a single compromised transaction from granting hackers full access.
- Regular security audits: Continuous monitoring and stress-testing of security systems would have identified vulnerabilities before they could be exploited.
- Mandatory transaction reviews: A thorough review process ensuring that all transactions are verified on secure devices would have helped prevent unauthorized transfers.
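To make the two approval-related measures above concrete, here is an added example (not code from the article, from Bybit, or from the Safe project) that models a treasury transfer with two controls: an independent "what you see is what you sign" review that recomputes the transaction digest on a separate device and compares it with the payload actually handed to the signer, and an M-of-N approval quorum so that one compromised approval cannot release funds on its own. The digest scheme (SHA-256 over canonical JSON), the HMAC stand-in for approver signatures, and every address and key are constructed for illustration and do not reproduce Safe's real signing format or Bybit's workflow.

```python
"""
Added illustration of 'verify on an independent device' plus an M-of-N
approval policy for a treasury transfer. Constructed example; it does not
reproduce the Safe contract's real hashing scheme or Bybit's actual workflow.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Transfer:
    to: str        # destination address (hex string, constructed)
    value: int     # amount in the smallest unit
    data: str      # hex-encoded calldata, "0x" for a plain transfer
    nonce: int     # replay protection


def tx_digest(tx: Transfer) -> str:
    """Canonical digest of the transfer. Hypothetical scheme: SHA-256 over
    sorted-key JSON; it stands in for the wallet's real signing hash."""
    canonical = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def independent_review(shown_on_ui: Transfer, submitted_to_signer: Transfer) -> bool:
    """What-you-see-is-what-you-sign check: the reviewer recomputes the digest
    of the transaction as displayed and compares it with the digest of the
    payload actually handed to the signing device. Any difference means the
    front end cannot be trusted and the approval must stop."""
    return hmac.compare_digest(tx_digest(shown_on_ui), tx_digest(submitted_to_signer))


def approve(digest: str, approver_key: bytes) -> str:
    """Each approver authorises one specific digest with their own key.
    HMAC-SHA256 stands in for a hardware-wallet signature."""
    return hmac.new(approver_key, digest.encode(), hashlib.sha256).hexdigest()


def quorum_satisfied(digest: str, approvals: dict, approver_keys: dict, threshold: int) -> bool:
    """M-of-N policy: count approvals that verify against registered approver
    keys and cover exactly this digest. With threshold >= 2, a single
    compromised approval cannot by itself release funds."""
    valid = 0
    for name, tag in approvals.items():
        key = approver_keys.get(name)
        if key is None:
            continue  # unknown approver, ignore
        if hmac.compare_digest(tag, approve(digest, key)):
            valid += 1
    return valid >= threshold


# --- constructed scenario -------------------------------------------------
APPROVER_KEYS = {  # constructed secrets; in practice they live in hardware wallets or HSMs
    "ceo": b"ceo-key-constructed",
    "cfo": b"cfo-key-constructed",
    "ops": b"ops-key-constructed",
}
THRESHOLD = 2

INTENDED = Transfer(to="0xcoldwallet" + "0" * 30, value=1_000, data="0x", nonce=7)
# A tampered payload: same value and nonce as displayed, different destination and calldata.
TAMPERED = Transfer(to="0xattacker" + "0" * 31, value=1_000, data="0xdeadbeef", nonce=7)


def demo() -> dict:
    """Run the two controls against the intended and tampered transfers."""
    intended_digest = tx_digest(INTENDED)
    single = {"ceo": approve(intended_digest, APPROVER_KEYS["ceo"])}
    two = dict(single, cfo=approve(intended_digest, APPROVER_KEYS["cfo"]))
    return {
        "review_ok": independent_review(INTENDED, INTENDED),
        "review_catches_tamper": not independent_review(INTENDED, TAMPERED),
        "one_approval_enough": quorum_satisfied(intended_digest, single, APPROVER_KEYS, THRESHOLD),
        "two_approvals_enough": quorum_satisfied(intended_digest, two, APPROVER_KEYS, THRESHOLD),
        # approvals over the intended digest do not carry over to the tampered one
        "approvals_bound_to_digest": not quorum_satisfied(tx_digest(TAMPERED), two, APPROVER_KEYS, THRESHOLD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that neither control depends on the web front end being honest: the review recomputes the digest from fields the reviewer obtained independently, and each approval is bound to that exact digest, so a payload swapped in between display and signing both fails the review and invalidates every approval already collected.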
Proliferation Financing and North Korean cyber threats
The Bybit hack is more than just a cautionary tale for crypto security. It also highlights the growing threat of proliferation financing (PF). North Korea has long used cybercrime to fund its nuclear and weapons programs. Using cryptocurrency both to raise funds, for example by hacking exchanges or receiving payments, and to move them has allowed North Korea to evade the traditional financial system in a new way that requires no physical presence in the target countries.
The Lazarus Group, responsible for this and previous crypto heists, launders stolen assets through a web of crypto wallets and exchanges, ultimately funneling funds into the country’s illicit activities. After the heist, venture investor Haseeb Qureshi is quoted as saying, “Lazarus Group is on another level,” acknowledging the sophistication of the attack.
This incident further underscores the urgent need for stricter regulatory measures and improved cybersecurity standards to prevent bad actors from exploiting the digital asset ecosystem.
In fact, at least $316m of virtual assets were stolen by North Korea in 2019-2020 alone. Iran may also have launched a Central Bank Digital Currency to operate as part of an alternative financial system. Iran has also raised assets by mining digital currency.
A wake-up call?
Will the Bybit hack serve as a wake-up call for the entire cryptocurrency industry? It’s clear that exchanges handling billions in assets must prioritize security and implement industry best practices to protect against cyber threats. And it’s becoming increasingly clear that the global financial community needs to work together to curb proliferation financing by closing loopholes that allow stolen crypto to fund terrorism and rogue states.
As digital currencies continue to evolve, so must the safeguards protecting them from falling into the wrong hands. Zhou is quoted as noting after the attack, “There’s a lot of regrets now… I should have paid more attention on this area.”
This heist also serves as a stark reminder of how easily a legitimate business can become entangled in proliferation financing. Bybit had no intention of facilitating illicit activity, yet its security lapse enabled North Korean hackers to siphon funds that will likely be used to support weapons development and terrorism. This demonstrates why companies, especially those in the financial and technology sectors, must proactively implement stringent security measures and robust compliance frameworks to prevent their platforms from being exploited by nefarious actors. Without such precautions, even well-meaning businesses can find themselves unintentionally contributing to global security threats.
Complacency in security is a direct invitation to disaster.
Want a practical guide to the implementation of a proliferation financing programme? Download our free guide now.