Words by Harriet Salem
Illustration by Oliver Li

Delayed Gratification is a magazine that uses the slowness of print as a way of returning to stories once the dust has settled. Rather than racing to be first, it takes its time and provides readers with the sort of context and thorough reporting that simply isn’t possible in the moment. Today’s story is a sort of ultra-delayed gratification, because it reports on the world’s biggest ever theft, which took place almost exactly a year ago, and which I’d completely missed until I came across it in the pages of the magazine.

On 21st February last year, Ben Zhou, co-founder of Dubai-based Bybit, the world’s second largest cryptocurrency exchange, logged on to transfer funds from one digital wallet to another. It should have been a routine transaction for Bybit’s CEO, but unbeknown to Zhou one of the company’s storage wallets had been infiltrated by malicious actors. When Zhou signed off on the transfer, instead of sending funds to another Bybit wallet, he unwittingly handed over 401,000 Ether tokens, worth $1.5 billion, to a group of North Korean hackers.

“It was an absolutely stunning attack, just an astonishing amount of money,” says Geoff White, an investigative journalist specialising in technology and cyber-crime. “It’s the biggest theft ever, not just in terms of hacking or a crypto heist. It’s the largest amount ever to be stolen from a single victim.”

In the crypto world, suspicion quickly fell on a band of North Korean hackers known as the Lazarus Group. “They have a reputation for pulling off audacious, high-value heists,” says White, who wrote a book and co-hosted a podcast called The Lazarus Heist, which looked at various hacks carried out by the group. “They got the name because when you try to destroy their viruses they seem to just keep coming back from the dead, like Saint Lazarus.” The hacker group also stands out from the rest of the crowd in another way. “The Lazarus Group, or TraderTraitor as they are being called by the FBI, is a shorthand for North Korean government hackers,” explains White. “These are full-time state employees with all the resources of state-backed hackers… Now of course any nation worth its salt has hackers, but other countries’ hackers aren’t being accused of stealing more than a billion dollars in crypto.”

The Bybit heist isn’t the Lazarus Group’s first rodeo. Over the last ten years, North Korea has been accused of carrying out numerous for-profit hacks. A report by Chainalysis, a cryptocurrency compliance and investigation company, found that North Korean hackers stole $1.3 billion in crypto in 2024, up from $660 million in 2023.

Yet despite the huge sums involved White says relatively little attention has been paid to the Bybit heist by the media and public. “I think the reason for this is that people think that cryptocurrency is ‘funny money’ and the only people affected are spivs and speculators, so it doesn’t really matter because it’s not real money,” he says. “But that’s not the case anymore, crypto is no longer a niche game.” In the UK 12 percent of people own crypto and in the US more than 20 percent do. Additionally, pension funds in both countries are also starting to dabble in crypto, particularly Bitcoin and Ether, meaning that hundreds of thousands of people may have a stake in digital currency without even being aware of it.

People should also be concerned with what the stolen crypto is being used for, warns White. North Korea is under the world’s harshest sanction regime, imposed in a bid to force the country to end its nuclear and ballistic missile development programme. At least some of the bounty undoubtedly gets spent on these weapons, says White: “The crypto gets converted into real money and that is used to finance nuclear technology and information, missile parts and so on… and that has the potential to destabilise the region and indeed the world.”

North Korea’s pariah state status, as well as the huge dividends paid by the heists, make it hard to deter its use of for-profit hacks. “North Korea is desperate for revenue. It’s under so many sanctions, it’s hard to see what there is left that could be further sanctioned. North Korea can’t access international banking systems and it basically can’t trade,” says White. “The UK or US government can accuse North Korea of carrying out these hacks. The FBI have even named real North Korean individuals in indictments. But what are they actually going to do about it? They can’t arrest these people. There is nothing left to sanction and that’s why, I think, North Korea can carry out these hacks so brazenly – it doesn’t have much left to lose.”

With governments unable to do much more to stop North Korea from carrying out hacks, the onus is on companies to beef up their cybersecurity. “Cryptocurrency companies are particularly vulnerable because a lot of what they do is on public display,” says White. “With Bybit, for example, you can look at its internal wallets and you can see the balance and the transaction amounts that are going in and out. It’s very different from a regular bank or currency exchange which, of course, don’t have a real-time video of their vaults showing all the currency and gold in them. The reason crypto companies do this is because there’s a lot of BS in the crypto world so they want to reassure customers. Bybit can say: ‘Look, check our wallet, there’s billions in there, you can see it, we’re legit!’ But it’s also a big advantage for hackers. They can see which wallets make big transfers. They just need to figure out how to get in.”

In the case of Bybit, although the company’s funds were the target, the hackers actually attacked Safe Wallet, a third-party storage platform being used by the crypto exchange. “They [the hackers] found software developers working at Safe, you can find this just by searching LinkedIn, and they managed to trick one into downloading what they thought was a trading app. That was all it took.” The app was in fact malicious software allowing the hackers to access the employee’s work laptop and to recode Safe’s software. As a result when Zhou and Bybit’s other co-signers logged on to approve the $1.5 billion transaction via Safe everything looked normal at their end, but behind the scenes the hackers had hijacked the code to redirect the transfer.

Stealing the money is only half of the job, however. “The big challenge that anyone faces when they make big amounts of money out of organised crime is what to do with it,” says White. “Where do you go with $1.5 billion worth of hot crypto? You can’t just go to a legit, normal exchange.” Moreover, because the movement of crypto is visible via blockchain, a publicly available ledger, it’s easy to track. “It’s like having fluorescent bank notes that are visible from outer space,” White says. “So what the hackers did with the Bybit haul is subdivide it and send it out to multiple wallets and then send it back to a few wallets and this process was repeated over and over. Because cryptocurrency is virtual you can break it into smaller and smaller fragments unlike physical money where there is a lowest value note or coin,” says White. “The idea here isn’t to make the crypto untraceable, because crypto is always traceable, but rather to make tracking it such an arduous task that it is virtually impossible to trace it, to flummox investigators by overwhelming them with leads.”

Although Bybit offered ten percent reward money to crypto bounty hunters who tracked down and reported the stolen funds, to date only around $40 million – less than three percent of the stolen amount – is believed to have been located and frozen. Another $300 million has already ‘gone dark’, meaning it has been converted to unrecoverable funds.

“The vast majority of this money, about $1.2 billion, is still out there in the wild, gradually being sold off,” says White. “In a way it’s kind of a dissatisfying ending. I mean what you really want is the closing shot with Kim Jong-Un rolling around in a bed of bank notes or whatever. But the truth is that it gets very, very gradually washed in lots and lots of tiny transactions… Maybe it’ll take two years and maybe they only get back $700 million or $800 million, I don’t know exactly, but it’s still a ton of money.”

Meanwhile experts warn that the Lazarus Group’s hacks are only becoming more audacious. “With a single hack, North Korea has taken more than the total amount they stole last year,” says White. “They’ve surpassed the billion-dollar threshold.... What this shows is that they are not only able to pull off these thefts but they’re on an upward trajectory, there’s an evolution in how much money they are able to get away with. If this continues how much will they be making ten years from now? Tens of billions? Hundreds of billions?”

Delayed Gratification is the world’s first slow journalism magazine. It’s a beautiful quarterly publication which revisits the events of the last three months to offer in-depth, independent journalism in an increasingly frantic world.

Harriet Salem is the editor-at-large for Delayed Gratification magazine. She has more than a decade of experience reporting from Africa, the Middle East and Europe. These days Harriet focuses on long-form writing, covering topics ranging from farmed rhinos, to the mob secrets being revealed by climate change in Nevada. You can see more of Harriet’s stories on the Delayed Gratification blog.

Oliver Li is a Shanghai-born illustrator based in the UK. A graduate of the University of Plymouth, he works across editorial, advertising, and publishing. His favourite topics include nature, food, community, science, and technology, rendered in vibrant, emotive visuals that blend warmth with soft, thoughtful details.
