North Korean Hacker Group Lazarus Continues to Astound Investigators After Bybit Hack
Mar 17, 2025 at 10:00 pm
Arkham, a blockchain analytics platform, found that Lazarus converted the stolen ETH into Bitcoin after the Bybit hack.
A whopping $1.4 billion was stolen by the North Korean hacker group, Lazarus, in one of the largest cryptocurrency heists in history. The group has become a major sovereign bitcoin holder, ranking third after the US and UK.
The massive haul began with the theft of $800 million from cryptocurrency exchange Bybit, and later expanded with the acquisition of meme coins through Solana-based Pump.fun, aiming to launder the stolen assets.
According to blockchain analytics platform Arkham, the hackers converted the stolen ETH into BTC and currently hold 13,562 BTC, valued at approximately $1.12 billion.
Moreover, the hackers used a decentralized exchange, THORChain, which does not require any identity verification, to further obfuscate the stolen assets.
The group's main target was the Node Package Manager (NPM) ecosystem, where they embedded malware named "BeaverTail" in packages that mimic their legitimate counterparts, using typosquatting techniques to deceive developers.
The integrated malware was designed to steal sensitive data, including credentials and cryptocurrency, and install backdoors, granting persistent access to the compromised systems.
Furthermore, Lazarus Group is known for its sophisticated financial maneuvering, which is evident in their ability to navigate international sanctions effectively.
The North Korean regime is reported to be facing severe economic hardship, with citizens enduring food shortages and energy crises. To mitigate these challenges, the regime has become increasingly reliant on cybercrime to generate revenue.
As reported by TronWeekly, the hackers' main target was the Node Package Manager (NPM) ecosystem, which houses many important JavaScript libraries. They embedded malware named "BeaverTail" in packages that mimic their legitimate counterparts, using typosquatting techniques to fool developers.
"Lazarus hits npm again. Six new malicious packages target developers, stealing credentials and deploying backdoors."
Lazarus Group’s Evolving Cyber Tactics
After the attack, the group even tried to hide the stolen assets through different methods, including using THORChain, a decentralized exchange that does not need any identity verification.
Broadening their attack, Lazarus also launched fake meme coins through Solana-based Pump.fun. Cyber experts have observed how cybercriminals utilized the platform to cover up the source of their stolen money. The exchanged funds were then moved to different exchanges, which makes tracking and detection increasingly challenging.
Noted crypto investigator ZachXBT retained undisclosed to prevent interference, however, ZachXBT validated the release of wallets from analytics tools.