Why do the world’s largest crypto hacks always lead back to Park? From Sony to Bybit, how has he pulled off billion-dollar cyber heists?
Lazarus strikes again
In a shocking incident on 21 February, Bybit, a major cryptocurrency exchange based in Dubai, fell victim to a large-scale cyber attack.
Hackers managed to infiltrate the company’s Ethereum (ETH) cold wallet, making off with about $1.5 billion in digital assets. The incident is now considered the biggest heist in the history of crypto.
The breach was first identified by on-chain analyst ZachXBT, who noticed unusual withdrawals from Bybit accounts.
Bybit CEO Ben Zhou later confirmed that the attackers manipulated a transaction, tricking the wallet signers into approving a transfer to an unauthorized address.
The sophisticated method involved masking the transaction to make it appear valid, bypassing the multi-signature security protocol in place.
Later, blockchain investigators linked the attack to North Korea’s notorious Lazarus Group, a collective known for orchestrating major cyber heists, including the $600 million Ronin Network breach in 2022 and the $234 million WazirX hack in 2024.
Emerging reports suggest that a member of the Lazarus Group, Park Jin Hyok, may be the mastermind behind the Bybit hack.
Hyok is not a new name in the cybercrime world. In 2018, the FBI issued a wanted notice for him, accusing him of being part of a North Korean state-sponsored hacking organization responsible for some of the most damaging computer intrusions in history.
Let us dive into Park Jin Hyok’s background, the operations of the Lazarus Group, the allegations they have faced in the past, and their history of crypto-related hacks over the years.
A hacker raised by the state
Allegedly supported by the North Korean government, the Lazarus Group has carried out some of the most devastating cyber attacks in history, targeting financial institutions and critical infrastructure worldwide.
But behind the group’s faceless operations, one name has repeatedly surfaced: Hyok, a North Korean programmer accused of leading some of the most high-profile cyber heists of the last decade.
The group’s initial attacks focused on espionage, collecting intelligence from military and corporate institutions. Over time, however, the group turned to financial crime, siphoning billions from banks, crypto exchanges and other digital financial platforms.
A significant shift in this evolution came with the emergence of Bluenoroff, a Lazarus subdivision specializing in financial cyber attacks, first identified by cyber security firm Kaspersky Lab.
Researchers linked several high-profile hacks to Bluenoroff and even uncovered a direct IP connection to North Korea. At the same time, they warned that some patterns may be deliberately misleading: false flags designed to frame Pyongyang.
However, Hyok is not a fabricated identity. Despite North Korea’s insistence that he does not exist, he is very real, with a well-documented history within Lazarus and the country’s cyber warfare system.
Hyok, a graduate of Kim Chaek University of Technology in Pyongyang, started his career at Chosun Expo, a government-linked IT company operating in both North Korea and China.
Believed to be a front for state-sponsored cyber operations, the company carried out cyber attacks under the direction of North Korea’s military intelligence unit, Lab 110, and served as a recruitment ground for elite programmers.
Hyok’s name first entered the international spotlight after the infamous Sony Pictures hack in 2014.
The attack, in retaliation for the satirical film The Interview, crippled Sony’s internal network, leaked large amounts of sensitive data, and caused an estimated $35 million in losses.
But it was the 2017 WannaCry ransomware outbreak that cemented both Lazarus’s and Hyok’s reputations as cybercriminal masterminds.
The malware encrypted data on infected computers and demanded crypto payments for decryption keys, wreaking havoc globally.
The impact of the attack was staggering, yet North Korea denied involvement despite heavy evidence linking it to Lazarus.
Since then, the group’s strategy has evolved, shifting more aggressively toward crypto theft, a strategy aligned with North Korea’s increasing dependence on illicit financial operations to evade international sanctions.
The making of a cybercriminal legend
The group’s foray into crypto crime attracted widespread attention in 2017, the same year Park was first recognized as a prominent figure in Lazarus.
That year, a series of cyber attacks on South Korean exchanges drained millions from trading platforms, including the now-defunct Youbit, which was forced into bankruptcy after losing 17% of its assets in a single breach.
Then, in 2018, the group carried out a $530 million theft from the Japanese exchange Coincheck, the largest crypto heist at that time.
Investigators connected the attack to North Korean operators, who used a mixture of phishing operations, social engineering and sophisticated malware to infiltrate Coincheck’s network.
Hyok’s expertise played an important role in developing the malicious software and crafting deceptive digital identities, allowing the attackers to gain access to the private keys for large amounts of NEM tokens.
As its strategy became more sophisticated, Lazarus moved to target blockchain networks directly.
The 2022 Ronin (RON) Network breach, one of the most damaging in crypto history, saw $600 million drained from Axie Infinity (AXS) through a carefully planned social engineering attack.
Hackers took advantage of a weakness in Ronin’s verification system, which was abused to authorize fraudulent transactions, an attack requiring deep technical knowledge, patience and precision, all hallmarks of Park’s expertise.
US officials later confirmed that the stolen funds were laundered through various decentralized protocols before being funneled into North Korea’s financial system.
This trend continued in 2023 and 2024, with Lazarus striking again.
In July 2024, WazirX, one of India’s biggest exchanges, suffered a loss of $234 million in another case of multi-layered deception.
The attackers exploited weaknesses in the exchange’s API permissions, bypassing internal security triggers and gaining unauthorized access to fund transfers.
Blockchain forensic teams traced the stolen assets through a maze of mixing services, with the digital breadcrumbs once again leading to North Korea.
And now, the Bybit hack has revived the same pattern, this time on an even more massive scale.
The world is losing the cyber war, and Hyok knows it
The Lazarus Group’s cyber warfare has evolved into a well-orchestrated playbook that blends deception, infiltration and precise laundering.
Their ability to weaponize human psychology has been one of their most valuable advantages, allowing them to bypass even the most sophisticated security measures. And as recent data shows, they are only getting more efficient at their craft.
According to Chainalysis, hackers associated with North Korea stole $660.50 million in 2023.
In 2024, the amount stolen rose to $1.34 billion across 47 incidents, an increase of more than 102%. These figures account for 61% of all crypto stolen that year, and the Lazarus Group was responsible for almost all major heists above $100 million.
Now, in just two months of 2025, they have already surpassed their 2024 total, with the Bybit hack alone accounting for $1.5 billion.
The group’s operations begin long before a breach. Over the years, North Korean IT workers have systematically embedded themselves in crypto and Web3 companies, using fake identities, third-party recruiters and remote job opportunities to gain access as insiders.
In 2024, the US Department of Justice indicted 14 North Korean citizens who had obtained employment at American firms and stole more than $88 million by misusing proprietary information and exploiting their positions.
These operators act as silent insiders, providing Lazarus with intelligence on exchange security protocols, wallet structures, and internal transaction flows.
Once embedded, Lazarus executes its attacks through social engineering, phishing and technical exploits. Employees are targeted with carefully crafted emails that impersonate trusted institutions to extract sensitive login credentials.
The Bybit hack followed a similar pattern, in which the attackers tricked the exchange’s multisig signers into authorizing malicious transactions by disguising them as routine approvals.
Once the funds are stolen, they are quickly moved through a network of decentralized exchanges, privacy wallets, Tornado Cash (TORN), and cross-chain bridges.
These transactions rapidly shuffle assets across various blockchains, making it difficult for investigators to trace them back to their original source.
Typically, stolen crypto is converted several times between Bitcoin (BTC), Ethereum, and stablecoins before eventually reaching a wallet controlled by North Korean operators.
Some of these assets appear to be funneled through legitimate crypto trading firms, further obscuring their origin and allowing the regime to convert digital assets into hard currency, an important workaround for international sanctions.
And through all this, Park stands at the center of almost every major Lazarus operation. Whether he is the architect of these heists or one of the group’s most skilled operators, his fingerprints are everywhere.
With the playbook refined in the Bybit attack, the real question is not how they pulled it off, but how long the world can hold out before the next billion disappears into the digital void.