North Korea Hackers Steal $1.5bn Crypto
The Bybit hack represented a new high-water mark for the Lazarus Group, ushering in a dangerous new era for Asia’s digital finance ecosystem
Bybit Hack & Asia’s Growing Cybercrime Threat
The Incident
· Date & Scale: On Feb. 21, 2025, hackers stole nearly US$1.5 billion from Bybit — ~70% of all global stolen digital assets in H1 2025.
· Perpetrators: Likely North Korea’s Lazarus Group, a state-sponsored hacking collective.
· Significance: Marks a leap in technical sophistication and global reach of North Korean cyber operations.
Implications
· Funds believed to finance North Korea’s arms and nuclear programs, raising international security concerns.
· Demonstrates vulnerabilities in Asia’s digital and crypto ecosystems.
· North Korea increasingly relies on crypto theft due to sanctions choking other revenue streams.
Regional Cybercrime Trends
· Hotspots: Cambodia, Myanmar, Laos — hubs for scams, money laundering, and illicit crypto flows.
· Stats: Global illicit cyber transactions in 2024 reached US$51B.
· Rise in “wrench attacks” — physical violence/kidnapping to force victims to hand over crypto.
Notable Past Cases
· 2016 Bangladesh Bank heist (US$81M stolen).
· 2024 WazirX breach (US$235M stolen, led to closure).
Escalating Threat
· 2025 pace of losses: US$2B stolen in 142 days, faster than any previous year; could exceed US$4.3B by year-end.
· Bitcoin theft is surging as asset values hit record highs (BTC > US$123,000).
Defensive Measures & Challenges
· Tech tools: Blockchain analytics, real-time monitoring, AI for scam detection.
· Barriers: Political protection of criminals in some states, cross-border laundering networks, lack of coordinated enforcement.
· Risks: Potential regulatory backlash could stifle crypto innovation.
Recommended Actions
· Stronger regional & international cooperation.
· Joint intelligence-sharing and harmonised regulations.
· Targeted sanctions and “harm minimisation” strategies.
· Complement AI tools with human intelligence and policy reforms.
It began, as so many epochal crimes do, with a single breach. But by the time the dust had settled on the Bybit hack, nearly US$1.5 billion in digital assets had vanished, exposing not just the vulnerabilities of Asia’s fledgling crypto markets but the growing reach of North Korea’s cyber operatives.
The hack on February 21 represented a quantum leap in the scale and sophistication of cyber operations emanating from North Korea, according to a report released last month by American blockchain analysis firm Chainalysis.
It accounted for nearly 70 per cent of all stolen digital assets globally in the first half of 2025 – laying bare the widening security cracks in Asia’s digital ecosystem and signalling the arrival of a new era of cybercrime that is increasingly targeting victims around the globe, from Bybit’s Dubai headquarters to the United States and beyond.
Last year, North Korea-linked cybercriminals were responsible for an estimated US$1.3 billion in losses, then the highest figure on record. But this year is shaping up to be even worse for the victims, with Pyongyang’s state-sponsored hackers on track to reap even greater illicit rewards, according to the Chainalysis report.
Experts warn that the sheer size of the Bybit heist is not the most alarming element. The degree of technical proficiency, coupled with clear signs of state involvement, has raised concerns that the stolen funds are being funnelled directly into North Korea’s arms and weapons programmes, fuelling instability far beyond the digital realm.
“While North Korea typically doesn’t claim responsibility for these cyber exploits, extensive evidence has linked them to sophisticated hacking groups like the Lazarus Group,” Diederik van Wersch, regional director for Asean at Chainalysis, told This Week in Asia.
The Lazarus Group, a shadowy collective of state-sponsored cybercriminals infamous for siphoning off billions from the cryptocurrency industry, is thought to be behind the Bybit hack. The group’s modus operandi? Exploiting security vulnerabilities in order to finance the North Korean regime by employing complex laundering methods to obscure the trail of stolen funds.
“These aren’t merely cybersecurity incidents, they represent significant national security concerns,” van Wersch warned. “The UN has confirmed that North Korea uses these stolen funds to finance its weapons programmes, making these attacks a direct threat to international security.”
The United States and its allies have repeatedly accused Pyongyang of using cyberattacks to fund its military and nuclear ambitions.
Pyongyang has never officially acknowledged any connection to the Lazarus Group, but it is believed to be unique in its state-directed quest for financial gain through hacking. Its operations, which include advanced social engineering and the infiltration of crypto platforms via compromised IT staff, have set a new standard for financial cybercrime.
Asia: cybercrime epicentre?
The dangers are not confined to any one country. Southeast Asia – Cambodia, Myanmar and Laos, in particular – has now become a global hub for cybercrime, cybersecurity experts say, driven by a toxic mix of weak rule of law, authoritarian protection and economic desperation.
International sanctions and the closure of criminal platforms such as Russia’s Garantex and Cambodia-based Huione Guarantee have barely made a dent in the volume of illicit cyber transactions, which Chainalysis estimates hit US$51 billion worldwide in 2024 alone.
Against this backdrop, North Korea’s relentless focus on cryptocurrency theft had been propelled by US-led sanctions strangling its other revenue streams, said Anndy Lian, a Singapore-based intergovernmental blockchain adviser.
“It seems likely that this phenomenon could inspire other countries, particularly those facing political instability or sanctions, to engage in similar activities,” he said. “However, replicating North Korea’s capabilities requires significant investment in cyber infrastructure and expertise, which may be challenging.”
Research suggests that while North Korea leverages a mixture of services to launder its gains, other nations that lack its technical sophistication would indeed struggle to emulate its success.
The technical prowess of Pyongyang’s hackers was now such that it allowed them to “target even well-versed cybersecurity professionals”, Lian said, adding that their increasingly elaborate laundering networks complicated the recovery of stolen assets.
In Asia’s other cybercrime hotspots, such as Myanmar and Cambodia, the focus has tended to be more on scamming and money laundering, but this threat matrix now appears to be evolving.
According to Chainalysis, 2025 has seen a marked expansion of cybercriminal activities: more laundering, larger cross-border networks and a disturbing rise in physical violence.
‘Wrench attacks’
For the hackers’ victims the pain can be both financial and physical. Chainalysis in its report described a “particularly disturbing subset” of recent thefts known as “wrench attacks”.
Far less sophisticated than the image of an invisible hand picking the digital pockets of unsuspecting crypto adopters, these actual assaults rely on violence and threats of force to extract assets from victims.
The kidnapping and murder of Chinese-Filipino tycoon Anson Que, former CEO of Ellison Steel, earlier this year provided a chilling example of these so-called wrench attacks in action. Investigators believe his death was linked to ransom payments laundered through casino gaming and digital shell accounts to obscure the money trail.
Meanwhile, Asia’s digital boom has in many ways made it a magnet for cybercriminals. Japan, Indonesia and South Korea now rank among the world’s leading victims of stolen digital funds, reflecting not only their increasing adoption of crypto but also their exposure to North Korean hackers – with the infamous 2016 Bank of Bangladesh cyber heist being an early and illuminating case in point.
That US$81 million theft from the bank’s account at the Federal Reserve Bank of New York was one of the largest cyber heists ever recorded at the time. The attack, attributed to the Lazarus Group, was ultimately traced back to servers in the Philippines, where much of the stolen money was laundered through casinos.
A decade on and the “velocity and consistency” continues to grow exponentially, Chainalysis warns. It took hackers just 142 days this year to surpass the US$2 billion mark in global losses, compared to 214 days in 2022. At this rate, total losses could exceed US$4.3 billion by year’s end, the report warned.
The soaring prices of cryptocurrencies and other digital tokens have only made things worse. Bitcoin, for example, hit an all-time high of more than US$123,000 last month, buoyed in part by favourable signals from US President Donald Trump’s administration and a growing global appetite for crypto assets.
Chainalysis data shows that attackers are now deliberately targeting high-value individual wallets, with bitcoin theft accounting for a disproportionate share of losses. As asset values rise, the incentive for thieves grows ever larger.
“The current crypto market momentum also presents increased opportunities for attackers,” van Wersch said, adding that the liquidity and cross-border nature of digital tokens made them especially attractive targets.
Experts warn that advanced economies such as South Korea and Japan are especially exposed to hacks due to their proximity to North Korean actors and their thriving crypto markets, while emerging economies like Indonesia are also at risk as digital finance gains in popularity.
“Geopolitical tensions may motivate North Korea to target these nations, as seen in reports linking attacks to historical adversaries,” Lian said of Japan and South Korea.
Building smarter defences
Amid the surge in cybercrime, there are signs of hope. Advances in tracing cryptocurrency transactions now allow for near-instant tracking of funds and the transparency of blockchain technology provides some measure of visibility into illicit flows.
“As jurisdictions like Hong Kong move forward with progressive stablecoin legislation, the focus should be on building robust security alongside innovation,” van Wersch said.
“The key is implementing sophisticated real-time threat monitoring systems and leveraging advanced blockchain analytics that can help prevent attacks before they occur.”
Real-time monitoring and predictive technologies are set to become indispensable, as hackers probe for vulnerabilities across the region’s digital infrastructure. Crypto exchanges, in turn, must demonstrate to regulators and users alike that they can safeguard funds against increasingly resourceful adversaries, according to van Wersch.
Jake Sims, founding partner of Operation Shamrock – a global coalition working to disrupt Southeast Asian cybercrime networks – stressed the complexity of taking on state-linked actors, as well as the risks of financial contagion.
“The use of crypto for laundering cyber-scam proceeds certainly erodes public and regulatory confidence in digital assets,” he said. “Unresolved enforcement gaps in Southeast Asia risk contaminating broader digital finance ecosystems.”
Earlier this year, Hong Kong was ranked as the second-most crypto-friendly city in the world, behind only the Slovenian capital of Ljubljana, by migration platform Multipolitan.
Regional rival Singapore, meanwhile, was recently named as one of the most crypto-obsessed countries globally, after research from digital asset exchanges ApeX Protocol and Taurex found nearly one in four Singaporeans owned cryptocurrency in 2024.
Recent high-profile attacks have exposed the urgency with which robust defences need to be built. In July last year, US$235 million was stolen from Indian crypto exchange WazirX by North Korean hackers masquerading as legitimate users – a breach that ultimately led to the closure of the platform and a restructuring plan by its Singapore-based parent Zettai.
Lian said such incidents had exposed persistent weaknesses in the security of even major exchanges and risked provoking a regulatory backlash that could stifle digital innovation.
Hong Kong, which has spent years steadily building a regulatory framework for virtual assets, has so far licensed 10 virtual asset trading platforms including New York-based Bullish, which in February became the first international crypto exchange to gain approval in the city.
Experts are now calling for regional and international cooperation, from establishing intelligence-sharing platforms to harmonising cryptocurrency regulation, to help reduce risks.
Joint efforts under the aegis of the United Nations might exert much-needed diplomatic pressure, Lian suggested, while targeted sanctions could help stem the tide of cybercrimes.
A “harm minimisation approach” targeting revenue streams and increasing reputational costs and legal expenses for jurisdictions that host cybercriminals was another option, Sims said.
Regulators needed to strengthen both domestic security and cross-border collaboration, he argued, possibly through task forces operating outside the Association of Southeast Asian Nations.
“A subregional task force outside formal Asean structures may actually be more effective for constraining harms emerging in high-risk contexts, like Cambodia where political will is lacking,” Sims said.
Despite differing international treatment, Sims said that North Korea and Cambodia shared “significant similarities … in terms of the degree of consolidated coercive power, the degree of state involvement in criminal activity, and the global reach of state-embedded criminal industries”.
The recent border conflict with Thailand could also lead “Cambodia’s scam-invested elite to look away from the Thai border as they evaluate new locations”, he said. “But it is important to note that scam compounds in Cambodia are everywhere.”
So what of Asia’s digital future? While new tools built using artificial intelligence can flag scam scripts and analyse transaction patterns for signs of deep-faked identities, Sims cautioned that technology alone was insufficient to combat cybercrime.
“These tools will need to be complemented by human intelligence, as well as policy reforms and enforcement mechanisms,” he said. “Without political will and cross-border cooperation, AI and other technological interventions will only offer partial mitigation.”
For now, it would seem that no one is immune. The Bybit hack may have set a new record, but it is unlikely to be the last. Asia’s digital future will depend on what happens next.