The plan started quietly. Somewhere, a Lazarus Group operator opened a laptop and went to work, not on Bybit itself but on the software Bybit's signers trusted. They didn't rush. This wasn't smash-and-grab. It was patient work.
By February 2025, they were ready. The FBI tracks this crew as TraderTraitor; Mandiant calls the regime's heist unit APT38. Analysts know them as the most disciplined thieves on the blockchain. North Korea knows them as a funding pipeline for weapons programs.
Their target was Bybit, a major cryptocurrency exchange moving billions in trades every week. On the surface, it was secure: cold storage, a multisig wallet, several executives required to approve every transfer. The weakness was not the keys. It was what the signers saw on their screens when they approved a transaction. Lazarus knew where to press.
They began with the supply chain, compromising a developer at Safe{Wallet}, the multisig interface Bybit's signers used, and planting malicious JavaScript in the web app it served. The code was written to trigger only for Bybit's wallet. Then, during a routine transfer from cold to warm storage, it showed the signers an ordinary-looking transfer while the payload they actually signed was a delegatecall that swapped the wallet's contract logic for the attacker's. The signers never saw the difference, because they signed what the interface told them they were signing.
When they struck, it was clean. Around $1.5 billion in crypto left the cold wallet on February 21 in a single approved transaction: roughly 401,000 ETH plus liquid-staked ETH tokens. No Bitcoin was involved. Within hours, the funds were split across dozens of wallets, swapped across chains, and washed through cross-chain bridges and mixing services.
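The check that catches this class of attack is the one the signers' tooling did not force them to make: compare the raw payload reaching the signing device against what the web interface claims, and refuse anything that is not a plain transfer to a known destination. The script below is an added example, not code from Bybit or Safe. Field names follow Safe's execTransaction(to, value, data, operation, ...) convention, where operation 0 is CALL and 1 is DELEGATECALL; every address, amount and allow-list entry is constructed for illustration.

```python
"""Sign-time policy check for a Safe-style multisig transaction.

Added example, not Bybit's or Safe's code. Field names follow Safe's
execTransaction(to, value, data, operation, ...): operation 0 = CALL,
1 = DELEGATECALL. All addresses, amounts and allow-lists are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
ERC20_TRANSFER_SELECTOR = "a9059cbb"   # first 4 bytes of keccak256("transfer(address,uint256)")

# Assumed allow-list (constructed): the exchange's warm wallet and the tokens it moves.
WARM_WALLET = "0x" + "11" * 20
STETH_TOKEN = "0x" + "22" * 20
ALLOWED_DESTINATIONS = {WARM_WALLET}
ALLOWED_TOKENS = {STETH_TOKEN}


@dataclass(frozen=True)
class SafeTx:
    to: str
    value: int        # wei
    data: str         # hex calldata without 0x; "" for a plain native transfer
    operation: int    # CALL or DELEGATECALL


def _addr(word: str) -> str:
    """Last 20 bytes of a 32-byte ABI word as a lowercase 0x address."""
    return "0x" + word[-40:].lower()


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if calldata is a bare ERC-20 transfer, else None."""
    if len(data) != 8 + 64 + 64 or data[:8].lower() != ERC20_TRANSFER_SELECTOR:
        return None
    return _addr(data[8:72]), int(data[72:136], 16)


def policy_violations(tx: SafeTx) -> list[str]:
    """Rules applied to the raw payload, independent of anything the UI renders."""
    problems: list[str] = []
    if tx.operation == DELEGATECALL:
        problems.append("operation is DELEGATECALL: callee runs in the wallet's "
                        "storage context and can replace the wallet's logic")
    elif tx.operation != CALL:
        problems.append(f"unknown operation {tx.operation}")
    to = tx.to.lower()
    if tx.data == "":
        if to not in ALLOWED_DESTINATIONS:
            problems.append(f"native transfer to non-allow-listed address {tx.to}")
    else:
        transfer = decode_erc20_transfer(tx.data)
        if transfer is None:
            problems.append("calldata is not a bare ERC-20 transfer")
        else:
            recipient, _amount = transfer
            if to not in ALLOWED_TOKENS:
                problems.append(f"call to non-allow-listed contract {tx.to}")
            if recipient not in ALLOWED_DESTINATIONS:
                problems.append(f"token recipient {recipient} is not allow-listed")
    return problems


def ui_matches_raw(displayed: dict, raw: SafeTx) -> bool:
    """Cross-check the summary the web UI shows against the payload on the signing device."""
    return (displayed["to"].lower() == raw.to.lower()
            and displayed["value"] == raw.value
            and displayed["operation"] == raw.operation
            and displayed["data"].lower() == raw.data.lower())


def check_before_signing(displayed: dict, raw: SafeTx) -> list[str]:
    """Empty list means sign; anything else means stop and investigate."""
    problems = policy_violations(raw)
    if not ui_matches_raw(displayed, raw):
        problems.insert(0, "UI summary does not match the raw payload: do not sign")
    return problems


# Constructed sample 1: a routine cold-to-warm stETH transfer of 1000 tokens.
BENIGN = SafeTx(
    to=STETH_TOKEN, value=0, operation=CALL,
    data=ERC20_TRANSFER_SELECTOR + WARM_WALLET[2:].rjust(64, "0") + format(10**21, "064x"),
)

# What an honest interface shows for that transfer.
DISPLAYED = {"to": STETH_TOKEN, "value": 0, "operation": CALL, "data": BENIGN.data}

# Constructed sample 2: a tampered interface keeps showing DISPLAYED, but the
# payload handed to the signer is a delegatecall to an attacker contract.
ATTACKER_CONTRACT = "0x" + "de" * 20
TAMPERED = SafeTx(to=ATTACKER_CONTRACT, value=0, data="deadbeef" + "0" * 64,
                  operation=DELEGATECALL)

if __name__ == "__main__":
    print("benign:  ", check_before_signing(DISPLAYED, BENIGN) or "ok to sign")
    print("tampered:", check_before_signing(DISPLAYED, TAMPERED))
```

The point of the split into two functions is that the policy check alone is not enough: a signer who only validates the UI summary is validating attacker-controlled output. The raw payload has to come from somewhere the web app cannot rewrite, such as the hardware wallet's own display or a second, independently built client, and both the mismatch test and the rules run on that.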
Bybit did not freeze withdrawals. It kept them open, cleared hundreds of thousands of requests within a day, and covered the hole with emergency loans from other firms. The FBI and Chainalysis were already chasing the trail. Tracking Lazarus is like following a drop of ink in a river. You see it for a moment before it disappears.
This wasn't their first time. In 2016, they showed the same patience inside the Bangladesh Bank, sitting in its network for months before pushing $81 million out over SWIFT. That job made them famous in the underground. This one made them richer than ever.
Somewhere, the team is counting wallets instead of bills. Moving funds like pieces on a board they’ve mastered. And the rest of the world is left asking how $1.5 billion can vanish without a single gunshot.
In the digital age, a compromised signing interface can be more dangerous than a loaded weapon. And the Lazarus Group knows exactly how to pull the trigger.