Isn't it funny? - North Korea steals $1.5bn as it pulls off world’s biggest ever heist


North Korean leader Kim Jong-un props up his hermit kingdom with funds gained through state-backed cyber attacks

State-backed North Korean hackers have stolen $1.5bn (£1.2bn) of cryptocurrency in the largest heist in history.

Agents from Pyongyang were able to breach the systems of Dubai-based exchange Bybit to steal the digital coin Ether, according to security analysts.

The hackers stole more cryptocurrency in one attack than all the funds stolen by North Korean cyber criminals in 2024, when the rogue state’s cyber attackers made off with around $1.3bn in digital coins, according to cryptocurrency analysts Chainalysis.

The $1.5bn total eclipses the largest known bank theft of all time, when Saddam Hussein stole $1bn from the Iraqi central bank ahead of the Iraq War in 2003.

The record haul comes as Kim Jong-un, North Korea’s supreme leader, turns to elite units of computer hackers to prop up the Communist dictatorship’s failing economy.

Chainalysis said the attack served as a “stark reminder” of the advanced tactics employed by the country’s hackers. As well as technical skills, North Korean hackers are adept at what is known as “social engineering”: manipulating people to do what they want in order to pave the way for a heist.

This can involve developing relationships with targets over email and digital chats, sometimes over a period of months.

Cyber security experts believe North Korea’s notorious Lazarus Group are the masterminds behind the latest attack. The group has terrorised Western businesses for more than a decade with a series of cyber breaches that have caused billions of dollars in losses.

Elliptic, a cryptocurrency analysis business, said the hacking group was the “most sophisticated and well-resourced launderer of cryptoassets in existence”.

The group is believed to be part of North Korea’s intelligence agency, the Reconnaissance General Bureau. It has been linked to past attacks including the hack of Sony in 2014, when the group leaked private emails from executives in an attempt to block the release of the comedy film The Interview, which lampooned North Korea’s supreme leader.

North Korean threats and cyber attacks resulted in Sony cancelling the theatrical release of the 2014 film The Interview

Lazarus Group has also been blamed for a near-$1bn heist from a Bangladeshi bank in 2016 and the global WannaCry cyber attack, which knocked hundreds of thousands of computers offline with damaging ransomware, including NHS systems.

While Pyongyang once relied on its elite hacking cadres to conduct espionage or steal trade secrets, increasingly they have been employed as a weapon of economic warfare to bolster the coffers of the heavily sanctioned regime.

“North Korea started using cyber attacks for espionage, stealing R&D and intellectual property,” said Rafe Pilling, of the cyber security company Secureworks. “Subsequently, they have really capitalised on it as a source of revenue.”

A Soviet-style focus on science and technology has created a “whole education pipeline” for future cyber experts, said Mr Pilling. North Korean science prodigies are identified from a young age, before being pushed to compete in international maths and programming competitions.

The country’s hackers are prolific. In 2024, they made off with approximately 61pc of the $2.2bn of cryptocurrency stolen globally, according to Chainalysis. Including last week’s attack, North Korean hackers have stolen upwards of $6bn in cryptocurrency over the last decade.

The thefts offer a substantial boost to the nation’s beleaguered economy and help support its military spending, including its ballistic missile programme. North Korea’s GDP is estimated at just $28bn and it is heavily reliant on agriculture and trade with its main ally, China.

North Korea’s ballistic missile programme has been funded by the country’s theft of cryptocurrency

While most members of Lazarus Group are unknown, the US has issued indictments against several North Korean military figures it believes are linked to the group.

North Korea relies on a range of hacking techniques, from uncovering so-called “zero day” hacks, which use previously unknown flaws to break into IT systems, to using fake remote-working contractors to infiltrate US companies.

Cryptocurrency analysis companies including Arkham Intelligence and Elliptic identified Lazarus Group as the likely Bybit hackers. Researchers were able to trace the digital wallets that were used by the hackers to quickly launder their funds, which are recorded on the “blockchain” technology used by the cryptocurrency industry.

Some of the funds moved through wallets believed to be associated with past North Korean hacking attacks. TRM, a cyber security company, said there were “substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts”.

The North Korean hackers were able to steal the huge crypto haul through a multi-layered and long-planned attack, according to Chainalysis. Hackers gained access to Bybit’s internal systems using a so-called “phishing” email, which prompted an employee to input their login details to a seemingly legitimate website that was actually compromised.

The hackers were then able to gain access to a so-called “cold wallet” – a supposedly secure cryptocurrency storage device that holds coins offline and away from the internet. When Bybit came to transfer funds from the offline wallet to its online systems, the hackers sabotaged the transfer and stole the funds.

Within minutes the hackers had fed them through a series of other wallets and digital currency exchanges, attempting to obscure their origin by trading them for other coins or passing them through trading houses with no customer checks.

The nature of the cryptocurrency industry, which is virtually unregulated, has made it a haven for cyber attackers to launder funds. Chainalysis said it had worked with exchanges to freeze $40m in funds stolen from Bybit, but far more remained unaccounted for.

North Korea’s hackers are showing no signs of slowing down. According to Chainalysis, its attackers are getting “better and faster at massive exploits”.

North Korea’s cyber prowess allows it to be a “major player even if in the real world they are highly isolated,” Mr Pilling said.

Bybit has said it has “more than enough” assets to cover its losses and insisted the hack was an “isolated incident”.
