North Korean Hacking Group Steals 2 Trillion KRW in Ethereum — Using Signature Forgery
The global crypto community was rocked by shocking news: 2 trillion KRW (1.46 billion USD) worth of Ethereum (ETH) was stolen from Bybit, the world’s third-largest crypto exchange.
The perpetrator? Allegedly, Lazarus, the notorious North Korean hacking group operating under the Reconnaissance General Bureau.
This incident, involving a supposedly “safe” cold wallet, has sent alarm bells throughout the crypto industry. 🔥

🕵️ How Did the Hackers Steal from Cold Wallets?
Until now, cold wallets — offline wallets not connected to the internet — were considered the gold standard for securing crypto assets. However, the Bybit hack shattered this assumption.
✍️ Forged Signature Technique
Bybit revealed that the attack exploited a method called signature forgery:
- The transaction interface appeared normal.
- In reality, the internal logic of the smart contract was tampered with.
- Hackers manipulated the signature interface to make fraudulent transactions seem legitimate.
Even though Bybit employed multi-signature (multi-sig) security and used Safe (a multi-sig smart contract system), the manipulation of the URL and the internal smart contract code allowed hackers to bypass verification processes.
Participants, accustomed to routine transaction procedures, failed to properly verify the hidden code changes during the transaction signing process.
🔥 Lazarus Group: The Suspected Mastermind
Leading on-chain analysts, including ZachXBT, and blockchain research firm TRM Labs linked the attack to North Korea’s Lazarus Group based on:
- Overlapping hacker wallet addresses.
- Past transaction patterns matching Lazarus operations.
According to TRM Labs, one-third of all global crypto thefts last year were attributed to North Korean hackers.
The Korea Development Institute (KDI) also pointed out that North Korea exploits stolen cryptocurrencies for:
- Money laundering operations.
- Funding intelligence and cyber warfare activities.
🧠 Fact: North Korean hacking groups such as Lazarus, Citrine Sleet, and Andariel are all controlled by the Reconnaissance General Bureau.
⚡ Even Multi-Sig Cold Wallets Aren’t Safe?
Park Se-jun, CEO of cybersecurity firm Theori, emphasized:
- Multi-signature wallets can still be exploited if transaction processes are manipulated.
- Signature verification must be manually double-checked, even in systems involving multiple approvers.
Quote: “Even the approval process involving multiple people can be exploited by hackers. No cold wallet system is 100% safe.”
📎 Other Threats from North Korean Hackers
The Lazarus-affiliated groups employ a wide range of cyberattack methods beyond just hacking cold wallets:
- Phishing scams using fake cryptocurrency platforms and job application forms.
- Distribution of malware-infected cryptocurrency wallet apps and trading apps.
- Zero-day vulnerability exploits, as seen in a 2023 incident in which Citrine Sleet used a then-unknown flaw in Google Chrome.
Microsoft’s report also revealed that Citrine Sleet used a self-developed Trojan named AppleJeus, which:
- Infects the target’s device.
- Collects sensitive information needed to access and control cryptocurrency assets.
🔔 Security Tip: Always update browsers like Chrome to the latest version to stay protected against zero-day attacks.
🛡️ How to Protect Yourself from Crypto Hacks
Given the increasing sophistication of cyberattacks:
- Regularly update security software and browsers.
- Always verify transaction signatures carefully.
- Never blindly trust familiar-looking interfaces or URLs.
- Avoid downloading suspicious compressed files or clicking on unfamiliar links.
- Use hardware wallets with independent display screens for signature verification.
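The signature-forgery section above describes signers approving a payload whose real effect differed from what the interface showed, and the tips above ask signers to verify what they sign rather than trust the interface. The following is an added example (not code from the article, from Bybit, or from the Safe project) of that check: decode the raw Safe `execTransaction` calldata independently of any web interface and apply a simple signing policy before approving. The sample payloads are constructed here for illustration; the selector value is Safe's real `execTransaction` selector, and the policy rules are assumptions.

```python
# Added example: independent "what you sign is what you see" check for a
# Safe execTransaction payload. Nothing here trusts the signing web page;
# the calldata bytes themselves are decoded and judged against a policy.

EXEC_TRANSACTION_SELECTOR = "6a761202"  # execTransaction(address,uint256,bytes,uint8,...)
OPERATION_CALL, OPERATION_DELEGATECALL = 0, 1


def _word(n: int) -> bytes:
    """Encode an integer as one 32-byte big-endian ABI word."""
    return n.to_bytes(32, "big")


def build_calldata(to: str, value: int, inner: bytes, operation: int) -> str:
    """ABI-encode execTransaction(to, value, data, operation, 0,0,0,0,0, '') (constructed sample)."""
    pad = (-len(inner)) % 32
    data_off = 10 * 32                      # dynamic `data` follows the 10-word head
    sig_off = data_off + 32 + len(inner) + pad
    head = (_word(int(to, 16)) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) * 5 + _word(sig_off))  # gas fields, gasToken, refundReceiver = 0
    tail = _word(len(inner)) + inner + b"\0" * pad + _word(0)  # empty signatures
    return "0x" + EXEC_TRANSACTION_SELECTOR + (head + tail).hex()


def decode_exec_transaction(calldata_hex: str) -> dict:
    """Decode to, value, operation and inner data straight from the calldata bytes."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if data[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = data[4:]

    def word(i: int) -> bytes:
        return args[32 * i:32 * (i + 1)]

    data_off = int.from_bytes(word(2), "big")   # offset of the dynamic `data` arg
    length = int.from_bytes(args[data_off:data_off + 32], "big")
    return {
        "to": "0x" + word(0)[12:].hex(),        # address is right-aligned in the word
        "value": int.from_bytes(word(1), "big"),
        "operation": int.from_bytes(word(3), "big"),
        "data": args[data_off + 32:data_off + 32 + length].hex(),
    }


def check_policy(tx: dict, allowed_targets: set) -> list:
    """Return reasons to refuse signing; an empty list means the payload passes (assumed policy)."""
    problems = []
    if tx["operation"] != OPERATION_CALL:
        problems.append("operation is not a plain CALL")
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        problems.append("target " + tx["to"] + " is not on the allowlist")
    return problems
```

A hardware wallet with its own display performs the same decoding on-device; this script shows what that independent check has to confirm.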