Why do the world’s largest crypto hacks always lead back to Park Jin Hyok? From Sony to Bybit, how has he perfected billion-dollar cyber thefts?
Lazarus strikes again
In a startling event on Feb. 21, Bybit, a prominent cryptocurrency exchange based in Dubai, fell victim to a massive cyberattack.
Hackers managed to infiltrate the company’s Ethereum (ETH) cold wallet, making off with roughly $1.5 billion in digital assets. This incident is now considered the largest heist in the history of crypto.
The breach was first identified by on-chain analyst ZachXBT, who noticed unusual withdrawals from Bybit’s accounts.
Bybit’s CEO, Ben Zhou, later confirmed that the attackers had manipulated a transaction, deceiving the wallet’s signers into approving a transfer to an unauthorized address.
The sophisticated method involved masking the transaction to appear legitimate, thereby bypassing the multi-signature security protocols in place.
In the aftermath, blockchain investigators have linked the attack to North Korea’s infamous Lazarus Group, a collective notorious for orchestrating significant cyber heists, including the $600 million Ronin Network breach in 2022 and the $234 million WazirX hack in 2024.
Emerging reports suggest that Park Jin Hyok, a member of the Lazarus Group, may be the mastermind behind the Bybit hack.
Hyok is not a new name in the world of cybercrime. In 2018, the FBI issued a wanted notice for him, accusing him of being part of a North Korean state-sponsored hacking group responsible for some of the most damaging computer intrusions in history.
Let’s delve deeper into the background of Park Jin Hyok, the operations of the Lazarus Group, the allegations they’ve faced in the past, and their history of crypto-related hacks over the years.
A hacker raised by the State
Allegedly backed by the North Korean government, the Lazarus Group has orchestrated some of the most devastating cyberattacks in history, targeting financial institutions and critical infrastructure worldwide.
But behind the group’s faceless operations, one name has surfaced again and again: Park Jin Hyok, a North Korean programmer accused of leading some of the most high-profile cyber heists of the past decade.
The group’s early attacks were focused on espionage, gathering intelligence from military and corporate entities. Over time, however, the group pivoted toward financial crime, siphoning billions from banks, crypto exchanges, and other digital financial platforms.
A key shift in this evolution came with the emergence of Bluenoroff, a Lazarus subdivision specializing in financial cyberattacks, first identified by cybersecurity firm Kaspersky Lab.
Researchers linked several high-profile hacks to Bluenoroff, even uncovering a direct IP connection to North Korea. At the same time, they cautioned that some patterns could be deliberate misdirection: false flags designed to frame Pyongyang.
Hyok, however, is not a fabricated identity. Despite North Korea’s insistence that he does not exist, he is very real, with a well-documented history tied to Lazarus and the country’s cyber warfare apparatus.
A graduate of Kim Chaek University of Technology in Pyongyang, Hyok began his career at Chosun Expo, a government-linked IT company operating in both North Korea and China.
Believed to be a front for state-sponsored cyber operations, this company served as a recruitment ground for elite programmers tasked with executing cyberattacks under the direction of North Korea’s military intelligence unit, Lab 110.
Hyok’s name first entered the global spotlight following the infamous Sony Pictures hack in 2014.
The attack, carried out in retaliation for the satirical film The Interview, crippled Sony’s internal networks, leaked huge amounts of sensitive data, and caused an estimated $35 million in damages.
But it was the 2017 WannaCry ransomware outbreak that cemented both Lazarus’s and Hyok’s reputations as cybercriminal masterminds.
The malware encrypted files on infected computers and demanded crypto payments for decryption keys, wreaking havoc on a global scale.
The attack’s impact was catastrophic, yet North Korea denied involvement despite overwhelming evidence linking it to Lazarus.
Since then, the group’s tactics have evolved, shifting more aggressively toward crypto theft, a strategy aligned with North Korea’s growing reliance on illicit financial operations to evade international sanctions.
Making of a cybercriminal legend
The group’s foray into crypto crime gained widespread attention in 2017, the same year Park was first identified as a key figure in Lazarus.
That year, a series of cyberattacks on South Korean exchanges siphoned millions from trading platforms, including the now-defunct Youbit, which was forced out of business after losing 17% of its assets in a single breach.
Then, in 2018, the group pulled off a $530 million theft from the Japanese exchange Coincheck, the largest crypto heist at the time.
Investigators linked the attack to North Korean operatives who used a combination of phishing campaigns, social engineering, and sophisticated malware to infiltrate Coincheck’s network.
Hyok’s expertise in developing malicious software and crafting deceptive digital identities was believed to have played a crucial role, allowing the attackers to gain access to the private keys controlling huge amounts of NEM tokens.
As their tactics became more refined, Lazarus shifted to targeting blockchain networks directly.
The 2022 Ronin (RON) Network breach, one of the most damaging in crypto history, saw $600 million drained from Axie Infinity’s (AXS) sidechain through a meticulously planned social engineering attack.
The hackers exploited a weakness in Ronin’s validator system, using compromised private keys to authorize fraudulent transactions: an attack that required deep technical knowledge, persistence, and precision, all hallmarks of Park’s expertise.
U.S. authorities later confirmed that the stolen funds had been laundered through various decentralized protocols before being funneled into North Korea’s financial system.
The trend continued in 2023 and 2024, with Lazarus striking again.
In July 2024, WazirX, one of India’s largest exchanges, suffered a $234 million loss in yet another case of multi-layered deception.
The attackers exploited vulnerabilities in the exchange’s API permissions, gaining unauthorized access to transfer funds while bypassing internal security triggers.
Blockchain forensic teams traced the stolen assets through a labyrinth of mixing services, with digital breadcrumbs once again leading back to North Korea.
And now, the Bybit hack has revived the same pattern, this time on an even grander scale.
The world is losing the cyber war, and Hyok knows it
Lazarus Group’s cyber warfare has evolved into a well-orchestrated playbook that blends deception, infiltration, and precision laundering.
Their ability to weaponize human psychology has been one of their most formidable advantages, allowing them to bypass even the most sophisticated security measures. And as recent data shows, they’re only getting more efficient at their craft.
According to Chainalysis, North Korea-affiliated hackers stole $660.50 million across 20 incidents in 2023.
In 2024, this figure skyrocketed to $1.34 billion stolen across 47 incidents, marking an over 102% increase. These figures account for 61% of all crypto stolen that year, and Lazarus Group was responsible for nearly all large-scale exploits above $100 million.
Now, in just two months of 2025, they’ve already surpassed their 2024 total, with the Bybit hack alone siphoning $1.5 billion.
The group’s operations begin long before a breach occurs. Over the past few years, North Korean IT workers have systematically embedded themselves in crypto and web3 companies, using fake identities, third-party recruiters, and remote job opportunities to gain insider access.
The U.S. Department of Justice in 2024 indicted 14 North Korean nationals who had secured employment at U.S. companies, stealing over $88 million by misappropriating proprietary information and exploiting their positions.
These operatives act as silent insiders, providing Lazarus with intelligence on exchange security protocols, wallet structures, and internal transaction flows.
Once embedded, Lazarus executes its attacks through social engineering, phishing, and technical exploits. Employees are targeted with meticulously crafted emails impersonating trusted entities to extract sensitive login credentials.
The Bybit hack followed a similar pattern, where attackers deceived the exchange’s multi-signature signers into authorizing malicious transactions by disguising them as routine approvals.
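The failure described here, and in the account of the cold-wallet breach at the top of the article, is that signers approved what a signing interface showed them rather than what the transaction bytes actually did. The following is an added example, not code from the article, from Bybit, or from any wallet vendor: a signer-side policy check that decodes the raw calldata of a proposed multisig transaction on its own and refuses to approve when the decoded destination disagrees with the displayed recipient or with an allowlist. It assumes a Safe-style proposal (fields `to`, `value`, `data` and an `operation` flag where 0 means CALL and 1 means DELEGATECALL); the token and wallet addresses are constructed placeholders.

```python
"""
Signer-side sanity check for a multisig token transfer (added example).
Assumes a Safe-style proposal: to, value, data, operation (0 = CALL,
1 = DELEGATECALL). All addresses below are constructed, not real.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 4-byte selector of the ERC-20 function transfer(address,uint256)
ERC20_TRANSFER_SELECTOR = "a9059cbb"


@dataclass
class Proposal:
    to: str                    # contract the wallet will call (the token)
    value_wei: int             # native ETH attached to the call
    data: str                  # hex-encoded calldata
    operation: int             # 0 = CALL, 1 = DELEGATECALL
    ui_claimed_recipient: str  # recipient the signing interface displays


def _strip0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h


def encode_transfer(recipient: str, amount: int) -> str:
    """Build transfer(address,uint256) calldata; used here only to construct samples."""
    addr_word = _strip0x(recipient).rjust(64, "0")
    return "0x" + ERC20_TRANSFER_SELECTOR + addr_word + format(amount, "064x")


def decode_erc20_transfer(data: str) -> Optional[Tuple[str, int]]:
    """Return (recipient, amount) if data is exactly transfer(address,uint256), else None."""
    hexdata = _strip0x(data)
    # selector (4 bytes) followed by two 32-byte ABI words, nothing else
    if len(hexdata) != 8 + 64 + 64 or hexdata[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    # the address is right-aligned in its word: skip 12 bytes of zero padding
    recipient = "0x" + hexdata[8 + 24:8 + 64]
    amount = int(hexdata[8 + 64:], 16)
    return recipient, amount


def check_proposal(p: Proposal, token_allowlist, recipient_allowlist) -> List[str]:
    """Return finding codes derived from the bytes alone; an empty list means approve."""
    findings: List[str] = []
    if p.operation != 0:
        findings.append("DELEGATECALL")        # a "routine approval" never needs delegatecall
    if p.to.lower() not in {t.lower() for t in token_allowlist}:
        findings.append("UNKNOWN_TARGET")      # calling a contract the policy does not know
    if p.value_wei != 0:
        findings.append("UNEXPECTED_VALUE")    # token transfers carry no native ETH
    decoded = decode_erc20_transfer(p.data)
    if decoded is None:
        findings.append("NOT_ERC20_TRANSFER")  # opaque calldata: refuse blind signing
        return findings
    recipient, _amount = decoded
    if recipient.lower() != p.ui_claimed_recipient.lower():
        findings.append("UI_MISMATCH")         # the bytes name a recipient the UI did not
    if recipient.lower() not in {a.lower() for a in recipient_allowlist}:
        findings.append("RECIPIENT_NOT_ALLOWLISTED")
    return findings


# Constructed sample addresses (placeholders, not real on-chain addresses)
TOKEN = "0x" + "aa" * 20
TREASURY = "0x" + "11" * 20
ATTACKER = "0x" + "22" * 20

LEGIT = Proposal(to=TOKEN, value_wei=0, data=encode_transfer(TREASURY, 10**18),
                 operation=0, ui_claimed_recipient=TREASURY)
# UI shows the treasury, but the calldata actually pays the attacker address
DISGUISED = Proposal(to=TOKEN, value_wei=0, data=encode_transfer(ATTACKER, 10**18),
                     operation=0, ui_claimed_recipient=TREASURY)
OPAQUE = Proposal(to=TOKEN, value_wei=0, data="0xdeadbeef",
                  operation=1, ui_claimed_recipient=TREASURY)

if __name__ == "__main__":
    for name, prop in [("legit", LEGIT), ("disguised", DISGUISED), ("opaque", OPAQUE)]:
        print(name, check_proposal(prop, [TOKEN], [TREASURY]) or "OK")
```

The point of the design is that the check never reads the UI's description of the transaction; it recomputes the recipient from the calldata and treats anything it cannot fully decode as a reason to stop, so a hardware-wallet display that only shows a hash or a truncated address is not the last line of defence.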
Once the funds are stolen, they’re quickly moved through a network of decentralized exchanges, privacy wallets like Tornado Cash (TORN), and cross-chain bridges.
These transactions rapidly shuffle assets across different blockchains, making it difficult for investigators to trace them back to their original source.
Typically, stolen crypto is converted multiple times between Bitcoin (BTC), Ethereum, and stablecoins before eventually reaching wallets controlled by North Korean operatives.
Some of these assets are funneled through seemingly legitimate crypto trading firms, further obfuscating their origins and allowing the regime to convert digital assets into hard currency, a crucial workaround for international sanctions.
And through it all, Park Jin Hyok stands at the center of nearly every major Lazarus operation. Whether he’s the architect of these heists or just one of its most skilled operatives, his fingerprints are everywhere.
With the Bybit attack rewriting the playbook yet again, the real question isn’t just how they pulled it off, but how much longer the world can keep up before the next billion vanishes into the digital void.
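The laundering chain sketched in the preceding paragraphs (DEX swap, bridge to another chain, mixer) is what blockchain forensic teams follow hop by hop. As an added illustration that is not from the article or from any forensics vendor, the following Python performs a breadth-first taint trace over a constructed transfer ledger: starting from the victim address it follows outgoing transfers, carries the trace across a bridge by linking the bridge's deposit address on one chain to its release address on the other, and records the path of transaction ids whenever the funds land on an address the analyst has labelled as a DEX, bridge or mixer. Every address, transaction id and label in the sample is constructed.

```python
"""
Breadth-first taint trace across chains (added example, constructed data).
A real investigation would load transfers from chain indexers and labels
from an attribution database; here both are hard-coded placeholders.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Transfer = Tuple[str, str, str, str, str, float]  # (tx_id, from, to, chain, asset, amount)

# Constructed sample ledger: the hop sequence the article describes
TRANSFERS: List[Transfer] = [
    ("t1", "victim_wallet", "attacker_1", "eth", "ETH", 100.0),
    ("t2", "attacker_1", "dex_pool", "eth", "ETH", 100.0),        # swap on a DEX
    ("t3", "dex_pool", "attacker_2", "eth", "USDT", 250000.0),    # comes out as a stablecoin
    ("t4", "attacker_2", "bridge_eth_side", "eth", "USDT", 250000.0),
    ("t5", "bridge_btc_side", "attacker_3", "btc", "BTC", 3.0),   # released on another chain
    ("t6", "attacker_3", "mixer_deposit", "btc", "BTC", 3.0),
    ("t7", "unrelated_a", "unrelated_b", "eth", "ETH", 5.0),      # noise, never reached
]

# Hypothetical analyst labels for service addresses
LABELS: Dict[str, str] = {
    "dex_pool": "dex",
    "bridge_eth_side": "bridge",
    "bridge_btc_side": "bridge",
    "mixer_deposit": "mixer",
}
# Which deposit address on one chain corresponds to which release address on the other
BRIDGE_PAIRS: Dict[str, str] = {"bridge_eth_side": "bridge_btc_side"}


def build_graph(transfers: List[Transfer]) -> Dict[str, List[Transfer]]:
    """Index transfers by sender so outgoing hops can be looked up quickly."""
    adj: Dict[str, List[Transfer]] = defaultdict(list)
    for tx in transfers:
        adj[tx[1]].append(tx)
    return adj


def trace(origin: str, transfers: List[Transfer], labels: Dict[str, str],
          bridge_pairs: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Return (label, address, tx path) for every labelled service the funds touch."""
    adj = build_graph(transfers)
    seen = {origin}
    queue: Deque[Tuple[str, List[str]]] = deque([(origin, [])])
    hits: List[Tuple[str, str, List[str]]] = []
    while queue:
        addr, path = queue.popleft()
        # A bridge deposit continues from the paired release address on the other chain
        sources = [addr] + ([bridge_pairs[addr]] if addr in bridge_pairs else [])
        for src in sources:
            for tx in adj.get(src, []):
                dst = tx[2]
                new_path = path + [tx[0]]
                if dst in labels:
                    hits.append((labels[dst], dst, new_path))
                if dst not in seen:           # keep following: DEX and bridge outputs flow on
                    seen.add(dst)
                    queue.append((dst, new_path))
    return hits


def services_touched(origin: str) -> List[str]:
    """Ordered list of service types the traced funds passed through."""
    return [label for label, _addr, _path in trace(origin, TRANSFERS, LABELS, BRIDGE_PAIRS)]


if __name__ == "__main__":
    for label, addr, path in trace("victim_wallet", TRANSFERS, LABELS, BRIDGE_PAIRS):
        print(f"{label:6s} {addr:18s} via {' -> '.join(path)}")
```

The bridge pairing is the step that matters in practice: without an out-of-band link between the deposit and release addresses, the trace stops at the first chain boundary, which is exactly why cross-chain hops are used to shake off investigators.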