
SlowMist exposes North Korea’s CEX attacks

In its latest report, SlowMist has unveiled detailed insights into the sophisticated techniques employed by North Korean hackers targeting centralized exchanges (CEXs).


SlowMist's report unveils North Korea's advanced hacking of crypto exchanges, showing the Lazarus Group's increased and sophisticated cyber threats.

In a February 25, 2025 report, SlowMist provided an extensive analysis of how North Korea’s Lazarus Group has intensified its attacks on centralized cryptocurrency exchanges.  

The findings expose the group’s sophisticated hacking techniques and laundering processes, marking a notable surge in cyber threats within the crypto space.  

The North Korean-backed hacking group Lazarus, classified as an advanced persistent threat (APT), has carried out multiple major crypto-related heists in recent years.  

In February 2025, the Lazarus Group executed a $1.5 billion heist on Bybit, a major crypto exchange, ranking among the biggest crypto thefts ever recorded.  

The attackers exploited a vulnerability in an Ethereum wallet during a routine transaction and discreetly diverted the funds.  

Throughout 2024, North Korea orchestrated 47 cyber heists, looting approximately $1.34 billion and contributing to two-thirds of the year’s total crypto hacks.  

Analysts suspect that North Korea uses these illicit funds to sustain its missile and nuclear initiatives while avoiding restrictions imposed by international sanctions.  

SlowMist reports that the Lazarus Group has advanced its hacking methods and strategically targets security gaps in centralized exchanges.  

The hackers rely on spear-phishing attempts, software vulnerability exploitation, and the calculated infiltration of crypto exchange networks.  

According to the report, the hackers deceive CEX employees by pretending to be a legitimate team, paying them for debugging work, and using falsified credentials to infiltrate critical systems.  

Once inside the system, they deploy advanced malware, such as the upgraded BeaRAT, to establish ongoing access and siphon off sensitive data.  

After stealing funds, the Lazarus Group employs highly intricate laundering mechanisms, using a mix of crypto tumblers, decentralized platforms, and cross-chain swaps to erase transaction trails and evade detection.  

In the first half of 2024, SlowMist documented 16 significant incidents where victims successfully retrieved full or partial amounts of stolen crypto. They recovered approximately $113 million, with $98.64 million restored.  

Since its inception in January 2018, SlowMist has focused on strengthening blockchain security to protect the entire ecosystem.

The recent attack on Bybit has necessitated the creation and launch of a bounty program targeted specifically at the Lazarus Group. The program aims to track and disrupt the illicit activities of the North Korean hacking collective.
