On the morning of February 21, 2025, somewhere in the labyrinthine offices of Bybit—one of the world’s largest cryptocurrency exchanges—someone noticed that something had gone terribly wrong. Four hundred thousand Ethereum tokens, worth approximately one and a half billion dollars, had simply disappeared. Not gradually, not through some slow leak in the system, but all at once, in a matter of hours. The culprit, investigators would later determine, was Lazarus Group, a North Korean hacking collective sponsored by a government that has turned cryptocurrency theft into a peculiarly modern form of state revenue. Within seventy-two hours, Bybit managed to replenish its reserves through emergency financing—a feat of crisis management that most victims of such attacks can only dream of. It was the largest cryptocurrency theft in history. It will not, almost certainly, be the last.
Welcome to the age of the digital heist, where the old rituals of bank robbery—the planning, the weapons, the getaway car, the laundering of physical cash—have been replaced by something far more efficient and far harder to prevent. A traditional bank robbery requires a certain theatrical commitment: you must be physically present, you must threaten or deceive human beings, you must escape with actual objects that can be traced and recovered. A cryptocurrency heist requires a laptop, a convincing lure, and patience. The largest of them are prepared over months, but the final act, the transaction that moves the money, takes seconds and can be launched from the other side of the world. And the blockchain, the technology that undergirds the entire cryptocurrency ecosystem, does exactly what it promises: it makes every transaction irreversible. That is a feature when the transaction is yours, and a catastrophe when it was signed on your behalf by a thief, because the ledger records the theft with the same finality as any legitimate transfer.
The Numbers That Tell the Story
The year 2025 has already distinguished itself as an annus horribilis for cryptocurrency security. In the first half of the year alone, more than two billion dollars vanished from exchanges and wallets, and the bulk of it was taken by North Korean hackers working under state sponsorship; the Bybit theft alone accounts for roughly a billion and a half of that total. Lazarus Group, the élite unit responsible for most of these operations, has stolen more than six billion dollars since it began targeting cryptocurrency platforms. The recovery rate for stolen cryptocurrency? Reported at less than eight per cent. Read that again: fewer than eight cents on the dollar ever come back.
A Brief History of Digital Larceny
2011: The Age of Innocence
In the beginning, there was Mt. Gox—a small exchange operated by an enthusiast in Japan, handling Bitcoin transactions when Bitcoin was still a curiosity for technophiles. The early hacks were primitive affairs, exploiting basic security vulnerabilities to steal coins that were nearly worthless at the time. No one worried much about the loss of a few thousand BTC. After all, a single Bitcoin cost somewhere between a few dollars and a few tens of dollars.
2014: The Mt. Gox Catastrophe
By 2014, Mt. Gox handled seventy per cent of the world’s Bitcoin trading. It was a giant, a near-monopoly—and it was as porous as a sieve. For years, hackers (including Russian cybercriminals) had been systematically siphoning off Bitcoins, exploiting every conceivable weakness: unencrypted private keys, inadequate separation of funds, weak passwords, compromised employees. In total, eight hundred and fifty thousand BTC were reported missing, worth approximately four hundred and fifty million dollars; about two hundred thousand of them were later found in an old wallet, which did nothing to save the company. Mt. Gox declared bankruptcy. The age of innocence was over.
2016-2020: The Era of Professionalization
The hackers grew more sophisticated. They were no longer lone nerds in basements but organized criminal groups—and, increasingly, state-sponsored organizations.
Bitfinex, in 2016, lost a hundred and nineteen thousand BTC when hackers defeated a multi-signature arrangement with a third-party co-signer that had been marketed as a safeguard. Once the attackers controlled Bitfinex’s own systems, the co-signer approved the withdrawals it was asked to approve, which is exactly what a co-signer that cannot see intent will do. Coincheck, a Japanese exchange, lost five hundred and thirty-four million dollars’ worth of NEM tokens in 2018 after employees were phished with malware and the tokens turned out to be sitting in an Internet-connected hot wallet with no multi-signature protection at all. Binance lost forty million dollars in 2019, but—in what should serve as a model for responsible business practices—the exchange had an insurance fund, and no customer lost money. KuCoin lost two hundred and eighty-one million dollars in 2020, most of which was recovered through coöperation between the cryptocurrency community, token issuers, and blockchain-analytics firms.
2021-2024: Enter the Nation-States
Something fundamental changed. Hacks were no longer the work of random criminals; they had become geopolitical operations. North Korea discovered that stealing cryptocurrency was an ideal way to finance its nuclear program despite international sanctions. Lazarus Group became the most dangerous criminal organization in cryptocurrency history. Their method evolved: they no longer needed to break code. They broke people instead.
2025: The Year of Social Engineering
Which brings us to the heart of the problem. Most of the major breaches in 2025 have resulted not from flaws in code or weak technical security but from attacks on human beings.
The Bybit hack did not breach Bybit’s own servers, and it did not exploit a flaw in the smart contracts of Safe{Wallet}, the external multi-signature provider that held the exchange’s cold wallet. It went through the people and machines around them. A Safe{Wallet} developer’s workstation was compromised, and from there the attackers planted malicious JavaScript in the wallet’s web interface. When Bybit’s signers approved what the screen showed as a routine transfer, the interface had swapped in a different transaction, one that handed control of the wallet’s logic to a contract the attackers owned. Hardware wallets are supposed to be the last line of defense, but a hardware wallet can only show what it can decode; the signers confirmed a transaction whose real contents they could not read on the device. Someone, somewhere, clicked the wrong link, and several people then signed what the screen told them to sign. At CoinDCX, an attack lasted only five minutes but was executed with such precision that investigators suspect inside coöperation. The Nobitex breach wasn’t really a theft at all: the attackers, a group widely linked to Israel, sent the funds to addresses from which they can never be spent, an act of sabotage in the conflict between Israel and Iran rather than a bid for profit. Cryptocurrency exchanges have become battlefields in wars that most of us know nothing about.
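The lesson of the Bybit case is that a signer must check the raw transaction, not the web page that presents it. The example below is added for this article and is not code from Bybit or from Safe{Wallet}. It decodes a Safe `execTransaction()` call directly from its calldata (the function selector and argument layout are Safe’s public interface; in Safe, `operation` 0 is a call and 1 is a delegatecall) and applies a simple signing policy. Every address, limit, and sample transaction is constructed for the demonstration, and the tiny encoder exists only to build those samples.

```python
# Added example: independently decode a Safe execTransaction() call and apply
# a signing policy before a hardware wallet is asked to approve it.
# Illustrative code, not Bybit's or Safe{Wallet}'s. The ABI layout of
# execTransaction is Safe's public one; every address, limit and sample
# transaction below is constructed for the demonstration.

# 4-byte selector of execTransaction(address,uint256,bytes,uint8,uint256,
# uint256,uint256,address,address,bytes) on Safe contracts.
SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1               # Safe "operation" values
ZERO_ADDRESS = "0x" + "00" * 20

def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _addr(a: str) -> bytes:
    return bytes(12) + bytes.fromhex(a[2:])

def _dyn(b: bytes) -> bytes:
    # ABI dynamic bytes: length word, then the bytes padded to a 32-byte boundary
    return _word(len(b)) + b + bytes((-len(b)) % 32)

def encode_exec_transaction(to, value, data, operation, safe_tx_gas=0, base_gas=0,
                            gas_price=0, gas_token=ZERO_ADDRESS,
                            refund_receiver=ZERO_ADDRESS, signatures=b""):
    """Constructed encoder, used here only to build sample calldata."""
    data_off = 10 * 32                  # ten head words precede the dynamic tail
    sig_off = data_off + len(_dyn(data))
    head = (_addr(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(safe_tx_gas) + _word(base_gas) + _word(gas_price)
            + _addr(gas_token) + _addr(refund_receiver) + _word(sig_off))
    return SELECTOR + head + _dyn(data) + _dyn(signatures)

def decode_exec_transaction(calldata: bytes) -> dict:
    """Parse the raw calldata a signer is about to approve; trust nothing else."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not a Safe execTransaction() call")
    body = calldata[4:]
    word = lambda i: int.from_bytes(body[32 * i:32 * i + 32], "big")
    addr = lambda i: "0x" + body[32 * i + 12:32 * i + 32].hex()
    def dyn(off):
        n = int.from_bytes(body[off:off + 32], "big")
        return body[off + 32:off + 32 + n]
    return {"to": addr(0), "value": word(1), "data": dyn(word(2)),
            "operation": word(3), "gas_price": word(6), "gas_token": addr(7),
            "refund_receiver": addr(8), "signatures": dyn(word(9))}

def check_signing_policy(tx: dict, allowed_recipients: set, max_value_wei: int) -> list:
    """Return the reasons a transaction must NOT be signed (empty list = OK)."""
    reasons = []
    if tx["operation"] == DELEGATECALL:
        reasons.append("operation=DELEGATECALL: target code runs inside the Safe "
                       "and can rewrite its storage and logic")
    if tx["to"] not in allowed_recipients:
        reasons.append(f"recipient {tx['to']} is not on the allow-list")
    if tx["value"] > max_value_wei:
        reasons.append(f"value {tx['value']} wei exceeds the per-transaction limit")
    if tx["gas_price"] and tx["refund_receiver"] != ZERO_ADDRESS:
        reasons.append("a gas refund would be paid to a third-party address")
    return reasons

# Constructed sample data (hypothetical addresses and limits).
WARM_WALLET = "0x" + "11" * 20           # allow-listed destination
ATTACKER_CONTRACT = "0x" + "ee" * 20     # not on the allow-list
POLICY = {"allowed_recipients": {WARM_WALLET}, "max_value_wei": 100 * 10**18}

def routine_transfer() -> bytes:
    return encode_exec_transaction(WARM_WALLET, 50 * 10**18, b"", CALL)

def ui_substituted_transaction() -> bytes:
    # What a tampered front end might submit in place of the routine transfer:
    # same wallet, same signers, but a DELEGATECALL into a foreign contract.
    return encode_exec_transaction(ATTACKER_CONTRACT, 0, bytes.fromhex("deadbeef"), DELEGATECALL)

def review(calldata: bytes) -> list:
    return check_signing_policy(decode_exec_transaction(calldata), **POLICY)

if __name__ == "__main__":
    for name, cd in (("routine", routine_transfer()), ("substituted", ui_substituted_transaction())):
        print(name, review(cd) or "OK to sign")
```

The point of the check is where it runs: on a machine or device that never loads the wallet’s web front end, fed only the bytes the hardware wallet is about to sign. A policy that rejects delegatecalls and unknown recipients outright would have flagged a substituted transaction no matter how convincing the page looked.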
Anatomy of an Attack: How They’ll Rob You
Imagine this scenario: You wake up one morning, reach for your phone, check your balance on Binance. Zero. Yesterday, you had fifty thousand dollars in Bitcoin and Ethereum. Today: 0.00000000.
In a panic, you check your email. There’s a message, sent at 3:47 A.M.: “Your withdrawal request has been processed.” What withdrawal request? You didn’t send anything!
You try to log in to your account. “Incorrect password.” You check your email history. Someone changed your password at 3:42. Five minutes later, all funds were withdrawn.
You call the exchange’s support line. After an hour on hold, you hear: “We’re sorry, but the transaction was authorized from your account with correct two-factor authentication. This is not our responsibility.”
How did this happen?
Scenario One: Phishing
A week ago, you received an email: “Binance: Suspicious activity detected on your account. Click here to verify.” The page looked identical to the real Binance site. You entered your login and password. Even your 2FA code. You did exactly what they told you to do.
The hackers now had everything they needed, but only for about thirty seconds. A code from an authenticator app expires almost as soon as it is issued, so a modern phishing kit does not store what you typed and come back later; it relays your password and code to the real exchange in the same instant, logs in as you, and then makes the access durable by registering a trusted device or an API key, or by changing the e-mail address on the account. Once that is done, the withdrawal itself can wait for a quiet hour.
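Why the relay has to happen in real time is easiest to see with the arithmetic of the codes themselves. The example below is added for this article and is not taken from any exchange or authenticator vendor; it implements TOTP as specified in RFC 6238 with the standard library, using the reference seed from that RFC, and plays through a constructed phishing timeline to show which attempts the real site would accept.

```python
# Added example: why a phished one-time code has to be used immediately.
# Illustrative code, not from any exchange; implements RFC 6238 TOTP (HMAC-SHA1,
# 30-second steps) with Python's standard library. The shared secret is the
# RFC 6238 reference seed; the login timeline is constructed.
import hmac
import hashlib
import struct
import time

STEP = 30        # seconds per TOTP time step
SKEW = 1         # verifiers usually tolerate one step either way for clock drift

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HOTP over the current time step, with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, at: int) -> bool:
    """What the real site does: accept the code for the current step +/- SKEW."""
    return any(hmac.compare_digest(totp(secret, at + d * STEP), code)
               for d in range(-SKEW, SKEW + 1))

def phishing_timeline(secret: bytes, typed_at: int) -> dict:
    """The victim types password and code into the fake page at `typed_at`.
    A relay kit forwards the code to the real site within seconds; a kit that
    merely stores it and tries later presents a stale code."""
    phished = totp(secret, typed_at)
    return {
        "relayed_now": verify(secret, phished, typed_at + 2),
        "tried_2_min_later": verify(secret, phished, typed_at + 120),
        "tried_next_day": verify(secret, phished, typed_at + 86400),
    }

RFC_SEED = b"12345678901234567890"   # RFC 6238 Appendix B reference secret

if __name__ == "__main__":
    print(phishing_timeline(RFC_SEED, int(time.time())))
```

The code is bound to time, not to the site, which is the whole weakness: anyone holding it inside the window is indistinguishable from you. A FIDO2 security key removes that property, because the signature it produces is bound to the origin that requested it, and a lookalike domain gets a signature the real exchange will not accept.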
Scenario Two: SIM Swapping
Someone called your mobile carrier, impersonating you. “I lost my phone—please transfer my number to a new SIM card.” The operator, poorly trained or in a hurry, complied. Suddenly, you stopped receiving text messages. Someone else started receiving them instead.
That person logged in to your exchange, clicked “forgot password,” and received the reset code by text on “your” number, which was now theirs. Password reset. Every setting changed. Withdrawal complete. If an exchange lets a phone number reset a password and confirm a withdrawal, then the phone number is the account, and its weakest link is whoever answers the phone at your carrier.
Scenario Three: Malicious Software
You downloaded a “great app for tracking your crypto portfolio.” Or you clicked a link promising a free token airdrop. Or perhaps you installed a Chrome extension that “automates trading.”
In reality, you installed a credential stealer. A keylogger sends every password and every 2FA code you type to the criminals in real time; a clipboard hijacker, a favorite of cryptocurrency thieves, waits until you copy a wallet address and quietly replaces it with theirs before you paste it.
Why the Police Will Say: “There’s Nothing We Can Do”
You call the police. The detective looks at you with sympathy: “Cryptocurrency? From overseas? The money’s long gone. I’m sorry, but there’s nothing we can do.”
And in ninety per cent of cases, he’ll be right.
Why Recovery Is Nearly Impossible
Irreversibility of Transactions
In a bank, you can stop a transfer. You can freeze a card. The bank can reverse a transaction. On the blockchain? There’s no recall. No reversal. The transaction is final.
Pseudonymity
You can see a wallet address—something like 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. But you don’t know who controls it. Is it an individual? An exchange? A mixer service? Is it someone named Kowalski in Warsaw or Kim Jong-un?
International Jurisdiction
Criminals operate from Vietnam, route funds through an exchange in the Cayman Islands, run them through a mixer in Russia, and cash out in Hong Kong. Which court has jurisdiction? Which law applies? Who’s going to coöperate with whom?
Lack of Expertise
Your local police officer is well trained in catching car thieves. But in tracking cryptocurrency through the blockchain, identifying mixer services, coöperating with foreign exchanges? Most precincts don’t have personnel who even understand what blockchain is.
Mixers and Tumblers
Criminals use services like Tornado Cash, which pool the deposits of many users. Your stolen Ether goes into a pool alongside deposits of the same fixed size from hundreds of other people, and a withdrawal is authorized by a zero-knowledge proof that one of those deposits belongs to the withdrawer, without revealing which. On the ledger, the link between deposit and withdrawal is gone. Analysts fall back on timing, amounts, and the wallets on either side of the pool, and many exchanges treat anything that emerges from a mixer as suspect, but “that output is yours” is no longer a statement the chain itself can support.
But Some Victims Have Recovered Their Money
Erin West is a prosecutor in Silicon Valley. For the past eight years, she has specialized in one thing: recovering stolen cryptocurrency.
Her message is clear: “There are too many misconceptions. That cryptocurrency goes overseas and disappears. That it can’t be traced. That’s not true. The blockchain is a public ledger—every transaction is recorded there. If we know how to read it, we can track every satoshi.”
West is part of REACT, the Regional Enforcement Allied Computer Team, a task force of Silicon Valley law-enforcement agencies that works with commercial blockchain-analytics tools such as Chainalysis and Elliptic.
Her team has recovered funds for dozens of victims—many of them after other law-enforcement agencies told them their cases were hopeless.
The key to success? Speed and knowledge.
The recovered cases shared common elements:
- Victims acted immediately—within hours, not weeks
- They had good legal support specializing in cryptocurrency
- They documented everything—every screenshot, every transaction
- They coöperated with exchanges and blockchain-analytics firms instead of relying solely on the police
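What “reading the ledger” looks like in practice, and what a mixer does to it, can be shown on a toy ledger. The example below is added for this article; it is not a tool used by REACT or by any analytics vendor. It follows stolen coins through a constructed transaction graph with a proportional (“haircut”) taint model, one of several heuristics investigators use: a theft, a split, a deposit to one exchange, and a mixer-style transaction that blends the remainder with three unrelated deposits. All transaction IDs, addresses, amounts, and exchange labels are constructed.

```python
# Added example: following stolen coins across a transaction graph with a
# proportional ("haircut") taint model. Illustrative code written for this
# article, not a tool used by REACT or any analytics vendor. The ledger is
# constructed: a theft, a split, a deposit to one exchange, and a mixer-style
# transaction that blends the rest with three clean deposits.
from fractions import Fraction

BTC = 100_000_000   # satoshis per bitcoin

# Constructed ledger in block order. "in" lists the (txid, vout) outpoints a
# transaction spends; "out" lists (address, satoshis). Empty "in" = funding source.
LEDGER = [
    {"id": "fund",    "in": [],             "out": [("victim", 10 * BTC)]},
    {"id": "theft",   "in": [("fund", 0)],  "out": [("thief_a", 10 * BTC - 10_000)]},
    {"id": "split",   "in": [("theft", 0)], "out": [("thief_b", 6 * BTC), ("thief_c", 399 * BTC // 100)]},
    {"id": "clean_1", "in": [],             "out": [("user_1", 4 * BTC)]},
    {"id": "clean_2", "in": [],             "out": [("user_2", 4 * BTC)]},
    {"id": "clean_3", "in": [],             "out": [("user_3", 4 * BTC)]},
    {"id": "cashout", "in": [("split", 0)], "out": [("xchg_x_dep", 599 * BTC // 100)]},
    {"id": "mix",     "in": [("split", 1), ("clean_1", 0), ("clean_2", 0), ("clean_3", 0)],
     "out": [(f"mix_out_{i}", 399 * BTC // 100) for i in range(1, 5)]},
    {"id": "exit",    "in": [("mix", 2)],   "out": [("xchg_y_dep", 398 * BTC // 100)]},
]
# Constructed attribution data, the kind an analytics firm sells.
LABELS = {"xchg_x_dep": "Exchange X deposit address", "xchg_y_dep": "Exchange Y deposit address"}

def trace_taint(ledger, root):
    """Walk the ledger in block order. Every output of a transaction inherits the
    share of tainted value among that transaction's inputs (the fee absorbs its share)."""
    value = {(tx["id"], i): amt for tx in ledger for i, (_, amt) in enumerate(tx["out"])}
    tainted = {root: Fraction(value[root])}
    for tx in ledger:
        in_total = sum(value[p] for p in tx["in"])
        in_taint = sum(tainted.get(p, 0) for p in tx["in"])
        if not in_taint:
            continue                        # nothing stolen flows through this tx
        share = in_taint / in_total
        for i, (_, amt) in enumerate(tx["out"]):
            tainted[(tx["id"], i)] = amt * share
    return tainted

def where_it_landed(ledger, tainted, labels):
    """Unspent tainted outputs: how much stolen value each holds and what fraction
    of the output that is. This is the list an investigator hands to an exchange."""
    spent = {p for tx in ledger for p in tx["in"]}
    addr = {(tx["id"], i): a for tx in ledger for i, (a, _) in enumerate(tx["out"])}
    value = {(tx["id"], i): amt for tx in ledger for i, (_, amt) in enumerate(tx["out"])}
    report = {}
    for op, t in tainted.items():
        if op in spent or t == 0:
            continue
        report[addr[op]] = {"label": labels.get(addr[op], "unattributed"),
                            "stolen_btc": t / BTC, "share": t / value[op]}
    return report

if __name__ == "__main__":
    rep = where_it_landed(LEDGER, trace_taint(LEDGER, ("theft", 0)), LABELS)
    for a, r in rep.items():
        print(f"{a:12} {r['label']:28} {float(r['stolen_btc']):.4f} BTC "
              f"({float(r['share']):.1%} of output)")
```

The deposit at Exchange X is a hundred per cent stolen funds, and a freeze request there is straightforward. The four mixer outputs each carry about a quarter of the stolen value, so the chain supports “some of this is stolen” but not “this one is the victim’s,” which is why a fast freeze before the funds reach a mixer matters more than any amount of analysis afterward.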
The New Reality
According to Immunefi, a bug-bounty platform for blockchain projects, investors lost six hundred and eighty-five million dollars in the third quarter of 2023 alone—a fifty-nine per cent increase year over year. Two hacks—of Mixin Network and Multichain—accounted for nearly half of the total stolen amount: three hundred and twenty-six million dollars. The recovery rate that quarter plummeted to 8.9 per cent.
As Mitchell Amador, Immunefi’s founder and C.E.O., noted, “State-backed entities played a critical role, as they were allegedly behind several incidents this quarter. Their particular focus on centralized finance led to a sharp increase in losses in that sector.”
The case of “Bitcoin Bonnie and Clyde”—Ilya Lichtenstein, a Russian-born tech entrepreneur, and Heather Morgan, an aspiring rapper who performed under the name Razzlekhan—illustrated how even seemingly outlandish criminals can orchestrate massive money-laundering schemes. The couple pleaded guilty to conspiring to launder the proceeds of the 2016 Bitfinex hack, roughly a hundred and twenty thousand Bitcoin, worth about four and a half billion dollars by the time of their arrest, in 2022. Until Lichtenstein’s admission in court, no one publicly knew who had actually stolen the Bitcoin from Bitfinex.
The National Security Agency, working with several partner organizations, has issued warnings about North Korea’s use of social engineering and malware to target think tanks, academic institutions, and media sectors. “State-sponsored North Korean cybercriminals continue to impersonate trusted sources to gather sensitive information,” said Rob Joyce, the N.S.A.’s director of cybersecurity. “Education and awareness are the first line of defense against social-engineering attacks.”
The agency has observed continuous intelligence-gathering efforts from a specific set of North Korean cybercriminals known collectively as Kimsuky, Thallium, or Velvet Chollima. These actors strategically impersonate legitimate sources to gather intelligence on geopolitical events, foreign-policy strategies, and security developments of interest to North Korea on the Korean Peninsula.
In this new era of digital theft, the old rules no longer apply. The robbers don’t need masks or getaway cars. They need only patience, technical skill, and the knowledge that, once they press Enter, the money is theirs—and almost certainly theirs to keep.