Taiwan-based cryptocurrency exchange BitoPro has publicly attributed a recent $11 million crypto theft to the North Korean-affiliated Lazarus Group. According to internal findings, the May 8 cyberattack exploited BitoPro’s infrastructure during a scheduled hot wallet system upgrade. Investigators now say the hackers bypassed multiple layers of security using stolen session tokens and implanted malware.
The sophisticated nature of the attack mirrors previous campaigns linked to Lazarus, a well-known cybercrime group accused of orchestrating high-value digital heists across global financial systems.
Attack Carried Out During Scheduled System Maintenance
BitoPro, which serves over 800,000 users with support for fiat and crypto transactions, detected unauthorized activity during routine updates to its hot wallet system. The attackers targeted an outdated hot wallet containing assets on Ethereum, Tron, Solana, and Polygon blockchains.
Using social engineering tactics, the attackers infected a cloud administrator's endpoint with malware. The malware stole the administrator's Amazon Web Services (AWS) session tokens, which let the attackers bypass multi-factor authentication: a session token is issued only after MFA has already succeeded, so replaying it from another host triggers no new challenge. Once inside, the threat actors established persistence and issued remote commands through a command-and-control (C2) server.
These commands injected malicious scripts directly into BitoPro’s wallet infrastructure. When assets were transferred as part of the wallet upgrade, the attackers conducted illicit withdrawals while mimicking normal system behavior to evade detection.
By the time BitoPro identified the breach, approximately $11 million in digital assets had been stolen. The company quickly shut down the compromised hot wallet environment and rotated all cryptographic keys. Affected funds were replenished using internal reserves, and exchange operations continued without interruption.
Investigation Confirms Attribution to Lazarus
BitoPro delayed public disclosure until June 2, nearly four weeks after the breach. The company initially reassured users that the platform remained operational and that losses were fully covered. However, internal investigations continued in parallel, involving external cybersecurity experts and cooperation with relevant authorities.
On June 11, the final report concluded that the attackers used a highly coordinated operation consistent with Lazarus Group tactics. The methodology closely resembled earlier attacks against financial institutions using SWIFT network manipulation and decentralized exchange (DEX) laundering methods.
Stolen crypto was routed through Tornado Cash, ThorChain, and Wasabi Wallet—well-known platforms used to obfuscate transaction origins. These steps further align with previously documented laundering strategies employed by Lazarus in past heists.
Crucially, the investigation found no insider involvement. The attackers gained access solely through external vectors, using social engineering, malware, and compromised session tokens. This underscores that even a routine software upgrade can become a catastrophic point of exposure if an attacker is positioned to exploit it.
Lazarus Group’s Continued Assault on Crypto Platforms
The Lazarus Group, operating under alleged direction from North Korea’s state apparatus, remains one of the most prolific threats to the cryptocurrency sector. Known for executing multi-million and even billion-dollar cyberattacks, Lazarus has repeatedly targeted decentralized finance (DeFi) platforms, exchanges, and custodial services.
Earlier in 2025, the group was linked to a staggering $1.5 billion theft from Bybit, marking one of the largest crypto heists in history. Their consistent focus on digital assets appears to be part of a broader strategy to fund North Korea’s sanctioned programs through illicit financial operations.
BitoPro’s experience highlights the growing need for improved operational security among crypto exchanges. Despite multi-factor authentication and robust infrastructure, social engineering and cloud session hijacking remain effective entry points for advanced persistent threats.
Moving forward, CybSec News recommends that all crypto platforms conduct regular threat modeling exercises, reduce reliance on hot wallets, and monitor for token misuse in cloud platforms. As Lazarus and similar groups evolve, proactive detection and layered defense remain the only effective countermeasures.
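As an added example of the cloud token-misuse monitoring recommended above (not code from BitoPro or CybSec News), the following Python flags an AWS temporary credential that reappears from a different source IP and user agent than where it was first seen. The CloudTrail-style events are constructed sample data; the field names follow CloudTrail's record format.

```python
# Added example (not BitoPro's or CybSec News' own code): flag an AWS temporary
# credential (STS key, prefix "ASIA") that reappears from a source IP / user agent
# different from where it was first seen. A stolen session token replayed from the
# attacker's host still carries the original MFA context, so MFA status alone is
# not a useful signal; origin drift is. Input: CloudTrail-style records (dicts).

# Constructed sample CloudTrail events: the admin's MFA-backed session is used
# from the corporate egress IP, then the same key is replayed from elsewhere.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-08T01:02:03Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-05-08T01:05:00Z", "eventName": "GetSecretValue",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-05-08T02:41:17Z", "eventName": "GetSecretValue",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]

def is_temporary_credential(event):
    """STS-issued keys start with ASIA; long-lived IAM user keys start with AKIA."""
    return event.get("userIdentity", {}).get("accessKeyId", "").startswith("ASIA")

def find_session_reuse(events):
    """Return one alert per event where a temporary credential is used from a
    (source IP, user agent) pair other than the one it was first seen with.
    The first observed origin is the baseline (a simplification); in production,
    anchor the baseline on known egress ranges or the originating STS call."""
    baseline = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not is_temporary_credential(ev):
            continue
        key = ev["userIdentity"]["accessKeyId"]
        origin = (ev["sourceIPAddress"], ev.get("userAgent", ""))
        first = baseline.setdefault(key, origin)
        if origin != first:
            ctx = ev["userIdentity"].get("sessionContext", {}).get("attributes", {})
            alerts.append({"accessKeyId": key, "eventTime": ev["eventTime"],
                           "eventName": ev["eventName"], "sourceIPAddress": origin[0],
                           "userAgent": origin[1], "firstSeenFrom": first[0],
                           "mfaAuthenticated": ctx.get("mfaAuthenticated")})
    return alerts
```

Feeding it the three sample events yields a single alert for the replayed GetSecretValue call, still marked mfaAuthenticated, which is why origin drift rather than MFA state is the signal to alert on.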