
    Did Park Jin Hyok Plan It All?

    By James Wilson, February 25, 2025



    Why do the world’s biggest crypto hacks always lead back to Park Jin Hyok? From Sony to Bybit, how has he perfected billion-dollar cyber thefts?

    Lazarus strikes again

    In a startling event on Feb. 21, Bybit, a prominent cryptocurrency exchange based in Dubai, fell victim to a massive cyberattack. 

    Hackers managed to infiltrate the company’s Ethereum (ETH) cold wallet, making off with approximately $1.5 billion in digital assets. This incident is now considered the largest heist in the history of crypto. 

    The breach was first identified by on-chain analyst ZachXBT, who noticed unusual withdrawals from Bybit’s accounts. 

    Bybit’s CEO, Ben Zhou, later confirmed that the attackers had manipulated a transaction, deceiving the wallet’s signers into approving a transfer to an unauthorized address. 

    The sophisticated method involved masking the transaction to appear legitimate, thereby bypassing the multi-signature security protocols in place. 

    In the aftermath, blockchain investigators have linked the attack to North Korea’s notorious Lazarus Group, a collective infamous for orchestrating significant cyber heists, including the $600 million Ronin Network breach in 2022 and the $234 million WazirX hack in 2024. 

    Emerging reports suggest that Park Jin Hyok, a member of the Lazarus Group, might be the mastermind behind the Bybit hack. 

    The Bybit hack has been exposed, and emerging reports suggest that Park Jin Hyok might be responsible. If true, this would place him among the most formidable hackers encountered to date, given his alleged track record. This incident is being described as one of the largest… pic.twitter.com/BqnB8kCPw2

    — Nana Sei Anyemedu (@RedHatPentester) February 22, 2025

    Hyok is not a new name in the world of cybercrime. In 2018, the FBI issued a wanted notice for him, accusing him of being part of a North Korean state-sponsored hacking organization responsible for some of the most damaging computer intrusions in history. 

    Let’s delve deeper into the background of Park Jin Hyok, the operations of the Lazarus Group, the allegations they have faced in the past, and their history of crypto-related hacks over the years.

    A hacker raised by the State

    Allegedly backed by the North Korean government, the Lazarus Group has orchestrated some of the most devastating cyberattacks in history, targeting financial institutions and critical infrastructure worldwide.

    But behind the group’s faceless operations, one name has surfaced time and again — Park Jin Hyok, a North Korean programmer accused of leading some of the most high-profile cyber heists of the past decade.

    The group’s early attacks were focused on espionage, gathering intelligence from military and corporate entities. Over time, however, the group pivoted toward financial crime, siphoning billions from banks, crypto exchanges, and other digital financial platforms.

    A key shift in this evolution came with the emergence of Bluenoroff, a Lazarus subdivision specializing in financial cyberattacks, first identified by cybersecurity firm Kaspersky Lab.

    Researchers linked multiple high-profile hacks to Bluenoroff, even uncovering a direct IP connection to North Korea. At the same time, they cautioned that some patterns could be deliberate misdirection — false flags designed to frame Pyongyang.

    Hyok, however, is not a fabricated identity. Despite North Korea’s insistence that he does not exist, he is very real, with a well-documented history tied to Lazarus and the country’s cyber warfare apparatus.

    A graduate of Kim Chaek University of Technology in Pyongyang, Hyok began his career at Chosun Expo, a government-linked IT company operating in both North Korea and China.

    Believed to be a front for state-sponsored cyber operations, this company served as a recruitment ground for elite programmers tasked with executing cyberattacks under the directive of North Korea’s military intelligence unit, Lab 110.

    Hyok’s name first entered the international spotlight following the infamous Sony Pictures hack in 2014. 

    The attack, carried out in retaliation for the satirical film The Interview, crippled Sony’s internal networks, leaked vast amounts of sensitive data, and caused an estimated $35 million in damages.

    But it was the 2017 WannaCry ransomware outbreak that cemented both Lazarus's and Hyok's reputations as cybercriminal masterminds.

    The malware encrypted data on infected computers and demanded crypto payments for decryption keys, wreaking havoc on a global scale.

    The attack’s impact was catastrophic, yet North Korea denied involvement despite overwhelming evidence linking it to Lazarus.

    Since then, the group’s tactics have evolved, shifting more aggressively toward crypto theft — a strategy aligned with North Korea’s growing reliance on illicit financial operations to evade international sanctions.

    Making of a cybercriminal legend

    The group’s foray into crypto crime gained widespread attention in 2017 — the same year Park was first identified as a key figure in Lazarus. 

    That year, a series of cyberattacks on South Korean exchanges siphoned millions from trading platforms, including the now-defunct Youbit, which was forced into bankruptcy after losing 17% of its assets in a single breach.

    Then, in 2018, the group pulled off a $530 million theft from the Japanese exchange Coincheck, the largest crypto heist at the time. 

    Investigators linked the attack to North Korean operatives who used a mix of phishing campaigns, social engineering, and sophisticated malware to infiltrate Coincheck’s network.

    Hyok’s expertise in developing malicious software and crafting deceptive digital identities was believed to have played a crucial role, allowing the attackers to gain access to private keys controlling massive amounts of NEM tokens.

    As their tactics became more refined, Lazarus shifted to targeting blockchain networks directly.

    The 2022 Ronin (RON) Network breach, one of the most damaging in crypto history, saw $600 million drained from Axie Infinity’s (AXS) sidechain through a meticulously planned social engineering attack. 

    The hackers exploited a weakness in Ronin’s validator system, using compromised private keys to authorize fraudulent transactions — an attack that required deep technical knowledge, patience, and precision, all hallmarks of Park’s expertise.

    U.S. authorities later confirmed that the stolen funds were laundered through various decentralized protocols before being funneled into North Korea’s financial system.

    The trend continued in 2023 and 2024, with Lazarus striking again. 

    In July 2024, WazirX, one of India’s largest exchanges, suffered a $234 million loss in yet another case of multi-layered deception. 

    The attackers exploited vulnerabilities in the exchange’s API permissions, gaining unauthorized access to transfer funds while bypassing internal security triggers.

    Blockchain forensic teams traced the stolen assets through a labyrinth of mixing services, with digital breadcrumbs once again leading back to North Korea.

    And now, the Bybit hack has revived the same pattern — this time on an even grander scale.

    The world is losing the cyber war — And Hyok knows it

    Lazarus Group’s cyber warfare has evolved into a well-orchestrated playbook that blends deception, infiltration, and precision laundering. 

    Their ability to weaponize human psychology has been one of their most formidable advantages, allowing them to bypass even the most sophisticated security measures. And as recent data shows, they are only getting more efficient at their craft.

    According to Chainalysis, North Korea-affiliated hackers stole $660.50 million across 20 incidents in 2023. 

    In 2024, this number skyrocketed to $1.34 billion stolen across 47 incidents, an increase of over 102%. These figures account for 61% of all crypto stolen that year, and Lazarus Group was responsible for nearly all large-scale exploits above $100 million.

    Now, in just two months of 2025, they have already surpassed their 2024 total, with the Bybit hack alone siphoning $1.5 billion.

    The group’s operations begin long before a breach occurs. Over the past few years, North Korean IT workers have systematically embedded themselves in crypto and web3 companies, using fake identities, third-party recruiters, and remote job opportunities to gain insider access. 

    The U.S. Department of Justice in 2024 indicted 14 North Korean nationals who had secured employment at U.S. firms, stealing over $88 million by misappropriating proprietary information and exploiting their positions. 

    These operatives act as silent insiders, providing Lazarus with intelligence on exchange security protocols, wallet structures, and internal transaction flows.

    Once embedded, Lazarus executes its attacks through social engineering, phishing, and technical exploits. Employees are targeted with meticulously crafted emails impersonating trusted entities to extract sensitive login credentials.

    The Bybit hack followed a similar pattern, where attackers deceived the exchange’s multi-signature signers into authorizing malicious transactions by disguising them as routine approvals.

    Once the funds are stolen, they are quickly moved through a network of decentralized exchanges, privacy wallets like Tornado Cash (TORN), and cross-chain bridges. 

    These transactions rapidly shuffle assets across different blockchains, making it difficult for investigators to trace them back to their original source. 

    Typically, stolen crypto is converted multiple times between Bitcoin (BTC), Ethereum, and stablecoins before eventually reaching wallets controlled by North Korean operatives. 

    Some of these assets are funneled through seemingly legitimate crypto trading firms, further obfuscating their origins and allowing the regime to convert digital assets into hard currency — a crucial workaround for international sanctions.

    And through it all, Park Jin Hyok stands at the center of nearly every major Lazarus operation. Whether he is the architect of these heists or just one of the group's most skilled operatives, his fingerprints are everywhere.

    With the Bybit attack rewriting the playbook yet again, the real question isn’t just how they pulled it off — but how much longer the world can keep up before the next billion vanishes into the digital void.




