
The biggest heist yet - $1.5 billion disappears in minutes
Geoff White
Hi, I'm Geoff White, one of the hosts of The Lazarus Heist. There's a new season of World of Secrets coming soon, but before that, we thought you'd like to hear this story. Special episode. It's about how hackers pull off the biggest heist in the history of crypto. $1.5 billion disappears in minutes, and investigators say the North Korean Lazarus Group are behind it. You can listen to the whole episode right here. And if you want to hear more, search for The Lazarus Heist wherever you get your BBC podcasts.
Jean Lee
Friday night in Singapore, February 2025. The time? It's around 10:30, and the CEO of a big digital finance company is working late. He's got one last job ahead of the weekend, moving money from one account to another. Pretty routine stuff.
Geoff White
Routine, but still needs concentration. The money in question is in cryptocurrency and stored in a kind of digital vault. For safety, it's usually kept offline, disconnected from the Internet. To use it, the CEO needs to bring it online, unlock it, and move money into a more accessible vault, one that's open for business on the Internet. Think of it like moving money from a bank's underground vault up to the teller's desk.
Jean Lee
In this case, the CEO wants to move 30,000 Ethereum, one of the major cryptocurrencies, like Bitcoin.
Geoff White
30,000 Ethereum is a lot. The cash equivalent is more than US$100 million. Multiple people need to sign off on the transfer before the exchange can go ahead.
Jean Lee
The CEO and his team individually make their checks. 30,000 Ethereum from offline vault A into online vault B. Yep, looks good.
Geoff White
They click the buttons to make it happen. Done. Then the CEO moves on. It's Friday night, after all. Things to do, people to meet.
Jean Lee
But half an hour later, the CEO's phone rings. It's his chief financial officer, his CFO. Now, this is not a good sign. The CFO normally just sends a text.
Geoff White
It's something very bad, the CFO tells him.
Ben Zhou
Sound check, technical check. Are we live? We are good. Okay, great.
Geoff White
90 minutes later, the CEO is online, broadcasting live.
Ben Zhou
Hello, everyone. This is Ben from Bybit. I'm the CEO and co-founder of Bybit.
Jean Lee
And he's doing what no CEO wants to do.
Ben Zhou
This is a very difficult time. Well, about two hours ago, Bybit experienced a hack.
Geoff White
Bybit is a cryptocurrency exchange, a place to trade digital currencies. You can swap your pounds or dollars for Bitcoin or Ethereum and a host of other coins and vice versa, and...
Jean Lee
...a lot of people use it. Bybit says it has 70 million users trading more than $36 billion a day.
Geoff White
CEO Ben Zhou is up in the middle of the night to tell clients that a chunk of that money is gone. Disappeared.
Ben Zhou
So the maximum damage that we have witnessed currently so far is the total amount of around 401,000 Ethereum.
Jean Lee
Now, that's way more than the 30,000 Ethereum he thought he was transferring. It's 401,000. The entire contents of the vault.
Geoff White
401,000 Ethereum is worth an absolute fortune, almost one and a half billion dollars.
Jean Lee
It's as if the thieves have backed up a fleet of trucks and emptied a bank vault.
Warren Mercer
It was. It was quite shocking.
Geoff White
On the other side of the world, Warren Mercer is watching it all unfold in real time. He runs a crypto security firm called Heiden and used to do security for the New York Stock Exchange. It's his business to be alert to big movements in the crypto market.
Jean Lee
Every time Ethereum moves, it leaves a permanent trail, like a receipt. And all those receipts are stored in a giant public notebook called the Blockchain. Anyone can open it. Anyone can watch.
Geoff White
That's exactly what Warren was doing from his computer in Northern Ireland. He was watching the blockchain like a live scoreboard. Even before Ben Zhou started his live stream, Warren saw that a huge sum had moved out of Bybit's secure vault.
Warren Mercer
The reaction was, oh, Bybit are moving funds.
Geoff White
Bybit's always moving money around. It's their core business, after all.
Warren Mercer
So it seemingly was. Oh, that's fine, that's okay.
Jean Lee
But when Ben Zhou comes out and says the crypto was stolen, Warren is dumbfounded.
Warren Mercer
When you see a number like $1.5 billion, it's. I mean, it's a GDP of some nation states in reality. So it's a. It's a significant amount of money.
Geoff White
And it's gone from Bybit's Vault. It took 2 minutes, 26 seconds. That's nearly $10 million a second. Almost certainly the fastest heist of all time.
Warren Mercer
So once we saw that, it was a case of, wow, this is a bit crazy. What happened?
Geoff White
This is what Ben Zhou at Bybit is also trying to figure out.
Ben Zhou
So maybe I can go back to the story. What exactly happened? At least from the latest update that I have gotten.
Jean Lee
Two hours after the hack, Ben has two theories.
Ben Zhou
The hacker have managed to either somehow hack the UI of all of the signers' computer.
Geoff White
Theory one, hackers have got into Bybit's computers and manipulated them. Old school hacking.
Ben Zhou
Or it could be, I'm just saying all the possibilities. I'm not accusing anything. It could be that the Safe server was hacked, so it was sending this, but we don't know.
Geoff White
Theory two, hackers got into the computers of the company behind Bybit's digital vault.
Jean Lee
At this point, in the early hours of the morning in Singapore, all they know for sure is that they've just been hit not by a bug or glitch, but by brazen thieves.
Ben Zhou
As far as we know, this could be the largest hack in the history of our industry.
Jean Lee
Not just the biggest hack in the history of crypto, but possibly the biggest heist of any kind in history. Bigger than any bank job or art grab the world has ever seen.
Geoff White
And that's just the beginning.
Jean Lee
From the BBC World Service, this is The Lazarus Heist. Hi, I'm Jean Lee.
Geoff White
And I'm Geoff White. Our story is about more than money. It's about where it goes, what it buys, and who's fighting in the shadows.
Jean Lee
Welcome to this special episode, the biggest heist yet.
Geoff White
Earlier this year, just days before the heist, a man's phone lights up with a message.
Jean Lee
Finally. He's been waiting for this a long time.
Geoff White
Go to this address, it says, with a link to a map.
Jean Lee
The place is a bit out of town. It's February. It's snowing. He packs some food into a bag and gets into a taxi.
Geoff White
He shows the driver the address. The driver stares at it a while in silence, then turns to give the man a look.
Jean Lee
Why do you want to go there? He asks.
Geoff White
I have an appointment, the man says.
Jean Lee
The driver looks at him a bit longer, then looks back at the address and then back at the man, mulling what to do. Finally, he turns around and puts the car into gear.
Geoff White
They drive 40 minutes through the snow. When they reach the address, the driver...
Jean Lee
...doesn't want to get too close. He stops at a parking lot and the man gets out. The driver speeds off, leaving a cloud of exhaust fumes hanging in the cold air.
Geoff White
The man stands for a moment to take in the scene. On the other side of the car park, he sees a large black metal gate between two imposing buildings.
Jean Lee
He starts walking toward the gate. It takes about 10 minutes, trudging through the snow. Most of the vehicles he passes are military or have government plates. He finally arrives and approaches the guard hut.
Geoff White
I'm here for a visit, he tells the guard.
Jean Lee
The guard makes a phone call and then passes him some papers to fill in. And eventually, after a thorough search, he's allowed in.
Chul Wan Jung
As I was going in, I got a feeling that it wasn't really like a building. It felt more like a dungeon. It was extremely dark. The walls were made of old black bricks. Well, black stones. I started to wonder whether what I was getting pulled into was someplace really bizarre.
Geoff White
It's late afternoon, and outside the sun's setting. The man is led by guards deeper into this dungeon, passing through several long corridors and thick steel doors.
Jean Lee
Finally, they stop in front of an old wooden door and he's told he's reached his destination.
Chul Wan Jung
You could say that I was a little scared. You can't help but be scared.
Jean Lee
This is a high security prison outside Kyiv, where Ukraine holds prisoners of war. The visitor has come to meet one particular high profile inmate. After weeks of negotiation with the Ukrainian...
Geoff White
...government, he knows on the other side of that wooden door is someone the whole world has been waiting to hear from. A North Korean soldier captured on the battlefield fighting Russia's war on Ukraine.
Jean Lee
Fighting a war in a foreign land. A sign of a more assertive and more ambitious North Korea.
Geoff White
The man outside the thick wooden door is Chul Wan Jung. He's a veteran correspondent for one of South Korea's major newspapers, the Chosun Ilbo. On the other side of the door is the North Korean soldier.
Jean Lee
This is a very unusual meeting for sure. One that's not normally sanctioned, you know, for years it was illegal for South Koreans to contact North Koreans without the permission of their government.
Geoff White
Chul Wan has received this permission. Even so, he can't help but feel a bit nervous. And when the door swings open, he finds the man on the other side pretty relaxed.
Chul Wan Jung
He was lying down, resting. There was music coming from a small TV. And you know, he wasn't all that surprised when I walked in.
Jean Lee
Chul Wan is trying to absorb every detail of this encounter. So when he greets the man, he doesn't bow as Koreans normally would. Instead, he extends his arm for a handshake. He wants to feel the prisoner's hands.
Chul Wan Jung
I couldn't believe how calloused they were. They really looked like the hands of someone who'd worked on a construction site for decades. I was thinking, could this really be the hand of a 26 year old?
Geoff White
The prisoner gives his name as Ri. His right arm is bandaged, and there's a scar on his chin. The two men begin to talk.
Chul Wan Jung
None of the guards could understand Korean, so they just let us know how much time we had and left us to it. There were no restrictions at all.
Jean Lee
It's just the two of them in the cell. Ri reaches for the remote control and turns down the music.
Geoff White
Chul Wan reaches for the food he packed earlier in the day.
Chul Wan Jung
I bought kelp ramen noodles and brought them with me. But you know how North Koreans like choco pie. I brought some choco pie with me as well.
Jean Lee
Chul Wan knows food is scarce in North Korea, and like many South Koreans, he's pretty sure they have a thing for choco pies as well.
Geoff White
All this food is meant to break the ice. But Ri says he's been eating well in prison, and in fact, he wants something else.
Chul Wan Jung
As soon as I walked in and started talking to him, he wanted to know if I had any cigarettes. I felt so bad about not bringing any. I still feel bad about it.
Jean Lee
I could have told him that North Koreans smoke a lot.
Geoff White
Chul Wan is struggling a bit now to connect with Ri. He tells him that he's a South Korean journalist, but says Ri is confused.
Chul Wan Jung
A journalist? He was really surprised. Why would a journalist come all this way to speak to me?
Jean Lee
Chul Wan explains that he knows Ri has traveled a long way from home and has experienced the horrors of war. And as a fellow Korean, Chul Wan says he wants to understand what Ri has been through.
Geoff White
And so the ice begins to melt. Chul Wan feels confident enough to ask Ri if he's willing to be recorded. Ri says yes.
Jean Lee
This is their conversation. And I can tell right away that even though it's hard to understand him, there's no doubt that Ri is from North Korea. His accent is very North Korean. And Ri tells Chul Wan how he grew up as an only child, always hungry in the North Korean capital, Pyongyang. And he says he hasn't seen his parents since he joined the military 10 years ago. And how after all that time, he's still a private, the lowest rank.
Geoff White
But the questions don't just go one way. Ri also pumps Chul Wan for information.
Chul Wan Jung
Once he realized I knew about the outside world, he started asking a lot of questions. For example, how is the situation in Kursk now?
Jean Lee
Kursk, the Russian region where Ri was captured and where many North Koreans have fought and died over the past year. Fighting Ukraine on behalf of Russia.
Geoff White
The battle has been shrouded in mystery. For months, Vladimir Putin and Kim Jong Un denied North Korean soldiers were even there. Now Ri's about to break that silence.
Jean Lee
But while the world was just beginning to grasp what North Korea's conventional army was doing on the battlefield thousands of...
Geoff White
...miles from home, its cyber army was also deep in enemy territory.
Jean Lee
As governments, generals, and spies scrambled to understand why North Korea had joined Russia's war, another covert operation was underway to try to figure out what else North Korea was up to.
Geoff White
Behind closed doors, investigators in the US are trying to track Pyongyang's hackers, who they allege are behind a string of recent heists. And the hackers are moving fast. In May 2024, the Lazarus Group was accused of being behind a hit on a Japanese currency exchange, stealing crypto worth more than $300 million. Soon after, they hit an Indian exchange, taking another 235 million. That's half a billion dollars in just two months.
Jean Lee
At the time, Chris Wong was an FBI agent dedicated to tracking North Korean hackers. He spent years, years analyzing their tactics and unpicking their attacks, something that has not gone unnoticed among his colleagues.
Chris Wong
I was chatting with somebody when I was still in the FBI, and they were like, well, what are you looking at today? And explained a theft that had occurred that was perpetrated by North Korea. And he's like, oh, so you're looking at a theft that occurred last month that is worth more than all of the actual bank robberies that occur in the United States in a year. And I was like, yeah, yeah, it sounds about right.
Jean Lee
When news of the Bybit theft broke, Chris knew he needed to get on top of it. And the first big question, who done it?
Geoff White
There was naturally a lot of speculation that it was the Lazarus Group. But Chris Wong and the FBI need hard evidence. So Chris and his colleagues begin to follow the money.
Jean Lee
Remember, all Ethereum transactions are visible on the blockchain. You can see it move from account to account in real time.
Geoff White
Chris, with a decade of experience in the FBI tracking North Korean hackers, is looking for familiar patterns. Long time listeners will know about the ingenious ways the Lazarus Group has gone about laundering stolen crypto. But FBI investigators like Chris Wong know this game intimately.
Chris Wong
As I first started watching the Bybit laundering occurring, I was hoping it might be like other thefts that have occurred where assets might move out and then they're parked for a period of time. It could be, could be weeks, could be months.
Jean Lee
The Lazarus Group's tried and tested strategy was to steal crypto, sit on it for a while, and then methodically run it through a complicated money laundering system where they mix up stolen crypto with legit funds, trying to hide it before cashing out into hard currency.
Chris Wong
But that definitely wasn't the case with the Bybit funds. And so what I saw on the blockchain there was that after an initial dispersion into a number of different addresses in rapid fashion, constantly 24, 7, there's no breaks, which is pretty tough to keep up with.
Geoff White
So previously you would have had maybe in a few weeks from what you described, maybe a few months to look at the trails, to monitor where it's going to kind of get a handle on it. But with this, I mean, you're talking about every second that you are watching it, money's starting to move around.
Chris Wong
If you're breaking $1.5 billion up into $50,000 chunks of cryptocurrency, that's 30,000 transactions. You guys are going to have to correct my math, but that's like almost 90 transactions in an hour.
Jean Lee
90 transactions an hour, that's more than one a minute.
Geoff White
This is like a high speed car chase. Cops chasing robbers. Those trucks that hauled away Bybit's one and a half billion dollars, they're now splitting off, all the while siphoning off the stolen cash into thousands of smaller trucks, which in turn are scattering in every direction.
Chris Wong
So the scale of that in China, trying to apply people to be able to trace those funds in real time is challenging in the extreme. If you're tracing any assets that are moving like this, any break that you take, you're behind.
Jean Lee
And Chris Wong knows, fall behind and it's over. There's no hope of catching the criminals.
Geoff White
So they kept at it. And after five days and nights, the FBI was able to identify who they believe was behind it.
Jean Lee
Even the most cautious criminals leave clues. The FBI followed the trail to 51 Ethereum addresses, each a digital fingerprint left behind by the thieves.
Geoff White
And those fingerprints all pointed in one direction.
Jean Lee
North Korea.
Geoff White
The FBI made it official, declaring Kim Jong Un's regime was behind the attack.
Jean Lee
The Lazarus Group strikes again.
Geoff White
No guns, no borders. How are they doing this?
Jean Lee
This is not just a one and a half billion dollar question for Bybit. It is a multi-trillion dollar question for the entire cryptocurrency world.
Geoff White
Because if hackers can steal one and a half billion from Bybit, how much can they get from everyone else? Is anyone's money safe?
Geoff White
On the same day the FBI blames the Bybit theft on North Korea, Bybit declares war on the Lazarus Group.
Jean Lee
Not willing to leave it all to law enforcement, Bybit's CEO Ben Zhou calls on members of the crypto community to become bounty hunters. He makes an offer. Anyone that shares information that helps trace and freeze the stolen crypto can take a 5% cut of whatever is recovered.
Geoff White
That could be a sizable chunk of change. The challenge is announced on social media. We will not stop until Lazarus is eliminated. So wrote ending in all caps. Let the hunting season begin.
Jean Lee
That sounds like some dramatic movie trailer, but this is real life, and it reveals something deeper. Bybit is desperate, desperate to get its money back and desperate to prove to customers that it can protect their funds. But tracking and freezing this money is incredibly hard.
Geoff White
Here's how to picture the problem. The Lazarus Group has stolen almost one and a half billion dollars worth of cryptocurrency. Imagine this crypto as a giant bag of red marbles. The Lazarus Group starts trading these stolen red marbles for other red marbles. Immediately, it's harder to know if any red marble is stolen or not. Then it starts trading these red marbles for marbles of other colors. Black, white, blue, green, yellow, purple, pink, orange. These marbles held by the Lazarus Group are now even harder to track which colours are theirs. Now then, the real trick. They take a hammer and smash all their marbles into pulverized dust and then blow it all over the Internet.
Nick Carlson
That's a great analogy. Yeah, I was thinking exactly that. Pulverized dust, that's what you've taken from big marbles or big rocks. That's 100%.
Jean Lee
Nick Carlson has spent his career tracking North Korea, first for the U.S. Army, where he learned Korean and was deployed to one of the most heavily militarized regions in the world, the Korean DMZ that separates North from South.
Geoff White
Then he spent 12 years as an intelligence analyst with the FBI, specifically tracking North Korea's efforts to avoid sanctions. Now he does the same kind of work for a cyber security company, TRM Labs.
Nick Carlson
I did not get into crypto because I like crypto. I got into crypto because North Korea was stealing crypto.
Geoff White
Extending that red marble analogy, Nick says a bounty hunter or investigator could still track each particle of pulverized dust by following the thread left by its digital signature.
Nick Carlson
There's nothing particularly challenging about following any one of these threads. I'm not saying anybody could sit down and do it, but with a little bit of training, I think most people could. But the challenge is the scale. There's just so much of this, there's so many threads to follow that it becomes unmanageable.
Jean Lee
This is not to say the hackers are home free. They have their own problem. Yes, they've turned their giant bag of red marbles into drifts of multicolored dust, but that dust is still fragments of crypto coins.
Nick Carlson
They're not out there just trading coins because they want to. They're doing this to raise real money for the regime to go buy stuff, you know, fuel oil, components for weapons program, whatever.
Geoff White
And you can't really buy that with cryptocurrency, huh?
Nick Carlson
Right, exactly. Not yet, but so they need somebody to give them real money, something like dollars or Chinese yuan or whatever, that they can go then to buy these real things. And so they need to go and sell this money to brokers and all the intermediate process, the laundering, that's just a smokescreen, right? To give them plausible deniability at the very end of this process, to sell these stolen assets to a broker.
Jean Lee
The broker is a key person, often overlooked in this equation. This is a person who solves a specific problem for big criminal operations.
Geoff White
A group of cyber criminals, such as the Lazarus Group, has a bunch of crypto marble dust to sell, but they want dollars, pounds, cash.
Jean Lee
A drug cartel, for example, has the opposite problem. Drug users usually pay cash. And as that money flows up the chain, those at the top can struggle with what to do with it all.
Geoff White
What's a drug lord to do?
Jean Lee
Well, in the case of Colombian drug lord Pablo Escobar, he just stuffed it in the walls of his home. $18 million was found stashed in the walls of one of his houses.
Geoff White
Another drug bust in Mexico once turned up to $200 million stuffed in the walls of a Mexico City mansion.
Jean Lee
Enter the broker, someone who can solve the problems of both parties.
Geoff White
The solution? Swap the cash for crypto. The drug lord's dollars are no longer holed up in a wall at risk of mice or mold or pesky police. They're safely stashed in digital vaults.
Jean Lee
And the crypto thieves now have dollars that they can use to buy things in the real world.
Geoff White
The broker takes a cut and everyone's happy.
Jean Lee
Nick says cryptocurrencies have created an entirely new dynamic for the criminal class.
Nick Carlson
They've totally revolutionized the money laundering world. There is this enormous infrastructure that exists now because of the ravenous demand for the service of converting dirty cryptocurrency into real world currency, and the reverse vice versa.
Geoff White
So Nick, as an investigator, there's a sort of frustrating bit of this where you can trace it through the system, through the crypto system, but at a certain point, if they sell it to somebody for just cash, then it's just cash in a bag somewhere in a suitcase. You lose your ability at that point, right?
Nick Carlson
Yeah. No, it is frustrating, I'll be honest.
Geoff White
The Lazarus Group steals the crypto. Brokers turn it into cash.
Jean Lee
But where it goes next matters most. Because this isn't just about getting rich. It's about the power and ambition of one man.
Steve Biegan
We are in a pretty sizable motorcade with limos and police cars and escorts and everything.
Geoff White
Pyongyang, October 2018. Steve Biegan is President Donald Trump's special representative for North Korea.
Steve Biegan
We were making a run racket. We are a big motorcade. This is not everyday stuff.
Jean Lee
Steve and a diplomatic entourage are rolling from Pyongyang Sunan airport to an exclusive guest house.
Geoff White
Steve's traveled in motorcades around the world. But when he looks out of the window in North Korea's capital, there's something odd.
Steve Biegan
We would see people walking down the sidewalks, but none of them looked over.
Jean Lee
Even though they're the only cars on the road, they didn't even look.
Steve Biegan
A guy on a sidewalk 20ft away from all this hoopla, and it doesn't even look up.
Jean Lee
So what do you make of that? How did you understand the North Korean people, based on observations like that?
Steve Biegan
You can only conclude one thing. There's nothing good that comes from being curious in that system. You look over and someone might see you looking over there. Just keep your head down, move along, nothing to be seen. That's how you survive in that system.
Geoff White
They pull up at the guest house, the doors open and Steve walks up the steps and into a grand hall.
Jean Lee
There, facing him is the leader of North Korea, Kim Jong un.
Steve Biegan
And I went up and shook his hand and interpreter was there with me and he welcomed me to North Korea and asked me if it was my first time. I said, yeah.
Geoff White
There's a bit of chit chat, but this is not a social visit. This is ultimately about trying to avoid war.
Jean Lee
Kim Jong Un wants relief from crippling U.S.-led sanctions that are strangling North Korea's economy. The United States wants an end to North Korea's nuclear program.
Geoff White
The two sides move immediately into a conference room. There's a big table in the middle.
Jean Lee
Kim Jong Un and his team sit on one side. Steve and his fellow American diplomats sit on the other. It's the beginning of a day of meetings.
Steve Biegan
Chairman Kim Jong Un, he struck me as certainly used to being in charge, that's for sure. You could sense him bristle a little bit when there was a point of, if not disagreement, maybe just differing approaches to an issue. During our discussions, you could feel the heat rise pretty quickly.
Geoff White
This is the first of three meetings Steve would have with Kim Jong Un over the course of the coming eight months and an intense period of close quarters diplomacy between the US and North Korea. In that time, Steve got to know the North Korean leader better than most outside the secretive state.
Jean Lee
What do you think Kim Jong Un wants at the end of the day? I know this is the question you always get, and it's the hardest question to answer. But after all of this, all that you've been through with this diplomacy and even through what we're seeing right now, what would you say it is that he wants?
Steve Biegan
In one sense, what he wants is everything. He wants all of the above. He wants to sustain his dynastic regime. He wants to maintain complete control over the country and its population, and he wants to retain his nuclear weapons. He wants it all. He wants to keep the weapons, he wants to get rid of the sanctions. But I say that in one sense that's what he wants, because in another sense, Jean, I think this was the central challenge we had. Diplomacy is he doesn't know really what he wants because if he really knew what he wanted, he'd have to make some choices.
Jean Lee
This strikes me as a really important insight.
Steve Biegan
The reason why I say I'm not sure Kim Jong Un knows exactly what he wants is because I think he kind of intuitively understands that a choice to open up to tourism, trade, to investment, to student exchanges, et cetera, et cetera, in essence is a destruction of the system. If you had all this, it was irreconcilable with a brutal totalitarian dictatorship.
Geoff White
Kim Jong Un may not know what he wants, but he knows what he cash.
Jean Lee
That's why the record breaking Bybit theft matters so, so much. It helps Kim avoid making tough choices between opening up his country to allow its economy to flourish and his desire to acquire nuclear weapons.
Steve Biegan
This one recent theft of $1.5 billion, that's 5% of their GDP.
Jean Lee
Five percent of North Korea's estimated entire annual economic output made in minutes in a single heist. If the Lazarus Group can keep hitting the jackpot, Kim can have it all.
Steve Biegan
In one fell swoop. A $1.5 billion cyber heist wipes out a year's worth of effort to put pressure on the North Korean economy.
Geoff White
5% of GDP and setting the effects of international sanctions back a year.
Jean Lee
Incredible estimates for sure, but the scale is incredible. The Lazarus Group is now a major player in North Korea's economy.
Geoff White
But how exactly did North Korea manage to steal so much from Bybit?
Jean Lee
Let's go back to that Friday night in Singapore.
Geoff White
Bybit's CEO and his team think they're moving 30,000 Ethereum from their offline vault to their online one. Instead, the Lazarus Group walk away with 401,000 Ethereum.
Warren Mercer
Yeah, this is where it gets really interesting.
Jean Lee
Warren Mercer again, the veteran Lazarus Group hunter and owner of Hidan Security.
Geoff White
Warren dissects every big heist, reading the blockchain and the malicious code to learn...
Jean Lee
...what he can. Remember, in the hours after the heist, Bybit had two theories about what went wrong.
Geoff White
Theory one, someone hacked Bybit's computers.
Jean Lee
Theory two, someone hacked the computers of those who made the digital vault that holds the money.
Warren Mercer
At the time, there was no postmortem, so no one knew exactly what had happened. The reality was Bybit had been compromised. $1.5 billion was stolen from. $1.5 billion was now transacting through the blockchain.
Geoff White
Warren's gut told him the problem was indeed at Bybit.
Warren Mercer
When it happened, the immediate reaction was something was happening at Bybit that then turned out to not be the case.
Jean Lee
That's why good investigators don't just go with their gut. They follow the facts. And they've traced the origins of the hack back a few weeks. Just before the late night, he.
Geoff White
On February, four North Korean hackers begin an attack on another company called Safewallet. They're a big deal in digital wallets, electronic vaults for electronic valuables.
Jean Lee
But Safewallet is not the main Target. It's just a stepping stone. And the hackers have an eye on a single software developer, one of very few who has deep access to the company's systems.
Geoff White
The hackers have registered a website, a share price platform, handy given SafeWallet's line of work. It appears legitimate. So they entice the SafeWallet developer to click on it and download what looks like a share trading app onto their work computer. Big mistake.
Jean Lee
Hidden inside is the hacker's virus. Malicious code rushes into the developer's computer.
Geoff White
The hackers are in, and they can see everything the developer is doing on that machine.
Warren Mercer
So the hacker was then able to gain an AWS user session token.
Geoff White
What on earth is that?
Warren Mercer
Think of that as a key card to Safe's server room. So think of that as a privileged access to all of Safe's equipment. You now have the keys to the kingdom.
Jean Lee
And that kingdom includes the computer code that controls Bybit's offline vault, which, as we now know, contains the crypto equivalent of nearly one and a half billion dollars.
Warren Mercer
What the attacker then did next was deploy a malicious JavaScript file. So think of this as a web page that you see, but with some hidden instructions in it.
Geoff White
This is the technical bit. When they want to open Bybit's offline vault to make a transfer, the CEO and his team each must confirm the details of the transaction on their screens.
Jean Lee
The amount? 30,000 Ethereum. The destination? One of Bybit's online vaults.
Geoff White
The system's designed to be as secure as possible. Multiple staff have to agree to the transfer. It's like making a withdrawal from a joint bank account. Each one of them sees the same thing on their screen. So they all agree to the transaction. They all click OK and the money moves.
Jean Lee
But what if what they see on the screen isn't real? That's the trick the hackers have pulled off.
Warren Mercer
So everything that's displayed on screen looks correct, everything you see is real and looks good, but the underlying transaction is completely not.
Geoff White
So when Bybit's employees call up the software, they're entering in the details, saying, I want to move this amount of money from here to here. In the background, the hackers can just change that.
Steve Biegan
Yep.
Warren Mercer
Fundamentally, that. That is exactly it. That is the simplest way to look at it.
Geoff White
Like a magic trick behind the scenes.
Warren Mercer
Literally. Yeah. It's the. The art of deception.
Jean Lee
The Lazarus Group didn't just break into the vault. They were rewriting reality. What Bybit's executives saw on their screen was a lie.
Geoff White
It is fiendishly clever. The Lazarus Group had hacked the very vault holding Bybit's money and tricked Bybit's executives into transferring that money directly into a North Korean wallet. It's a near perfect digital crime.
Jean Lee
Safewallet says the Bybit heist highlights the increasing sophistication of hackers and that the company is committed to establishing a new standard for security.
Geoff White
Almost six months on from the theft, only 5% has been frozen. Most of the money, Bybit admits, has gone dark. In other words, it's truly gone untraceable. Now we should say for all the allegations of billion dollar thefts, the North Korean government has never admitted to being responsible for any illegal hacking and has strenuously denied allegations that it runs a state sponsored hacking program. The whole claim is a farce, North Korea's ambassador to London once told us.
Jean Lee
But this is more than a heist. It's also a sign that North Korea's abilities are catching up with its ambitions.
Geoff White
Back in 2016, the Lazarus Group had similarly lofty ambitions. Their target was to steal a billion dollars from the Bank of Bangladesh. In the end, they managed less than 10% of that.
Jean Lee
And nearly a decade later, they've not only hit their billion dollar target for the first time, they've blown it away.
Geoff White
So the Bybit heist signals just how much the Lazarus Group has learned over the last decade and what it's capable of.
Jean Lee
And that's what makes the next part of the story so unsettling. Because if its cyber army can evolve like this, what about its conventional Army? In early 2025, while North Korea's cyber warriors are winning, its troops fighting in the Kursk region of Russia are not.
Geoff White
Rhee, the North Korean POW, is lying on his bunk in a Ukrainian prison with a blanket over him, telling South Korean journalist Chul Wan Jung his experience of North Korean cooperation with Russia.
Jean Lee
So here Rhee is explaining that as lower-ranking soldiers, they had very little opportunity to interact with Russian soldiers. Everything was handled by their superiors, the ammunition, the supplies, the clothing. In fact, meeting Russian soldiers is Ri's first real interaction with foreigners of any kind. And on the brief occasions that he had to communicate with the Russians, he says he had to resort to a translation app on his phone.
Geoff White
Chulwan, already alive to every detail, is now even more interested. This is what he's come to Kyiv to hear about.
Chul Wan Jung
Most of all, I was curious about the battlefield experience because before that there were many reports about how the North Korean military is fighting in Kursk, and a lot said it is actually being used as cannon fodder.
Jean Lee
Rhee tells Chulwan he was deployed to Russia with about two and a half thousand other men. He says they took a train, then a plane, and then finally a bus. And he was told it was a training exercise.
Geoff White
But early on the morning of January 5, 2025, Ri is ordered to join the Russian battle to drive out Ukrainian troops which had taken control of Russian territory.
Chul Wan Jung
Ri was clearly shaken by the battlefield experience. Every time he spoke about it, you could feel that every scene, every sound, even every smell was deeply embedded in his mind. And you could feel that he was experiencing this pain again by recalling those memories with me.
Jean Lee
The first wave of North Korean troops charge head on into the Ukrainian line and suffer heavy losses from drones and artillery fire. Ri and two other soldiers try a different approach, go around the Ukrainians and attack from the rear.
Geoff White
Then a drone spots them too. Suddenly, artillery fire rains down, and Ri says his two comrades are killed.
Jean Lee
Now Ri is alone, scrambling for cover. He fires at the drone, but misses. And the next thing he knows, a bullet rips through his arm and then shatters his jaw. He remembers losing so much blood and then passing out.
Geoff White
Ri wakes hours later. It's dark. He's dizzy and weak. He tries to retrace his steps and runs into some soldiers. Thankfully for him, they're North Koreans.
Jean Lee
They bandage him up and settle into what they think is a safe spot.
Geoff White
But then there's that sound of a drone again. Ukrainian troops have found them. Rhee and the other North Koreans run, and again, Ri says a drone strike kills the men around him.
Jean Lee
Ri somehow survives, but his arms are so badly wounded he can't use them. And he has no weapons.
Geoff White
So when a Ukrainian unit closes in on him, he has no way to resist.
Jean Lee
Rhee is just one of an estimated 11,000 North Korean soldiers sent to fight in Russia, part of a comprehensive strategic partnership signed between the two countries a year ago.
Geoff White
And that partnership goes far beyond manpower. One estimate from April found that North Korea has shipped nearly 6 million shells and rockets to Russia.
Jean Lee
Just staggering. But by January of this year, Western officials tell the BBC that the North Korean forces are suffering horrific casualties.
Geoff White
They say around 1,000 men have died in the fighting, and a further 3,000 are thought to be wounded, missing or captured. If that's accurate, it means the North Korean contingent sent to fight for Russia has suffered casualties of almost 40%.
Jean Lee
It's a shocking and unsustainable rate.
Geoff White
Chul Wan Jung is much more relaxed on his trip home from Ukraine's high security prison than he was on the way there hours earlier.
Jean Lee
His interview with Rhee is a huge scoop. He's already thinking about how to write it up, and he's thinking about what it means for the entire Korean peninsula.
Geoff White
Some of what he's heard gives him hope.
Chul Wan Jung
It's a fact, of course, that North Korea and South Korea are diametrically opposed from a political and military standpoint. But when we meet one on one, we can communicate. And though there has been a 70 year division, we share cultural traditions.
Jean Lee
That human connection between two Koreans on opposite sides of the border is powerful. Perhaps conflict is not inevitable.
Geoff White
But not everything Chulwan heard is so reassuring. We told him that members of North Korea's security services were embedded with the troops in Russia not to fight, but to maintain ideological.
Chul Wan Jung
The North Korean secret police are constantly feeding them ideology. They say things like the drones you'll encounter here on the battlefield are not from Ukraine, they're sent by the South Korean military.
Jean Lee
Ukraine has actually been making its own drones since the earliest days of the war. South Korea, on the other hand, has been deeply cautious about sending any military aid to Ukraine.
Geoff White
But Rhee saw his comrades killed by drones, and if he and others believe South Korea was behind it, that fear and hatred could deepen.
Jean Lee
And there's something else that worries Chulwan, something military planners across the region are watching.
Geoff White
In Russia and Ukraine, North Korea's army is gaining real battlefield experience. It's learning, particularly in one area.
Chul Wan Jung
There are certainly many people in South Korea who are very concerned about the experience and know-how that the North Koreans are gaining with drones in Kursk.
Jean Lee
Drones are now central to modern warfare. They are the Kalashnikovs of the sky, cheap, accessible and devastating. Knowing how to use and counter them is crucial for any army.
Geoff White
North Korea's forces have been learning some deadly battlefield lessons in Russia, and that might not be all.
Jean Lee
In return for its troops and shells, the fear is that North Korea may be getting knowledge from Russia and not just battlefield tactics, but nuclear know-how.
Geoff White
As we've covered on this podcast, North Korea already has missiles and it has nuclear warheads.
Jean Lee
Putting the two together, making them work as one, is Kim Jong Un's holy grail, to which Russia, a long standing nuclear power, may have the key. If North Korea is swapping its troops and missiles for Moscow's nuclear knowledge now, that is a devastatingly dangerous development. That's according to diplomat Steve Biegun.
Steve Biegan
That's the number one issue that any of us should be concerned about. And that's why Russia's assistance to North Korea, if it, in fact, is helping them refine and improve their delivery systems is actually a direct threat to the United States of America because North Korea certainly has intercontinental ballistic missiles and it certainly has nuclear weapons. But mating those two together and then delivering them to a target is a complex undertaking. And if the Russians, again, are helping them figure that out, the Russians are doing something that poses a direct threat to the United States of America.
Geoff White
Steve says there's no hard evidence that's definitely happening, but the risk is real.
Steve Biegan
There's something going on there. Could it be? Is it possible instead, they're just teaching them horticultural skills in order to grow a better, more sustainable food supply for their people? It's possible, but I don't think that's the kind of thing that would move the needle for the North Korean regime.
Jean Lee
North Korea is learning and evolving on the battlefield, in cyberspace, and possibly behind the closed doors of its nuclear research labs, labs it can keep running thanks to the loot stolen by the Lazarus Group.
Geoff White
Nevertheless, it's an evolution taking place within a regime built on fear. For its citizens, failing to help North Korea advance can have fatal consequences.
Jean Lee
In my long conversation with Steve Biegan, there was one name I wanted to raise, a name both Steve and I know. Kim Hyuk Chol.
Steve Biegan
Kim Hyuk Chul. Are you serious?
Jean Lee
Yes. I'll show you some pictures. We needed to have this conversation another time. Steve wanted to talk about Kim Hyuk Chul right away.
Steve Biegan
Yeah. So he had been the ambassador to Spain.
Jean Lee
Yes. Steve went over Kim Hyukchul's career. Veteran North Korean diplomat with roles of varying public visibility. You know, I arranged to meet him in 2011 in New York. He was my counterpart when we were negotiating the opening of the AP bureau in Pyongyang. We spent a whole week together in New York.
Geoff White
And in 2019, he became Steve's counterpart, North Korea's lead negotiator in the talks with the U.S.
Jean Lee
That's right. Steve called him his doppelganger. They were of similar age and family background.
Geoff White
Their big job was to sort a summit where their bosses, Donald Trump and Kim Jong Un, could meet and where Kim hoped he could strike some kind of a deal to lift the international sanctions on North Korea.
Jean Lee
The summit between the two leaders happened in Hanoi, in Vietnam. We covered this in season two in the episode Fire and Fury. But the deal did not.
Steve Biegan
President Trump didn't feel like the summit was a failure. He felt like the gap was still too big. That's exactly the words he used with Chairman Kim and that we need to keep working at it. We need to keep our teams together and keep working. We'll get there. The meeting didn't end in acrimony or, you know, doors slamming or people stomping out. It was warm handshakes and, you know, really great to see you. And President Trump, you know, expressed willing and interest to see Chairman Kim again soon and so on. You know, it wasn't a, at least in our thinking, the end of anything.
Jean Lee
But the North Koreans may have seen it differently. Steve says they went into a protracted period of silence, and that is an ominous sign. And then came the rumors.
Geoff White
Stories of people involved in the Hanoi summit being sent to re education camps or to do menial work.
Jean Lee
Earlier this year, Steve was in Beijing. He was speaking to a Chinese contact that he says is close to North Korean officials. And the source gave an update on what happened to Kim Hyuk Chol after Hanoi.
Steve Biegan
Upon the return to Pyongyang, he and two female interpreters had all been arrested, accused of various charges, embarrassing the state, failing to uphold the dignity of the nation. There's some generic charges like this in that that they were executed out by Pyongyang International Airport. I think it was by firing squad, they said, and that all foreign ministry officials above the director level were required to witness the execution. It's a brutal system. It is unforgiving. Failure has to be borne by those other than the leader.
Geoff White
Pitts turn sobering. You can hear it in Steve's voice.
Jean Lee
It's true. I have to say there are other versions of the story. Some say Kim Hyo Chol is still alive, but no one has seen him in public in years. And in a regime built on fear, disappearing from view sends its own kind of message.
Geoff White
And it's not just diplomats. Even the Lazarus Group won't be safe. Warren Mercer, who was struck by the real skill of the hackers in manipulating Bybit's offline Vault to steal $1.5 billion, has a sense of the pressure they're likely under. There's a telltale clue in the hack.
Warren Mercer
Two minutes and $1.5 billion away. In that two minute period, they carried out a $90 test transaction. You have to think about it. I'm an operator sitting in deepest, darkest North Korea. I'm under a lot of pressure. We've got this big, big fish that we've just captured. I now need to make sure that we get the $1.5 billion to the infrastructure and wallet we control. So I literally took the time to carry out a $90 test transaction. So the operator carrying out this attack had a little bit of fear as well in himself. He knew he couldn't mess this up.
Geoff White
Can you imagine getting one of those digits wrong? Oh, the 1.5 billion went somewhere else. Somebody else has got it.
Warren Mercer
It would have been a. It would have been a scary payday.
Geoff White
Yeah. Particularly if your boss is Kim Jong Un as well.
Warren Mercer
Yeah, yeah, this is it. I mean, this guy or female who carried out this attack, from an operator perspective, they see no benefit of this. They don't reap any benefit at all. The regime reaps the benefit.
Geoff White
No glory, no reward, just pressure and fear.
Jean Lee
Two days in February tell the whole story. The day before the billion dollar Bybit heist, Chul Wan Jung published his story about Rhee, the North Korean soldier now being held as a prisoner of war in Ukraine.
Geoff White
These two events reveal a North Korean regime more capable and dangerous than ever. While its army is getting battle ready, Lazarus Group hackers are proving more adept and more technically advanced than any other cybercriminals in the world.
Jean Lee
With their help, Kim Jong Un is finding it easier to overcome efforts to control him through threats and international sanctions. He's becoming increasingly self-sufficient.
Geoff White
The world may not be ready for what comes next.
Jean Lee
No longer isolated, his is a regime unleashed.
Geoff White
The Lazarus Heist is an original podcast from the BBC World Service. The producer of this episode is Neil Roselle. The editor is Richard Fenton Smith.
Jean Lee
Our original music was composed by Magnus Fiennes and Lee Il Woo from the South Korean band Jonbanay.
Geoff White
And as ever, we love your feedback. Keep leaving those ratings and reviews and do subscribe so you don't miss out on future episodes.
Jean Lee
You can also spread the word on social media using the hashtag Lazarus Heist.
Geoff White
We've been telling the story of the Lazarus Group, but hackers are found everywhere. So we're returning with a brand new season and a brand new story. Season three is coming soon. Follow or subscribe so you never miss an episode.
BBC Podcast | September 2, 2025
This gripping bonus episode of World of Secrets brings listeners a special story from The Lazarus Heist series, delving into the largest crypto theft in history. In early 2025, over $1.5 billion vanished from the Singapore-based exchange Bybit in minutes. Through expert interviews, on-the-ground reporting, and deep technical breakdowns, the episode exposes not only the stunning audacity of the North Korean Lazarus Group’s cyber attack, but also the regime’s evolving power on the battlefield and world stage.
The narrative merges cybercrime intrigue with geopolitical urgency, revealing how North Korea’s hacking and military adventures intertwine, fueling Kim Jong Un’s ambitions and challenging global security.
“It’s as if the thieves have backed up a fleet of trucks and emptied a bank vault.”
– Jean Lee, [04:43]
“When you see a number like $1.5 billion… it’s a GDP of some nation states.”
– Warren Mercer, [05:58]
“If you’re tracing any assets that are moving like this, any break that you take, you’re behind.”
— Chris Wong, [20:19]
“Imagine this crypto as a giant bag of red marbles… Then they smash all the marbles into pulverized dust and blow it all over the Internet.”
— Geoff White, [23:47]
“I did not get into crypto because I like crypto. I got into crypto because North Korea was stealing crypto.”
— Nick Carlson, [25:19]
“Chairman Kim Jong Un… wants it all. He wants to keep the weapons, get rid of the sanctions. But… if he really knew what he wanted, he’d have to make some choices.”
— Steve Biegan, [32:19]
“This one recent theft of $1.5 billion, that’s 5% of their GDP.”
— Steve Biegan, [33:47]
“The hackers can just change that... Like a magic trick behind the scenes.”
— Warren Mercer & Geoff White, [39:00]
“In one fell swoop. A $1.5 billion cyber heist wipes out a year's worth of effort to put pressure on the North Korean economy.”
— Steve Biegan, [34:08]
“The Lazarus Group is now a major player in North Korea's economy.”
— Jean Lee, [34:25]
“You see no benefit of this. They don't reap any benefit at all. The regime reaps the benefit.”
— Warren Mercer on the hackers, [55:06]
The episode is compelling, suspenseful, and journalistic, weaving intimate human stories with high-stakes cyber drama. The tone is urgent but explanatory, mixing technical clarity with geopolitical and personal nuance. First-hand accounts, expert testimony, and immersive analogies help bring the invisible world of cyberwarfare into sharp focus.
This special episode leaves listeners both informed and unsettled. The Lazarus Group’s hack is not just a record-breaking crime—it’s a seismic event with implications for global security, the future of warfare, and the very survival of the North Korean regime. Kim Jong Un’s ability to evade sanctions and purchase knowledge, especially with potential Russian help, threatens to upend the balance of power in Asia and beyond.
If you want a riveting, eye-opening journey through the intersection of digital heists and statecraft—this is essential listening.
For the full experience and further episodes, search "The Lazarus Heist" on your BBC podcast platform.