Lazarus Group hits Taiwan's BitoPro: $11M crypto stolen via cloud breach & employee hack. Critical warning for crypto exchanges. Details

Continue reading
Taiwanese cryptocurrency exchange BitoPro has confirmed the notorious North Korean Lazarus Group is behind a devastating $11 million crypto hack that exploited its systems during a routine update. This major cryptocurrency security breach, initially shrouded in secrecy, reveals a chillingly sophisticated attack leveraging employee malware and cloud hijacking.
The $11 Million Lazarus Group Crypto Heist: How It Happened
On May 8, 2025, while BitoPro performed a hot wallet system upgrade, attackers sprung their trap. They executed unauthorized cryptocurrency withdrawals from an older, still-active hot wallet across multiple blockchains: Ethereum, Tron, Solana, and Polygon.
But the groundwork was laid weeks before. BitoPro's investigation, completed June 11th, uncovered a targeted social engineering attack that successfully implanted malware on the device of an employee managing cloud operations. This critical breach allowed the Lazarus Group hackers to:
Using a hidden command-and-control (C2) server, the attackers delivered scripts designed to manipulate the hot wallet host. Crucially, they timed their crypto theft to coincide with legitimate operational activity during the wallet upgrade, effectively evading immediate detection by mimicking normal behavior.
Laundering the Loot & Delayed Disclosure
True to their modus operandi, the North Korean hackers swiftly moved to launder the stolen $11 million in cryptocurrency. BitoPro's forensic analysis tracked the funds through decentralized exchanges (DEXs) and notorious crypto mixers like Tornado Cash, ThorChain, and Wasabi Wallet.
Despite detecting the compromise and taking action – shutting down the hot wallet system and rotating keys – BitoPro faced criticism for its delayed breach disclosure. The exchange only publicly confirmed the major crypto hack on June 2, 2025, nearly a month after the theft occurred. The company stated operations were unaffected and user losses were covered by reserves, but the silence raised eyebrows.
Lazarus: North Korea's Crypto Bank Robbers
BitoPro explicitly attributes the attack to the Lazarus Group, stating the attack methodology bears "resemblance to patterns observed in multiple past international major incidents," including SWIFT system attacks and thefts from major crypto exchanges. This attribution underscores Lazarus's relentless focus on cryptocurrency theft to fund the North Korean regime, following their record-shattering $1.5 billion Bybit hack earlier.
BitoPro's Response and Ongoing Fallout
The exchange maintains its investigation found "no internal involvement" beyond the compromised employee. They have notified authorities and engaged external cybersecurity experts. With over 800,000 registered users and $30 million daily trading volume, this Taiwan crypto exchange hack serves as a stark warning for the entire industry about the advanced, persistent threat posed by state-sponsored hacker groups.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.