North Korea just climbed to third place among governments holding Bitcoin after a $1.4 billion crypto heist. On February 21, hackers from the Lazarus Group, a cybercrime organization backed by Pyongyang, infiltrated Bybit, one of the world’s largest crypto exchanges, stealing mostly Ethereum.
Shortly after, the group converted a large portion of the stolen funds into Bitcoin, pushing North Korea’s total stash to 13,562 BTC, worth $1.14 billion.
The United States, which recently launched its Strategic Bitcoin Reserve (SBR), remains the largest government Bitcoin holder with 198,109 BTC, valued at $16.71 billion. The United Kingdom follows with 61,245 BTC worth $5.17 billion. North Korea’s new position places it ahead of Bhutan, which holds 10,635 BTC ($897.6 million), and El Salvador, which has 6,117 BTC ($516.11 million).
The sudden jump in holdings happened just days before President Donald Trump signed an executive order on March 6, officially establishing the SBR, fueling speculation about North Korea’s motives in the global crypto race.
Lazarus Group cashes out stolen funds despite global crackdown
North Korea’s Bitcoin fortune isn’t just sitting in a wallet. Blockchain tracking firms report that $300 million from the Bybit hack has already been cashed out, despite global efforts to freeze the funds.
“Every minute matters for the hackers who are trying to confuse the money trail, and they are extremely sophisticated in what they’re doing,” said Tom Robinson, co-founder of Elliptic, a firm tracking illicit crypto flows. The stolen assets are being moved through a complex laundering process, with experts warning that the money is funding North Korea’s nuclear and military programs.
The Lazarus Group has also expanded its cyber operations. Over the past few months, researchers discovered that the hackers had compromised npm, a popular package manager for JavaScript developers.
Using typosquatting techniques, Lazarus inserted malicious versions of widely used software packages, tricking developers into downloading malware-infested code. The corrupted packages, including is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator, injected BeaverTail malware upon execution.
BeaverTail extracts login credentials, scans browser files for saved passwords, and drains cryptocurrency wallets such as Solana and Exodus. “This malware is a direct threat to developers working on financial and blockchain applications,” said Kirill Boychenko, a threat intelligence analyst at Socket Security. The malware secretly transmits stolen data to Lazarus-controlled servers, a tactic the hacking group has used for years to remain undetected.
OKX sees scrutiny for laundering Lazarus funds as Bybit freezes assets
Regulators across Europe are investigating OKX, one of the largest crypto trading platforms, over allegations that it was used to launder $100 million linked to the Bybit hack. On March 6, officials from all 27 European Union member states convened under the European Securities and Markets Authority (ESMA) to discuss whether OKX’s Web3 platform falls under the Markets in Crypto-Assets (MiCA) framework.
Authorities claim Lazarus hackers used OKX’s self-custodial wallet and decentralized trading service to process stolen funds. If found guilty, OKX could face massive penalties.
Meanwhile, Bybit and other exchanges are actively freezing hacked funds, but not every platform is cooperating. One exchange, eXch, allegedly allowed Lazarus to cash out over $90 million before taking action. Bybit executives have accused Johann Roberts, the owner of eXch, of deliberately delaying asset freezes.
Roberts denies wrongdoing. “We didn’t initially freeze the funds because we were in a long-standing dispute with Bybit and weren’t sure the funds were from the hack,” he said in an email statement. He later confirmed that eXch is now cooperating but criticized regulatory crackdowns, arguing that they threaten privacy and anonymity in crypto.
The United States and its allies continue to blame North Korea for dozens of crypto hacks over the past decade, pointing to Pyongyang’s reliance on stolen crypto to bypass economic sanctions. Lazarus Group initially focused on hacking banks, but over the past five years, it has shifted its focus entirely to crypto exchanges, targeting centralized platforms, DeFi protocols, and blockchain developers.