North Korean hackers have stolen $2 billion in cryptocurrency since 2018 | Cointelegraph中文

Sky Mavis developed the globally popular blockchain game Axie Infinity, which peaked in 2021 with over 2.7 million daily active users and monthly revenue exceeding $334 million.

On March 23, 2022, members of the North Korean hacker organization Lazarus Group, posing as HR staff from a Singapore gaming company, sent a recruitment document to Sky Mavis.

The résumé in the document was very impressive: the candidate not only had experience at well-known game studios but was also a KOL (key opinion leader) in the crypto community. More importantly, however, the document contained malicious code.

On March 27, using the malicious code, the hackers gained control of four of Axie's nine (4/9) signing keys, and after several days of mingling in the community they had built up enough trust to talk the community into handing over one more (1/9). Two days later, on the 29th, they stole 173,600 ETH and 25.5 million USDC outright, totaling $625 million.

On April 5 the news began to spread publicly, but by then more than seven days had passed since the theft, the golden window for recovery had closed, and almost all of the funds had already been moved, leaving no room for recovery.

The Lazarus Group took only six days from initial infiltration to theft. The whole operation was completed within a single UN sanctions supply-transport cycle.

They laundered 90% of the stolen funds within 45 days, roughly ten times faster than traditional financial crime; at the same time, the attack was timed during the sensitive period of the South Korean presidential election, tying up security forces.

Although Sky Mavis had problems of its own, the more important lesson is what the incident demonstrates: the control a state-level actor can exert in cyberspace, and the industrialized operational capability of North Korean hackers.

1


On February 21, 2025, at 11 PM, a multi-signature Ethereum wallet belonging to the well-known exchange Bybit was hacked, resulting in the loss of 514,000 ETH, worth a total of $1.429 billion. In the immediate aftermath nobody could pin down the core question of how it had been done. The attackers had:

- accurately identified every signer of the multi-signature wallet;

- silently implanted malware on each signer's device;

- made the user interface (UI) display transaction details completely different from the transaction content actually being signed;

- had every signer approve the transaction without any of them realising it.
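The failure mode in the last two points, a front-end that shows one transaction while the signer approves another, illustrated with an added example (this is not Bybit's or any wallet vendor's code): a signer-side check that recomputes the digest from the intended transaction, compares it with what the raw request and the signing device actually carry, and refuses on any mismatch. The sha3-256 digest over canonical JSON, the field names and the placeholder addresses are assumptions for illustration, standing in for a real wallet's EIP-712 digest.

```python
import hashlib
import json

# Constructed example: the fields below stand in for a real multisig
# transaction; sha3-256 over canonical JSON stands in for the wallet's
# actual digest (which would use keccak-256 and a domain separator).
FIELDS = ("to", "value_wei", "data", "nonce")


def signing_digest(tx: dict) -> str:
    """Digest over the canonical transaction fields only; UI labels are ignored."""
    canonical = json.dumps({k: tx[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha3_256(canonical.encode()).hexdigest()


def verify_request(ui_tx: dict, raw_request: dict, device_digest: str) -> list:
    """Return discrepancies; an empty list means the UI, the raw request and the
    digest shown on the signing device all describe the same transaction."""
    problems = []
    # 1. Field-by-field: what the front-end shows vs. what was handed to the signer
    for field in FIELDS:
        if ui_tx.get(field) != raw_request.get(field):
            problems.append(f"{field}: UI shows {ui_tx.get(field)!r}, request has {raw_request.get(field)!r}")
    # 2. A plain transfer should carry no calldata; any payload means a contract call
    if ui_tx.get("kind") == "transfer" and raw_request.get("data", "0x") != "0x":
        problems.append("calldata attached to what the UI calls a plain transfer")
    # 3. The digest on the hardware device is derived from the raw request, so it
    #    must equal the digest recomputed from the transaction the signer intends
    if device_digest != signing_digest(ui_tx):
        problems.append("device digest does not match the transaction shown in the UI")
    return problems


# Constructed data: the UI presents a routine 1 ETH transfer to the cold wallet ...
UI_TX = {"kind": "transfer", "to": "0xCOLD-WALLET-PLACEHOLDER", "value_wei": 10**18, "data": "0x", "nonce": 42}
# ... while the request actually passed to the signer targets another contract with calldata.
TAMPERED = {"to": "0xOTHER-CONTRACT-PLACEHOLDER", "value_wei": 0, "data": "0xdeadbeef", "nonce": 42}
HONEST = {k: UI_TX[k] for k in FIELDS}

if __name__ == "__main__":
    print(verify_request(UI_TX, HONEST, signing_digest(HONEST)))  # []
    for p in verify_request(UI_TX, TAMPERED, signing_digest(TAMPERED)):
        print("REFUSE:", p)
```

The decisive line is the digest comparison: a compromised front-end can fake every label it shows, but it cannot make a locally recomputed digest of the intended transaction equal the digest of a different one.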

It was only after the blockchain security team SlowMist conducted an in-depth analysis of the preceding 30 days that the attackers' methods and intrusion path were finally reconstructed.

They confirmed that this was a state-level APT attack targeting cryptocurrency exchanges. The suspect ultimately identified was the Lazarus Group.

It is not only Bitcoin that keeps setting new all-time highs; North Korean hackers are good at it too.

"APT" (advanced persistent threat) attacks are intrusions that remain undetected for a long time. They are typically used to steal sensitive data over an extended period, conduct espionage, and disrupt critical systems.

In the Bybit theft, the hackers used social engineering to trick Bybit employees into executing trojanised code on their local devices.

Once the malicious code gave them full control of those devices, they spread the infection widely and ultimately went after the wallet servers to carry out the theft.

The code used in the theft was not particularly innovative. What is truly frightening is the overall plan combined with social engineering.

Many people may never have heard the term 'social engineering'. It is a confidence trick aimed at collecting information, committing fraud, and infiltrating systems. Its core lies in manipulating human psychology to induce an action or the leaking of confidential information.

In the Chinese context, this method is commonly known as 'network pig-butchering'.

In the Bybit theft, the hackers posed as an investor offering trading analysis or quantitative code, and tricked key targets into executing malicious programs. Once a malicious program ran on a device, it established a persistent backdoor and gave the attacker remote access.

This resembles the preliminary moves before the Axie theft, and it goes beyond traditional hacking methods. Even if the code is flawless, as long as humans are involved in decision-making there will always be openings for social engineering attacks, because human nature is the weak point.


2

The earliest detection of North Korean hacker activity on the blockchain was in 2020. At that time, Yuxian's security team was not overly shocked to find North Korean hackers infiltrating the industry.

However, I am very impressed by their methods: they often start with social engineering, breaching ordinary employees' devices, then gradually penetrating the computers of core personnel, obtaining the 'safe key' before carrying out the theft, and finally leaving without a trace.

However, nobody paid attention to what it meant for a pack of sharks to enter the crypto industry. Or perhaps there is a natural lack of vigilance toward a country like North Korea, where ordinary people can barely access the internet.

Little do people know that in the world outside of cryptocurrency, North Korean hackers have long been notorious.

In 1990, North Korea formally began militarizing the internet. Kim Il-sung University established a computer science department, imported 386 computers from China, and secretly trained its first batch of internet talent.

In 2004, South Korea's National Intelligence Service first confirmed the existence of 'Laboratory 110' in North Korea (the predecessor of today's Bureau 121), a hacker unit disguised as a software development company.

After five years of preparation, Laboratory 110 launched the '7.7 DDoS attack' in 2009, paralyzing South Korean government and media websites for 34 hours and showcasing its cyber warfare capability for the first time.

After this success, Laboratory 110 expanded into 'Bureau 121 of the Reconnaissance General Bureau', reporting directly to a general and staffed by roughly 6,000 people. In 2013, Bureau 121's capabilities leapt forward with the establishment of a hacker training camp at the 'Pyongyang University of Electronic Technology'.

Three years later, North Korean hackers scored their first top-tier success: breaching the SWIFT system and stealing $85 million from the Bangladesh central bank. Having tasted success, North Korea made online theft its core source of foreign exchange from 2017 to 2020.

A UN report states that North Korean hackers stole $3 billion between 2019 and 2023.

Among the targets, the crypto industry has become the juiciest. According to U.S. Treasury Department data, since 2021 half of the hacker attacks on the crypto sector have come from North Korean hacker organizations.

Their methods are exactly those analyzed by Yuxian's team: pose as a recruiter to infiltrate the team, compromise development tools, and then exploit cross-chain bridge vulnerabilities.

Throughout 2023, the revenue generated by North Korean hackers accounted for 7% of North Korea's GDP.


3

The rampant activities of North Korean hackers are closely linked to the system of overseas labor.

According to North Korea's foreign trade data, its total annual imports and exports amount to less than $3 billion, 99% of which is trade with China.

However, North Korea's exports to China are small, only around $400-500 million. How is the remaining $2 billion trade deficit covered? Through overseas labor. Every year North Korea sends large numbers of workers to China, Russia, Africa, and elsewhere; 70% of their earnings go to the state and 30% is kept by the workers.

Among these overseas workers, IT expatriates are the main earners of foreign exchange. A 2024 UN report stated that these IT workers bring North Korea $600 million in revenue each year, nearly 20% of its total foreign exchange income.

And that does not count the side income: it is well known that North Korean hackers attack companies by covertly getting hired as employees. After the Bybit hack, CoinDesk conducted a partial survey of the industry and found:

Multiple companies suffered hacker attacks after hiring North Korean IT workers.

Of course, not all overseas workers are bad actors, but when bad actors appear in considerable numbers, credibility is lost. Many countries, including the United States, have therefore explicitly declared that hiring North Korean workers is illegal.

However, since this is organized by the state, there will naturally be ways to circumvent it.

Some friends of mine at crypto companies say it is really hard to filter them out: they do background checks, but the applicants can always produce some document proving their identity, such as a Texas driver's license or a forged Japanese ID card. Combined with their decent technical skills, they end up getting hired.

Most of these North Korean IT workers were exposed because of remittances to the addresses of sanctioned North Korean individuals such as Kim Sang Man and Sim Hyon Sop.

Can you guess where those fake documents came from?

A single robber is not frightening, nor is a gang of robbers. What is terrifying is a country that cultivates robbers. Many overseas companies, especially in the blockchain industry, have already declared Southeast Asia a no-go zone for hiring.


4

Bybit barely weathered this theft. Within a day of the incident, over $3 billion in assets were withdrawn, and it was only with the support of peers and whales that the exchange managed to survive the liquidity crisis.

Given Bybit's annual revenue of $2 billion and profit of $600 million, this incident has effectively wiped out two years of work. It may take even longer, since a trading platform's most important asset is its reputation, and in the long run profitability is expected to decline.

If even exchanges fare like this, how should retail investors like us respond?

The technical means of North Korean hackers are not particularly advanced; what they win with is human nature. Or rather, theft very often originates in desire and laziness.

I have been hacked twice. The first time, I accidentally clicked a phishing link about airdrop information. That one click leaked all the private keys of the Metamask wallets recorded on my computer, and my assets were emptied. The biggest loss came from arb------ I hadn't even had the chance to withdraw the airdrop rewards.

Ever since, every time airdrop rewards land in my wallet I can only watch, because there is a high probability they do not belong to me: the rewards are swept out within a minute of being issued.

The second incident came from X, where my account was hacked. I have appealed to Musk repeatedly, but the hacked account wasn't even suspended, and I watched the hacker roam free while enduring ridicule; he even tried to get me to hand over a few private keys to recover my X account... Overall, it feels very powerless.

What I want to say to players entering the crypto world is that this environment is different from the one you usually live in: there is no caretaker, and everything depends on you. In the crypto world your assets really do belong to you, but you must have the ability to protect them, because there is no one to call for help when you are bullied here.

Strictly speaking, we all belong to the bottom tier. We are not the exchanges that collect trading fees, nor the project teams that make money issuing tokens, and certainly not the hackers who rob with their technical skills.

All we can do in such a chaotic, lawless place is hold our private keys tightly and carefully protect the assets whose future is most certain.

Everyone here has only the lowest degree of goodwill, and everyone is thinking about making more money. Do not naively try to take part in such a cruel game as a retail investor; the best thing to do is to hoard Bitcoin and not let anyone know your address.

By the way, if you are still unsure how to protect your on-chain assets, you can contact me for a copy of the 'Dark Forest Self-Rescue Manual'.

There are not only treasures here but also countless traps. Please learn to educate yourself before entering.