North Korean threat actors allegedly strike again, exploiting social engineering and cloud vulnerabilities to breach Taiwanese crypto exchange BitoPro.
Targeted breach disguised as routine operations
Taiwanese cryptocurrency exchange BitoPro disclosed it was the victim of a calculated cyberattack that resulted in the theft of $11 million in digital assets. The breach occurred on May 8 during a routine upgrade of its hot wallet infrastructure.
Threat actors seized the moment and exploited the routine upgrade operation to carry out unauthorized withdrawals across multiple blockchains, including Ethereum, Solana, Polygon and Tron.
While the attack didn’t affect the exchange’s day-to-day operations, the company only disclosed the incident publicly weeks later, on June 2. It has since offered assurances that affected wallets were replenished using internal reserves and trading activity remains stable.
All signs point to infamous Lazarus Group
Following the discovery, BitoPro launched a thorough internal investigation. Aided by cybersecurity experts, the company attributed the attack to the Lazarus Group, a North Korean state-sponsored hacking operation notorious for high-profile cryptocurrency heists.
The company said the techniques used in this breach mirror those seen in Lazarus-linked operations, including SWIFT system exploits and previous exchange hacks.
Investigators found no evidence of insider involvement but confirmed that the perpetrators used social engineering tactics to compromise the system. Attackers infected a cloud operations employee’s device with malware and used hijacked AWS session tokens to bypass multi-factor authentication (MFA) and seize control of BitoPro’s cloud infrastructure.
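The detail worth dwelling on is why a stolen session token defeats MFA: the MFA check happens once, when the session is created, and the resulting temporary credentials carry that assertion for their whole lifetime, so every call the thief makes is logged as MFA-authenticated. What does change is where the calls come from. The script below is an added example (not BitoPro's code or any vendor's product) that parses a CloudTrail log file and flags temporary access keys (the ones beginning with "ASIA") that appear from a second source IP, from outside a trusted network range, or from a different client mid-session. The log records and the trusted range are constructed for illustration.

```python
"""Flag temporary AWS credentials reused from an unexpected origin.

Added example, not from BitoPro or any vendor. A stolen STS session token
inherits the MFA assertion of the session it was minted in, so CloudTrail still
records mfaAuthenticated="true" for calls the thief makes. What does change is
the source IP and client: the same access key ID (temporary keys start with
"ASIA") shows up from a second network or a different user agent inside the
token's lifetime. The log below is constructed; the trusted range is assumed.
"""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumption: the organisation's known egress range (TEST-NET-3, constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed CloudTrail log file in the {"Records": [...]} layout. Key ...002
# is used legitimately from the office, then from an unrelated address with a
# different client while still carrying the MFA flag.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-05-08T09:01:12Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-05-08T09:03:40Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-05-08T09:10:05Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.22", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-05-08T09:11:30Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.22", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-05-08T09:48:02Z", "eventName": "GetSecretValue",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0 Python/3.11",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-05-08T09:49:15Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0 Python/3.11",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]})


def load_records(raw: str) -> List[dict]:
    """Parse a CloudTrail log file body ({"Records": [...]}) into event dicts."""
    return json.loads(raw)["Records"]


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside a known egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def mfa_asserted(event: dict) -> bool:
    """Read the session's MFA flag exactly as CloudTrail records it."""
    attrs = event["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def analyze_sessions(events: Iterable[dict]) -> List[dict]:
    """Group calls by temporary access key and report keys whose origin drifted."""
    by_key: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith("ASIA"):  # only STS-issued, short-lived credentials
            by_key[key].append(ev)

    findings = []
    for key, evs in sorted(by_key.items()):
        ips = sorted({e["sourceIPAddress"] for e in evs})
        agents = sorted({e["userAgent"] for e in evs})
        reasons = []
        if len(ips) > 1:
            reasons.append("same session used from %d source IPs: %s" % (len(ips), ", ".join(ips)))
        untrusted = [ip for ip in ips if not is_trusted(ip)]
        if untrusted:
            reasons.append("activity from outside trusted ranges: " + ", ".join(untrusted))
        if len(agents) > 1:
            reasons.append("client changed mid-session: " + " -> ".join(agents))
        if reasons:
            findings.append({
                "accessKeyId": key,
                # Stays true on every call: MFA was satisfied once, at session
                # creation, and the stolen token simply carries it along.
                "mfaAuthenticated": all(mfa_asserted(e) for e in evs),
                "firstSeen": min(e["eventTime"] for e in evs),
                "lastSeen": max(e["eventTime"] for e in evs),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_sessions(load_records(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Run against the constructed log, the legitimate key produces nothing and the hijacked key produces one finding with three reasons, with `mfaAuthenticated` still `True` for every call. That last field is the point: a rule that trusts the MFA flag alone will never see this, while a rule keyed on origin drift within one session will.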
Sophisticated attack chain led to massive losses
Once inside the system, threat actors used a command-and-control (C2) server to send malicious instructions to an implant on the hot wallet host. Those commands injected scripts designed to simulate normal wallet operations, cloaking the theft in real time.
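An implant that forges the wallet host's own telemetry can make the theft look like routine activity to anything that reads that telemetry, but it cannot forge the chain. The control that survives this is an independent reconciliation: read outgoing transfers from a node or indexer on a separate host and require each one to match an approved request in the internal ledger, with a velocity cap as a second, simpler backstop. The code below is an added example to illustrate that design, not BitoPro's code; every chain, address, amount, price and limit in it is constructed.

```python
"""Reconcile on-chain hot-wallet outflows against approved withdrawals.

Added example, not BitoPro's code. An implant that forges the wallet host's own
telemetry cannot forge the ledger: transfers are read from an independent node
or indexer on a separate host, and every outgoing transfer must match exactly
one approved request in the internal ledger. A second guard caps total outflow
per sliding window so that a burst of "normal-looking" withdrawals still trips
an alert. All chains, addresses, amounts, prices and limits are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from typing import List, Tuple


@dataclass(frozen=True)
class Withdrawal:
    """An operator-approved withdrawal request from the internal ledger."""
    chain: str
    asset: str
    to: str
    amount: Decimal
    approved_at: datetime


@dataclass(frozen=True)
class OnChainTransfer:
    """An outgoing transfer as reported by an independent chain data source."""
    chain: str
    asset: str
    txid: str
    to: str
    amount: Decimal
    seen_at: datetime


# Assumptions for the velocity guard (constructed): a 15-minute window and a
# USD ceiling, with fixed reference prices used only to value the window.
WINDOW = timedelta(minutes=15)
USD_CAP_PER_WINDOW = Decimal("250000")
USD_PRICE = {"ETH": Decimal("2500"), "SOL": Decimal("150"), "USDT": Decimal("1")}


def _t(hhmm: str) -> datetime:
    """Timestamp helper for the constructed sample data."""
    return datetime.strptime(f"2025-05-08 {hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed ledger: two approvals an operator actually signed off.
LEDGER = [
    Withdrawal("ethereum", "ETH", "0xCUST0MER00000000000000000000000000000001", Decimal("1.2"), _t("08:58")),
    Withdrawal("tron", "USDT", "TCUSTOMER00000000000000000000002", Decimal("5000"), _t("08:59")),
]

# Constructed chain view: the two approved transfers plus three the ledger never saw.
TRANSFERS = [
    OnChainTransfer("ethereum", "ETH", "tx1", "0xcust0mer00000000000000000000000000000001", Decimal("1.2"), _t("09:00")),
    OnChainTransfer("tron", "USDT", "tx2", "TCUSTOMER00000000000000000000002", Decimal("5000"), _t("09:02")),
    OnChainTransfer("ethereum", "ETH", "tx3", "0xUNKNOWN000000000000000000000000000000aa", Decimal("40"), _t("09:05")),
    OnChainTransfer("solana", "SOL", "tx4", "UNKNOWN0000000000000000000000000000000bb", Decimal("900"), _t("09:06")),
    OnChainTransfer("tron", "USDT", "tx5", "TUNKNOWN00000000000000000000000cc", Decimal("120000"), _t("09:07")),
]


def same_address(a: str, b: str) -> bool:
    """Hex (EVM) addresses are case-insensitive; base58 addresses are not."""
    if a.startswith("0x") and b.startswith("0x"):
        return a.lower() == b.lower()
    return a == b


def unmatched_outflows(ledger: List[Withdrawal], transfers: List[OnChainTransfer]) -> List[OnChainTransfer]:
    """Return every on-chain transfer that no single approval accounts for."""
    pending = list(ledger)
    unmatched = []
    for t in sorted(transfers, key=lambda x: x.seen_at):
        match = next((w for w in pending
                      if w.chain == t.chain and w.asset == t.asset
                      and same_address(w.to, t.to) and w.amount == t.amount
                      and w.approved_at <= t.seen_at), None)
        if match is None:
            unmatched.append(t)
        else:
            pending.remove(match)  # one approval covers exactly one transfer
    return unmatched


def velocity_breaches(transfers: List[OnChainTransfer]) -> List[Tuple[str, Decimal]]:
    """Return (txid, USD total) each time the sliding-window outflow exceeds the cap."""
    window: List[OnChainTransfer] = []
    breaches = []
    for t in sorted(transfers, key=lambda x: x.seen_at):
        window.append(t)
        window = [w for w in window if t.seen_at - w.seen_at < WINDOW]
        total = sum((w.amount * USD_PRICE[w.asset] for w in window), Decimal(0))
        if total > USD_CAP_PER_WINDOW:
            breaches.append((t.txid, total))
    return breaches


if __name__ == "__main__":
    for t in unmatched_outflows(LEDGER, TRANSFERS):
        print(f"UNAUTHORISED {t.chain}/{t.asset} {t.amount} -> {t.to} ({t.txid})")
    for txid, total in velocity_breaches(TRANSFERS):
        print(f"VELOCITY CAP EXCEEDED at {txid}: {total} USD in {WINDOW}")
```

The two approved transfers reconcile cleanly; the three the ledger never saw are reported individually, and the cumulative outflow crosses the window cap on the fifth transfer. The important design choice is where this runs: on a host the wallet software cannot write to, fed by a chain view the wallet host does not produce, so compromising the hot wallet host alone is not enough to silence it.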
Attackers then quickly laundered the stolen assets through decentralized exchanges and crypto mixers such as Tornado Cash, Wasabi Wallet and THORChain, impeding recovery. BitoPro has since rotated its cryptographic keys and notified law enforcement of the breach.
Lazarus Group still a persistent threat to crypto platforms
Lazarus Group has cemented its reputation as a leading threat to the global cryptocurrency ecosystem.
Believed to operate under the direction of North Korea’s intelligence apparatus, the group has been linked to some of the most significant crypto heists in history, including the recent $1.5 billion Bybit hack.
Tips to thwart crypto scams
The rise of sophisticated crypto-related cyberattacks has created the need for users and organizations to combine advanced security solutions with smart online behavior. Specialized software, like Bitdefender Ultimate Security and Scamio, offers powerful protection against evolving crypto threats.
Bitdefender Ultimate Security includes comprehensive threat prevention, multi-layered ransomware protection and anti-phishing mechanisms that can block fraudulent websites and malicious scripts. Meanwhile, AI-powered scam detection tool Scamio lets users quickly analyze suspicious texts, links, emails, and described scenarios by simply messaging the tool on WhatsApp, Facebook Messenger, or via the web.
When paired with good cyber hygiene, your odds of dodging crypto scams increase significantly. Key practices include:
- Verify wallet upgrade requests and links before clicking
- Avoid unsolicited messages promising crypto giveaways or investment returns
- Use cold wallets for long-term storage instead of leaving funds in hot wallets
- Maintain strong MFA settings and avoid reusing cloud session tokens
- Regularly scan systems for malware, especially on devices used to manage, access or check on crypto assets