Lazarus Group Blamed for $11 Million BitoPro Cryptocurrency Heist
BitoPro, a major cryptocurrency exchange in Taiwan, has attributed a recent $11 million theft to the notorious North Korean hacking group Lazarus, following an internal investigation that identified parallels with known Lazarus operations.
The breach occurred on May 8, 2025, during a scheduled update of BitoPro’s hot wallet infrastructure. Hackers exploited the process to carry out unauthorized withdrawals across multiple blockchain platforms, including Ethereum, Tron, Solana, and Polygon.
Hackers Bypassed MFA Using Hijacked AWS Tokens
BitoPro has now disclosed that the attackers launched a social engineering campaign to compromise a staff member responsible for managing cloud operations. Malware was planted on the employee’s device, enabling attackers to hijack AWS session tokens—a move that allowed them to bypass multi-factor authentication (MFA) and infiltrate the exchange’s cloud infrastructure.
With access established, a command-and-control (C2) server issued commands to inject malicious scripts into the hot wallet system. When the wallet was upgraded and assets were transferred, attackers mimicked normal operational behavior to avoid triggering alerts.
By the time the compromise was detected and the wallet shut down, approximately $11 million in crypto assets had been siphoned off.
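The token hijack described above leaves a distinctive trace: an STS session key that was minted after a legitimate MFA login is suddenly used from a second source IP and user agent. As an added defender-side example (not BitoPro's code or telemetry), the Python below scans CloudTrail-style records for exactly that pattern; the records, key IDs and IP addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real BitoPro telemetry).
# 09:00-09:05: the employee's legitimate CLI session from the office egress IP.
# 09:20: the same ASIA key reused from an unknown IP with a different user agent,
# which is what a replayed (stolen) session token looks like in the audit log.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-08T09:00:12Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001"}},
    {"eventTime": "2025-05-08T09:05:41Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001"}},
    {"eventTime": "2025-05-08T09:20:03Z", "eventName": "ListSecrets",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001"}},
    # A second session that stays on one origin: must not be flagged.
    {"eventTime": "2025-05-08T09:30:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.11", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000002"}},
    # Long-lived IAM user key (AKIA...): out of scope for session-token replay.
    {"eventTime": "2025-05-08T09:31:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000003"}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_replayed_session_keys(events, window=timedelta(hours=1)):
    """Return {accessKeyId: [(time, ip, userAgent, eventName), ...]} for every
    temporary (ASIA...) key used from two or more distinct (ip, userAgent)
    origins within `window`. MFA was already satisfied when STS minted the key,
    so a replay from a second origin never re-prompts for MFA; the origin
    change in the audit trail is what gives it away."""
    uses = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith("ASIA"):
            uses[key].append((_ts(ev["eventTime"]), ev["sourceIPAddress"],
                              ev["userAgent"], ev["eventName"]))
    flagged = {}
    for key, rows in uses.items():
        rows.sort()
        for i, (t, ip, ua, _) in enumerate(rows):
            # Any earlier use inside the window from a different origin?
            if any(t - pt <= window and (pip, pua) != (ip, ua)
                   for pt, pip, pua, _ in rows[:i]):
                flagged[key] = rows
                break
    return flagged

if __name__ == "__main__":
    for key, rows in find_replayed_session_keys(SAMPLE_EVENTS).items():
        print(key)
        for t, ip, ua, name in rows:
            print(f"  {t:%H:%M:%S} {ip:<15} {ua:<15} {name}")
```

In production the same check would run over CloudTrail delivered to S3 or CloudWatch Logs, and a hit on a key tied to the wallet deployment role would be the moment to revoke the session and halt the upgrade.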
Funds Laundered Through Popular Crypto Mixers
Post-theft, the attackers moved the stolen funds through decentralized exchanges (DEXs) and anonymizing services including Tornado Cash, ThorChain, and Wasabi Wallet—a pattern consistent with Lazarus Group’s past laundering tactics.
Attribution to Lazarus Based on Known Attack Signatures
BitoPro officially connected the breach to Lazarus based on similarities to other international cyber incidents:
“The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges,” the company said.
Lazarus, which has been linked to a string of high-profile cyber heists, is believed to be behind some of the largest digital asset thefts in history, including the $1.5 billion Bybit hack.
Delayed Disclosure but Swift Containment
Though the incident occurred on May 8, BitoPro only acknowledged the breach on June 2, stating that user operations were unaffected and that stolen hot wallet funds were replenished from internal reserves.
The exchange completed its investigation on June 11, with assistance from external cybersecurity experts. Authorities have also been notified.
BitoPro serves over 800,000 users and handles $30 million in daily trading volume, with support for fiat deposits and a wide range of crypto assets.