BitoPro Exchange Connects Lazarus Group to $11 Million Cryptocurrency Theft


The Taiwanese cryptocurrency exchange BitoPro has reported that the North Korean hacking group Lazarus is responsible for a cyberattack that resulted in the theft of $11 million in cryptocurrency on May 8, 2025.

The attribution to Lazarus rests on evidence gathered during the internal investigation, which found that the methods and attack patterns match those used in earlier incidents of the same kind. An official statement from BitoPro noted, “The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges.” The statement concluded by attributing the attack to the Lazarus Group.

BitoPro serves primarily Taiwanese users by providing support for fiat deposits and withdrawals in TWD, alongside a variety of cryptocurrency assets. The platform boasts over 800,000 registered users and a daily trading volume averaging around $30 million.

During the attack on May 8, the attackers took advantage of a hot wallet update to execute unauthorized withdrawals from an older wallet across several blockchains, including Ethereum, Tron, Solana, and Polygon. The stolen funds were then laundered through decentralized exchanges, cross-chain swap protocols, and mixers, including Tornado Cash, ThorChain, and Wasabi Wallet.

The company faced criticism for delaying the official confirmation of the incident, which was only publicly acknowledged on June 2. In the announcement, BitoPro stated that all operations remained unaffected and that the compromised hot wallets were replenished using available reserves.

The investigation found no evidence of insider involvement. It did establish, however, that the attackers had run a social engineering campaign to plant malware on the device of an employee responsible for cloud operations. From that foothold they stole the employee's AWS session tokens; because a session token represents a session that has already passed authentication, presenting it does not trigger a fresh MFA challenge, so the attackers bypassed multi-factor authentication and gained access to BitoPro’s cloud infrastructure.
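The MFA-bypass mechanism described above has a practical detection consequence: a stolen temporary credential keeps asserting `mfaAuthenticated: true` in every CloudTrail record it produces, so that flag alone proves nothing about who is holding the token. What does stand out is the same temporary access key (an `ASIA…` key ID) being used from more than one source IP or client within its lifetime. The following Python is an added example written for this article, not code from BitoPro or from the incident report; the CloudTrail field names (`eventTime`, `sourceIPAddress`, `userAgent`, `userIdentity.accessKeyId`, `sessionContext.attributes.mfaAuthenticated`) are the real schema, while the sample records, IP addresses and key IDs are constructed and have no connection to the BitoPro case.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records for illustration only. Field names follow the
# CloudTrail schema; the values (IPs, key IDs, timestamps) are invented and are not
# drawn from the BitoPro incident.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-08T01:02:03Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111111111",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    # Same temporary key, 38 minutes later, from a different IP and a different client:
    # this is what a stolen session token looks like in the trail.
    {"eventTime": "2025-05-08T01:40:00Z", "eventName": "GetSecretValue",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0 Python/3.11",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111111111",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    # A different session used from one origin only: benign under this rule.
    {"eventTime": "2025-05-08T02:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE222222222",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]


def _parse_time(ts: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_claimed(event: dict) -> bool:
    """True when the record asserts the session was MFA-authenticated.

    A stolen STS token carries this assertion with it, so the flag tells you the
    session *was* MFA'd at creation, not that the current caller is the human.
    """
    return (event.get("userIdentity", {})
                 .get("sessionContext", {})
                 .get("attributes", {})
                 .get("mfaAuthenticated") == "true")


def find_shared_sessions(events: list, window: timedelta = timedelta(hours=12)) -> dict:
    """Return {access_key_id: [(source_ip, user_agent), ...]} for temporary credentials
    that were used from more than one origin within `window` of their first sighting.

    Only ASIA... (temporary) keys are considered: they are what a session-token thief
    holds. Long-lived AKIA keys are a separate problem with separate detections.
    """
    uses_by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if not key.startswith("ASIA"):
            continue
        uses_by_key[key].append(
            (_parse_time(ev["eventTime"]), ev["sourceIPAddress"], ev.get("userAgent", ""))
        )

    suspicious = {}
    for key, uses in uses_by_key.items():
        uses.sort()  # chronological; tuples sort by the datetime first
        first_seen = uses[0][0]
        origins = sorted({(ip, ua) for seen, ip, ua in uses if seen - first_seen <= window})
        if len(origins) > 1:
            suspicious[key] = origins
    return suspicious


if __name__ == "__main__":
    hits = find_shared_sessions(SAMPLE_EVENTS)
    for key, origins in hits.items():
        print(f"{key}: used from {len(origins)} origins within the window: {origins}")
    print("every sample record claims MFA:", all(mfa_claimed(e) for e in SAMPLE_EVENTS))
```

The rule is deliberately simple; in production it should be tuned for legitimate cases such as a NAT pool that rotates egress IPs, and paired with controls that make the stolen token less useful in the first place (short session durations, `aws:SourceIp` or VPC endpoint conditions in the role's trust or permission policies, and device-bound workstation access to the console).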

From this initial foothold, the attackers used a command-and-control (C2) server to send instructions to the malware implant, which in turn injected scripts into the hot wallet host in preparation for the theft. When the wallet was upgraded and assets were transferred, the attackers diverted the cryptocurrency while blending in with routine operational activity, which delayed detection.

Once the breach was identified, BitoPro halted hot wallet operations and rotated the cryptographic keys, but by then approximately $11 million in cryptocurrency had already been stolen.

Subsequently, the company notified relevant authorities and enlisted the assistance of an external cybersecurity expert to conduct a thorough investigation, which concluded by June 11.

The North Korean Lazarus Group is widely recognized for targeting cryptocurrency and decentralized finance entities, with a history of large digital asset thefts, including the roughly $1.5 billion stolen from the Bybit exchange.