North Korea Steals $1.5 Billion

Bybit is the victim of the largest crypto heist ever

The wife and I found a new way to pass the time on a road trip. Guessing the song artist. As someone who doesn’t listen to much music, I learned two things about myself on this road trip:

First, I’m pretty good at recognizing music from specific movie scenes.

Second, I don’t know any of Drake’s songs…

Putting my shame aside, today in the cyber world we’re covering:

  • GenAI trickling down to low-level scams

  • The largest crypto heist ever and the race is on to recover the funds

  • How to check whether you are among the 493 million website/email address pairs collected from infostealer logs

-Jason

p.s. this dog is my hero 😭 😭 😭 

p.p.s. if you get value out of this newsletter, force ask your friends and co-workers to sign up!

AI Spotlight
GenAI Trickling Down to Low-Level Scams

OpenAI dropped a new report detailing how threat actors are using ChatGPT. If you’ve been reading my newsletter for any length of time, you know these reports are my favorite because they provide ground truth on how attackers are using AI in their attacks, something that the media likes to inflate.

The reports are a bit of a humble brag, but they’re well deserved because they share insights AND prevent attackers from abusing AI for nefarious purposes.

I’ve written about OpenAI and Google Gemini’s reports, which cover many of the same malicious use cases. I’m digging into new use cases I haven’t seen before for this writeup.

Chinese Surveillance Tool: A China-based threat actor used ChatGPT to generate code and sales pitches for a social media listening tool. The tool supposedly could ingest and analyze posts and comments from social media platforms related to protests in the West about human rights in China.

Hilariously, the same account was used to generate an end-of-year performance review. The person's highlight was generating phishing emails for unspecified clients.

Deceptive Employment Scheme: North Korea-based threat actors used ChatGPT to create resumes, online job profiles, and cover letters tailored to the jobs they were applying for. Of course, every good resume has references, so they created fake references as well.

When they reached the interview stage, they used ChatGPT to answer questions during the interview. The interviewers must not have noticed, because OpenAI found that the threat actors, once hired, kept using ChatGPT to perform job-related tasks like “writing code, troubleshooting, and messaging with coworkers.”

My favorite use case involved using ChatGPT to devise cover stories explaining why they avoided video calls and accessed systems from unauthorized countries at odd times.

Scams: Cambodia-based threat actors leaned into generating content supporting task, romance, and investment scams. This involved creating short comments for social media and direct conversations in multiple languages, including Japanese, Chinese, and English. They tended to target men over 40 in the medical profession…so they have a doctor fetish.

In the last six months of reading these reports, I have seen GenAI usage trickle down to lower-level cyber criminals. The usage still targets low-hanging fruit, with content and code generation/debugging being the top use cases. While it isn’t sophisticated, it makes the attacker’s job easier.

Security Deep Dive
North Korea’s $1.5 Billion Crypto Heist

North Korea’s Lazarus group is at it again with their crypto heists, but this time they dwarfed their previous record. On February 21, 2025, they stole roughly $1.46 billion in Ethereum (about 401,000 ETH) from the Dubai-based crypto exchange Bybit, one of the largest exchanges in the world.

Source: Elliptic

Now, one does not simply walk into Mordor (sorry, a crypto exchange) and casually walk home with $1.5 billion, even if it’s a digital currency. It takes a bit of doing.

While investigations are ongoing, preliminary reports from two separate firms Bybit engaged (Sygnia and Verichains) provide enough information to reconstruct a broad picture of what happened. So, let’s explore.

The attack targeted Bybit, but it didn’t begin with Bybit. The attackers first targeted Safe{Wallet}, a smart contract wallet company. A what what? Let me explain. 

A smart contract wallet offers enhanced security and interoperability because you can code conditions and logic in front of the wallet. A popular feature of smart contract wallets is a multisig wallet, which requires multiple parties to sign off on any transaction from the wallet.

It’s a modern twist on the two-key system, in which two different people have two different keys that protect something. If it protects against unauthorized nuclear missile launches that would start WWIII, it should be good enough to protect unauthorized crypto transactions, right?

Wrong.

Well, wrong when one of the Safe developers’ workstations gets compromised. And that’s exactly what happened here. Per a post from Safe on X, North Korea compromised one of its developers’ systems. A later post with details of their investigation showed that North Korea likely socially engineered the developer into running a malicious Docker project, then hijacked the developer’s AWS session tokens to bypass MFA.

That developer’s AWS access allowed the attackers to modify the front-end code that Safe{Wallet} serves to its users in production. Bybit used Safe{Wallet} to store very large quantities of crypto.

Can you see where we’re going with this?

North Korea used the developer’s access to insert malicious JavaScript into the Safe{Wallet} front end. While everything looked the same to the user, the malicious code sat silently in the background, checking every transaction and waiting for one that came from the specific wallet address it was targeting: Bybit’s.

Remember the multisig wallet? Bybit required three people to sign a transaction from Bybit’s wallet. Any one of those three people can go to Safe{Wallet} to execute a transaction.

The malicious code waited for this to happen. When Bybit went to make a legitimate transaction, the malicious JavaScript went into action and did the following:

  1. Backup the Original Data: A clone of the original legitimate transaction data was stored before any changes were made.

  2. Override Transaction Fields: The transaction’s destination, call data, and operation type were swapped out, so that the transaction the signers approved handed control of the wallet’s contract to the attacker instead of sending funds to the intended recipient. With control of the contract, the attacker could then empty the wallet into their own addresses.

  3. Executed the altered transaction: The modified transaction was signed by three Bybit employees and executed.

  4. Restore the original data: The original transaction data was restored to hide evidence of tampering.

Forensic analysis of each Bybit signer’s system found remnants of the modified Safe{Wallet} JavaScript in the browser cache. To each Bybit employee, the transaction looked legitimate because the attacker’s code hid what was happening behind the scenes: the UI showed the original transaction while the signing device was handed the altered one.

About two minutes after the transaction completed, North Korea hid its tracks by pushing a clean version of the Safe{Wallet} code that removed the malicious JavaScript.

Just because you steal $1.5 billion in crypto doesn’t mean you have it. North Korea had to start the next phase of the attack — laundering the money.

Elliptic has a great blog post that follows the money. They said the following:

North Korea is currently engaged in this second stage of laundering. Within two hours of the theft, the stolen funds were sent to 50 different wallets, each holding approximately 10,000 ETH. These are now being systematically emptied - as of 8.30am UTC on February 27, 46% of the stolen assets (now worth $626 million) have been moved from these wallets.

Source: Elliptic

Bybit isn’t backing down without a fight. They’ve declared war on Lazarus and are enlisting bounty hunters to help. These aren’t your typical bounty hunters, though. They’re nerd bounty hunters. 

These nerds are tracking down wallet addresses where North Korea is laundering the stolen funds and submitting that information to Bybit. Bybit then works with the platform where those funds are sitting (e.g., crypto exchanges, and other services) to freeze them so North Korea can’t recover them.

A bounty of 10% of the frozen funds is split evenly, with 5% going to the entity that froze the funds and 5% to the nerd bounty hunter who tipped off the location.

You can check the latest progress on their bounty program here. When I wrote this, Bybit was tracking 90% of the stolen funds and had frozen 3%, or $42 million.

Security & AI News
What Else is Happening?

🪞 If you missed my LinkedIn post on the deep fake interview this week, you have to watch it. It’s one of the few recorded attempts at a live deepfake.

🐭 Remember the Disney hack that leaked 1.2TB of Disney data online? Well, the WSJ just published a great article about the dude whose compromised account started the entire hack.

☑️ Head over to haveibeenpwned.com and check to ensure your user accounts aren’t listed in a 1.5TB dump of infostealer logs containing 493 million unique website and email address pairs. Troy Hunt, the dude behind haveibeenpwned, posted details on the new dump here.

⏩️ The UK is warning its universities to stress-test their assessments to ensure they can’t quickly be completed with AI. This comes after a survey of one thousand students, which showed that 88% have used GenAI on their assessments.

🇷🇺 Russia is warning its country’s credit and financial sector of a security breach at a major Russian IT service provider. I have to imagine this is a nation-state attack using that access to get into other companies and government systems.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week, nerd!
