North Korean Hacker Group Lazarus Steals $11.5M in Crypto from Taiwanese Exchange BitoPro

In May 2025, Lazarus Group, a state-sponsored North Korean hacker organization, orchestrated a sophisticated cyberattack against the Taiwanese cryptocurrency exchange BitoPro, stealing an estimated $11.5 million USD (approximately KRW 16 billion) worth of digital assets. The attack, carried out during a routine system maintenance window, once again underscores the persistent threat posed by nation-state actors to the global crypto ecosystem.

Exploiting a Scheduled System Update

BitoPro released an official statement confirming that the breach occurred on May 9, 2025, during scheduled infrastructure maintenance. Hackers reportedly targeted a cloud operations staff member through social engineering, gaining unauthorized access to internal systems and the platform’s hot wallet infrastructure.

Joint investigations with external cybersecurity firms found that the attackers used the compromised cloud credentials to withdraw multiple digital assets, including BTC, ETH, and USDT. The withdrawals were shaped to resemble routine operations, so the breach initially went undetected.

A Signature Lazarus Playbook

Lazarus has been involved in numerous high-profile cyberattacks since its infamous 2014 Sony Pictures breach. In February 2025, the group was also behind the historic $1.5 billion theft from global crypto exchange Bybit, which remains the largest known crypto heist to date.

Although the BitoPro theft was far smaller, cybersecurity experts noted that its timing, tactics, and choice of target (cloud operations staff and hot-wallet infrastructure) mirror Lazarus's established methods, and show the group's growing precision in exploiting operational blind spots such as maintenance windows.

Crypto Exchange Security Under Scrutiny

The incident has renewed concerns about the security of hot-wallet infrastructure, cloud account management, and internal access controls at crypto exchanges. Analysts warned that maintenance windows are an especially vulnerable period, calling for heightened monitoring and multi-layered authentication for privileged access during them.

Many are now calling for crypto platforms to reassess their operational security frameworks, with a focus on employee access limitations, security training, and proactive anomaly detection systems.
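As an added illustration of the kind of anomaly detection the analysts describe, the following Python script is not BitoPro's code and does not come from any firm involved in the investigation. It runs three simple checks over constructed withdrawal log lines (the log format, addresses, operator ids and maintenance window are all assumptions made for the example): any hot-wallet outflow inside a declared maintenance window, any destination address not seen in the baseline period, and aggregate outflow per asset in a trailing hour exceeding a multiple of the baseline peak. The third check is the one that catches withdrawals that are individually sized to look routine.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed withdrawal log for this example; these are NOT BitoPro records.
# Format: <ISO-8601 timestamp> <asset> <amount> <destination> <cloud operator id>
BASELINE_LOG = """\
2025-05-01T09:12:00Z ETH 4.0 0xdest-a ops-1
2025-05-01T13:40:00Z ETH 6.5 0xdest-b ops-2
2025-05-02T10:05:00Z USDT 20000 Tdest-c ops-1
2025-05-03T11:30:00Z ETH 5.0 0xdest-a ops-2
2025-05-03T16:45:00Z USDT 15000 Tdest-c ops-2
"""

# Assumed maintenance window during which no hot-wallet outflow is expected.
MAINTENANCE = (datetime(2025, 5, 9, 1, 0, tzinfo=timezone.utc),
               datetime(2025, 5, 9, 3, 0, tzinfo=timezone.utc))

# Constructed suspect activity: every transfer is within the per-transaction
# sizes seen in the baseline, but they fall inside the maintenance window,
# go to unseen addresses, and add up quickly. The last line is benign.
SUSPECT_LOG = """\
2025-05-09T01:10:00Z ETH 5.0 0xdest-a ops-1
2025-05-09T01:20:00Z ETH 6.0 0xdest-new ops-1
2025-05-09T01:35:00Z ETH 6.0 0xdest-new ops-1
2025-05-09T01:50:00Z USDT 19000 Tdest-new ops-1
2025-05-09T06:30:00Z USDT 10000 Tdest-c ops-2
"""


def parse_log(text):
    """Parse the assumed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, asset, amount, dest, operator = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "asset": asset, "amount": float(amount), "dest": dest, "operator": operator,
        })
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, window=timedelta(hours=1)):
    """Learn the set of known destinations and, per asset, the largest outflow
    observed in any trailing window of the given length."""
    known = {e["dest"] for e in events}
    peak = defaultdict(float)
    for asset in {e["asset"] for e in events}:
        asset_events = [e for e in events if e["asset"] == asset]
        for i, start in enumerate(asset_events):
            total = sum(e["amount"] for e in asset_events[i:] if e["ts"] - start["ts"] < window)
            peak[asset] = max(peak[asset], total)
    return {"known_dest": known, "peak_hourly": dict(peak)}


def detect(events, baseline, maintenance, window=timedelta(hours=1), multiplier=2.0):
    """Return a list of (rule, timestamp, asset, detail) alerts.

    Rules: outflow during maintenance, unseen destination, and trailing-window
    outflow above `multiplier` times the baseline peak (an asset with no
    baseline at all gets a limit of 0, so any outflow of it alerts)."""
    alerts = []
    rolling = defaultdict(list)  # asset -> events inside the trailing window
    for e in events:
        when = e["ts"].isoformat()
        if maintenance[0] <= e["ts"] < maintenance[1]:
            alerts.append(("maintenance_window_outflow", when, e["asset"], e["amount"]))
        if e["dest"] not in baseline["known_dest"]:
            alerts.append(("unseen_destination", when, e["asset"], e["dest"]))
        bucket = rolling[e["asset"]]
        bucket.append(e)
        bucket[:] = [x for x in bucket if e["ts"] - x["ts"] < window]
        total = sum(x["amount"] for x in bucket)
        limit = multiplier * baseline["peak_hourly"].get(e["asset"], 0.0)
        if total > limit:
            alerts.append(("velocity", when, e["asset"], total))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for alert in detect(parse_log(SUSPECT_LOG), base, MAINTENANCE):
        print(*alert)
```

In practice the baseline would come from weeks of ledger history rather than five lines, and a velocity rule should be paired with a hard outflow freeze during maintenance rather than only an alert; the structure of the checks is the same.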