Feb 21 began as a typical day, recalled Mr Ben Zhou, the boss of ByBit. Before going to bed he approved a fund transfer between the firm’s accounts, a routine maneuver when you’re responsible for millions of users. Half an hour later his phone rang. ‘Ben, there’s an issue,’ his chief financial officer said, voice shaking. ‘We might have been hacked… all of the Ethereum is gone.’
Why North Korean groups punch so far above their weight
That heartrending phone call is proof of a cold, efficient truth: this is criminal tradecraft that looks like warfare. North Korean operations are not random smash-and-grab jobs. They’re long, ruthless campaigns backed by a state willing to spend time, talent and patience to bypass defences, launder proceeds and disappear into the web.
There are three brutal advantages they exploit. First, funding and patience. When a nation is the sponsor, time and investment are available. Second, an institutionalised, multi-disciplinary approach: finance experts, malware developers, social engineers and money launderers working in sequence. Third, a willingness to use creative laundering routes — mixing, chain-hopping, decentralised exchanges and NFTs — to obscure movement. Together, these produce an opponent who studies crypto plumbing like a chess player studies a board.
How the thefts actually happen
They are adaptable. They steal private keys, exploit smart-contract bugs on bridges, run supply-chain assaults on wallets and custodial platforms, and leverage social engineering to trick insiders. They study human fallibility. They blend sophisticated code with painfully simple manipulations: a message pretending to be a colleague, a phish that looks exactly like the real sign-in, a contract call that looks harmless until it isn’t.
‘We thought we were too small to be targeted,’ one client told me after an incident. ‘Turns out, we were the perfect stepping stone.’
That quote still makes my jaw tighten. Small organisations often believe size equals safety. Not true. The reality is: attackers hunt for the weakest link. And a weak link is often a tiny team juggling operations, product and compliance on a shoestring.
Money movement is the real art
Stealing crypto is half the job; the other half is making it vanish. Converting ill-gotten funds into usable currency requires ingenuity. North Korean groups use a rotating toolbox: tumblers, privacy coins, cross-chain bridges, privacy-preserving swaps, layered OTC trades and even legitimate exchanges that unknowingly help with wash trading. They fragment funds into thousands of small transactions. They route through jurisdictions with lax enforcement. They convert crypto into NFTs or tokens that are then sold off via intermediaries. The goal is always the same: break the trail until it becomes a tangled knot.
Lessons from the frontline — practical, immediate and non-negotiable
I work with Singapore SMEs every week. Small teams, big ambitions, limited budgets. I have seen panic, rage and stubborn denial. I have also seen what works. Here is a plain list of actions that actually make a difference:
- Assume you will be targeted. This is not paranoia; it is a posture. When you plan as though an adversary wants your keys, your security decisions get clearer.
- Split custody and embrace multi-sig. Never keep large sums in a single hot wallet. Use distributed signing across trusted parties and hardware elements.
- Isolate critical keys. Cold storage for long-term holdings. Air-gapped signing devices where possible.
- Segment networks and limit access. Don’t let a product engineer have admin rights to treasury systems.
- Practice breach drills. Know who calls the regulator, who freezes accounts, who pulls logs. Run tabletop exercises.
- Harden smart contracts. External audits are expensive but cheaper than losing everything.
- Train teams relentlessly. Phishing is still the quickest way in. Teach people to spot the lie.
- Monitor flows actively. Run real-time transaction monitoring and raise red flags on unusual chain-hopping.
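
One way to implement the monitoring item above, as an added example (not code from the article or from any firm it mentions): a Python check over a wallet's outbound transfers that flags unapproved destinations, transfers to bridge contracts, large amounts and bursts of many transfers in a short window. All addresses, thresholds and sample records are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for this example; set them from your own treasury policy.
ALLOWLIST = {"0xCOLD_VAULT", "0xPAYROLL"}   # approved destinations (placeholders)
BRIDGES = {"0xBRIDGE_A"}                    # known bridge contracts (placeholder)
LARGE = 50.0                                # single-transfer ceiling, in ETH
BURST_COUNT, BURST_WINDOW = 5, timedelta(minutes=10)

def red_flags(transfers):
    """Return {tx_id: [reasons]} for outbound transfers that need human review."""
    flags = defaultdict(list)
    recent = defaultdict(list)  # source wallet -> [(time, tx_id)] inside the window
    for t in sorted(transfers, key=lambda t: t["time"]):
        if t["to"] in BRIDGES:
            flags[t["id"]].append("bridge")           # possible chain-hop
        elif t["to"] not in ALLOWLIST:
            flags[t["id"]].append("new-destination")  # not an approved payee
        if t["amount"] >= LARGE:
            flags[t["id"]].append("large")
        # Sliding window: many transfers from one wallet in a short time (fragmentation)
        window = [(ts, i) for ts, i in recent[t["from"]] if t["time"] - ts <= BURST_WINDOW]
        window.append((t["time"], t["id"]))
        recent[t["from"]] = window
        if len(window) >= BURST_COUNT:
            for _, i in window:
                if "burst" not in flags[i]:
                    flags[i].append("burst")
    return dict(flags)

def sample_transfers():
    """Constructed records: one routine sweep, six rapid small sends, one bridge send."""
    t0 = datetime(2025, 1, 1, 2, 0)
    txs = [{"id": "tx0", "from": "0xHOT", "to": "0xCOLD_VAULT",
            "amount": 10.0, "time": t0 - timedelta(hours=5)}]
    for n in range(6):
        txs.append({"id": f"tx{n + 1}", "from": "0xHOT", "to": f"0xUNKNOWN_{n}",
                    "amount": 2.0, "time": t0 + timedelta(minutes=n)})
    txs.append({"id": "tx7", "from": "0xHOT", "to": "0xBRIDGE_A",
                "amount": 80.0, "time": t0 + timedelta(hours=3)})
    return txs

if __name__ == "__main__":
    for tx_id, reasons in red_flags(sample_transfers()).items():
        print(tx_id, reasons)
```

In production the same rules would run on a live feed of the wallet's transactions and page whoever the breach drill names as the on-call responder.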
A short anecdote that will stick with me
A small payments startup in Singapore thought their KYC and monitoring systems were sufficient. They had a single hot wallet for convenience. One weekend, someone signed a transaction with a compromised internal key. Overnight, their balance vaporised. The founders called me at 2 a.m. I sat on the phone while they sobbed and apologised. It was avoidable. It was vivid proof that security is less about technology and more about choices.
Final word: treat this like a board-level problem
These threats are not abstract. They’re state-tolerated criminal enterprises that move money to bankroll weapons, privilege and power. You may be a tiny player in a vast ecosystem, but you’re also a node. Protecting your node helps protect the whole network. Act now. Audit, segregate, train, and plan. Insist on accountability. If your leadership treats crypto risk as a checkbox, that’s the moment to double down.
We can’t control who targets us. But we can control how we prepare. The difference between a heart-stopping 2 a.m. call and a contained incident is simple: preparedness. Choose to be prepared.

