Why does the world’s biggest crypto hack keep leading back to Park Jin Hyok? From Sony to Bybit, how did he pull off a multi-billion dollar cyber theft?
Lazarus attacks again
In a stunning event on February 21, Bybit, a well-known Dubai-based cryptocurrency exchange, fell victim to a massive cyberattack.
The hackers infiltrated the company’s Ethereum (ETH) cold wallet and made off with around $1.5 billion in digital assets. The incident is now considered the biggest heist in crypto history.
The breach was first identified by on-chain analyst ZachXBT, who noticed an abnormal withdrawal from Bybit’s account.
Bybit CEO Ben Zhou later confirmed that the attacker manipulated the transaction so that the wallet’s signers were deceived into approving a transfer to an unauthorized address.
A sophisticated technique masked the malicious transaction so that it appeared legitimate, defeating the wallet’s multi-signature security controls.
In the aftermath, blockchain investigators tied the attack to North Korea’s infamous Lazarus Group, which has coordinated major crypto heists including the $600 million Ronin Network breach in 2022 and the $234 million WazirX hack in 2024.
New reports suggest that Park Jin Hyok, a member of the Lazarus Group, could be the mastermind behind the Bybit hack.
The Bybit hack has been published, and a new report suggests that Park Jin Hyok could be held responsible. If so, this would put him among the most frightening hackers ever encountered, given his alleged track record. This incident is described as one of the biggest… pic.twitter.com/bqnb8kcpw2
– Nana Sei Anyemedu (@redhatpenter) February 22, 2025
Hyok is not a new name in the world of cybercrime. In 2018, the FBI issued a wanted notice for him, accusing him of being part of a North Korean state-sponsored hacking organization responsible for some of the most damaging computer intrusions in history.
Park Jin Hyok is #Wanted by @FBILosAngeles on charges related to his role as a computer programmer in North Korea, part of a state-sponsored hacking organization responsible for some of the most expensive computer intrusions in history. https://t.co/m6blto337l pic.twitter.com/dwefad9cbv
– FBI (@FBI) September 8, 2018
Let’s dig deeper into Park Jin Hyok’s background, the Lazarus Group’s operations, the allegations he has faced in the past, and the history of crypto-related hacking over the years.
Hackers raised by the state
The Lazarus Group, widely believed to be backed by the North Korean government, has coordinated some of the most devastating cyberattacks in history, targeting financial institutions and critical infrastructure around the world.
Behind the group’s faceless operations, however, one name has surfaced repeatedly: Park Jin Hyok, a North Korean programmer accused of leading some of the most notorious cyber heists of the past decade.
The group’s early attacks focused on espionage, gathering intelligence from military and business targets. Over time, it pivoted to financial crime, siphoning billions of dollars from banks, crypto exchanges and other digital financial platforms.
This shift came with the emergence of BlueNoroff, a Lazarus subgroup specialising in financial cyberattacks, first identified by cybersecurity firm Kaspersky Lab.
Researchers linked several well-known hacks to BlueNoroff, citing direct IP connections to North Korea. At the same time, they warned that some of the patterns could be deliberate misdirection, in other words a false flag designed to frame Pyongyang.
Hyok, however, is not a manufactured identity. Despite North Korea’s claims that he does not exist, he is very real, with a well-documented history linking him to Lazarus and the country’s cyberwarfare apparatus.
A graduate of Kim Chaek University of Technology in Pyongyang, Hyok began his career at Chosun Expo, a government-affiliated IT company operating in both North Korea and China.
Considered a front for state-sponsored cyber operations, the company served as a recruitment pipeline for elite programmers tasked with carrying out cyberattacks under the command of Lab 110, a unit of North Korea’s military intelligence.
Hyok’s name entered the international spotlight following the infamous Sony Pictures hack in 2014.
The attack, retaliation for the satirical film “The Interview,” crippled Sony’s internal network and leaked a huge amount of sensitive data, causing an estimated $35 million in damage.
However, it was the 2017 WannaCry ransomware outbreak that cemented the reputation of both Lazarus and Hyok as masterminds of state-backed cybercrime.
The malware encrypted data on infected computers and demanded cryptocurrency payments for the decryption keys, causing chaos on a global scale.
The effects of the attack were devastating, yet North Korea denied any involvement despite overwhelming evidence linking it to Lazarus.
Since then, the group’s tactics have evolved and shifted more aggressively towards crypto theft, a strategy consistent with North Korea’s growing reliance on illicit finance to evade international sanctions.
Building a cybercrime legend
The group’s foray into crypto crime attracted widespread attention in 2017, the same year Hyok was first identified as a key figure in Lazarus.
That year, a series of cyberattacks on South Korean exchanges siphoned millions from trading platforms, including the now-defunct Youbit, which lost 17% of its assets in a single breach.
Then, in 2018, the group carried out a $530 million theft from the Japanese exchange Coincheck, the largest crypto heist at the time.
Investigators linked the attack to North Korean operatives who infiltrated Coincheck’s network using a combination of phishing campaigns, social engineering and sophisticated malware.
Hyok’s expertise in developing malicious software and creating deceptive digital identities is thought to have played a key role in giving the attackers access to the private keys controlling a large quantity of NEM tokens.
As their tactics grew more refined, Lazarus shifted to directly targeting blockchain networks.
The 2022 Ronin Network breach was one of the most damaging in crypto history, with $600 million drained from the Axie Infinity (AXS) sidechain through a carefully planned social engineering attack.
The hackers exploited a weakness in Ronin’s validator system, using compromised private keys to approve illicit transactions. These are hallmarks of attacks that require deep technical knowledge, patience and precision, the kind of expertise attributed to Park.
US authorities later confirmed that the stolen funds had been laundered through various decentralized protocols before flowing into the North Korean financial system.
The trend continued in 2023 and 2024, with Lazarus striking again.
In July 2024, WazirX, one of India’s biggest exchanges, lost $234 million in yet another case of multi-layered deception.
The attackers exploited a vulnerability in the exchange’s API permissions and gained unauthorized access to transfer funds while bypassing internal security triggers.
Blockchain forensics teams tracked the stolen assets through a labyrinth of mixing services, and the digital breadcrumbs once again led back to North Korea.
And now the Bybit hack has revived the same pattern, this time on an even larger scale.
The world is losing the cyber war – and Hyok knows it
The Lazarus Group’s cyber warfare has evolved into a well-honed playbook that combines deception, infiltration and precision laundering.
Its ability to weaponize human psychology is one of its most frightening advantages, allowing even the most sophisticated security measures to be bypassed. And, as recent data shows, the group is only getting more efficient at its craft.
According to Chainalysis, North Korean hackers stole $660 million across 20 incidents in 2023.
In 2024, the figure surged to $1.34 billion stolen across 47 incidents, an increase of over 102%. These figures accounted for 61% of all crypto stolen that year, with the Lazarus Group responsible for almost every large exploit over $100 million.
Now, just two months into 2025, they have already surpassed their 2024 total, taking $1.5 billion in the Bybit hack alone.
The group’s operations begin long before a breach occurs. Over the past few years, North Korean IT workers have systematically embedded themselves in crypto and Web3 companies, using fake identities, third-party recruiters and remote job opportunities to gain insider access.
In 2024, the US Department of Justice charged 14 North Korean nationals who had secured employment at US companies under false identities and, by exploiting their positions, stole more than $88 million.
These operatives act as silent insiders, providing Lazarus with intelligence on exchange security protocols, wallet structures and internal transaction flows.
Once embedded, Lazarus carries out its attacks through social engineering, phishing and technical exploits. Employees are targeted with meticulously crafted emails that impersonate trusted entities in order to extract login credentials.
The Bybit hack followed a similar pattern. The attackers deceived the exchange’s multi-signature signers into approving malicious transactions disguised as routine approvals.
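The signer deception described above (and in the account of the Bybit breach earlier on this page) works because a multisig signer approves a hash, not the screen in front of them. The following is an added example, not code from the article or from Bybit, showing the minimal "verify what you sign" check a signer can run: recompute the hash from the fields displayed and refuse if it differs from the hash being presented for signature. The transaction layout, the JSON/SHA-256 hashing scheme (a stand-in for a real wallet's ABI or EIP-712 encoding), the addresses and the allowlist are all assumptions made for this example.

```python
"""
Added example (not from the article or Bybit): a minimal "verify what you sign"
check for a multisig signer. A signer who approves whatever hash the signing
UI presents can be tricked into authorising a transaction whose real fields
(destination, operation type) differ from what the screen shows. Recomputing
the hash from the displayed fields catches the substitution.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass

# Assumed operation codes: a plain call moves funds as displayed; a delegatecall
# runs foreign code with the wallet's own storage and balances.
CALL = 0
DELEGATECALL = 1


@dataclass(frozen=True)
class MultisigTx:
    to: str          # destination address (hypothetical values below)
    value_wei: int   # amount of ETH moved
    data: str        # hex-encoded calldata
    operation: int   # CALL or DELEGATECALL
    nonce: int       # wallet nonce, prevents replay


def canonical_bytes(tx: MultisigTx) -> bytes:
    # Deterministic encoding: sorted keys, no whitespace. Real wallets hash an
    # ABI/EIP-712 encoding; JSON + SHA-256 is an assumption for this example.
    return json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()


def tx_hash(tx: MultisigTx) -> str:
    """Hash that the signer is asked to sign; covers every field of the tx."""
    return hashlib.sha256(canonical_bytes(tx)).hexdigest()


def signer_check(displayed: MultisigTx, hash_to_sign: str, allowlist: set) -> list:
    """
    Return the reasons a signer should refuse to sign; an empty list means the
    displayed transaction is exactly what the hash commits to and it passes the
    policy checks. The first check is the one that defeats UI substitution.
    """
    problems = []
    if tx_hash(displayed) != hash_to_sign:
        problems.append("hash mismatch: presented hash does not commit to the displayed fields")
    if displayed.operation != CALL:
        problems.append("operation is DELEGATECALL: wallet logic could be replaced")
    if displayed.to.lower() not in {a.lower() for a in allowlist}:
        problems.append(f"destination {displayed.to} is not on the allowlist")
    return problems


# Constructed sample data (hypothetical addresses, not real ones).
WARM_WALLET = "0xAAAA000000000000000000000000000000000001"
ATTACKER_CONTRACT = "0xBBBB000000000000000000000000000000000002"
ALLOWLIST = {WARM_WALLET}

# What the signer sees: a routine cold-to-warm transfer.
ROUTINE = MultisigTx(to=WARM_WALLET, value_wei=10**18, data="0x", operation=CALL, nonce=42)
# What the hash actually commits to: same nonce and value, different target and
# operation type. Only the hash is sent to the signing device.
MALICIOUS = MultisigTx(to=ATTACKER_CONTRACT, value_wei=10**18, data="0x", operation=DELEGATECALL, nonce=42)


if __name__ == "__main__":
    print("honest request :", signer_check(ROUTINE, tx_hash(ROUTINE), ALLOWLIST))
    print("spoofed request:", signer_check(ROUTINE, tx_hash(MALICIOUS), ALLOWLIST))
    print("if shown truth :", signer_check(MALICIOUS, tx_hash(MALICIOUS), ALLOWLIST))
```

The point of the example is the ordering of trust: the hash is computed by the signer from fields the signer can read, rather than accepted from the interface that proposes the transaction. A hardware signer that shows only an opaque hash cannot perform this comparison, which is why the check has to run on an independent, trusted display of the full transaction.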
Once funds are stolen, they are moved quickly through decentralized exchanges, the Tornado Cash (TORN) mixer and cross-chain bridges.
These transactions rapidly shuffle assets across different blockchains, making it difficult for investigators to trace them back to their origin.
Typically, stolen crypto is converted several times between Bitcoin (BTC), Ethereum and stablecoins before reaching a wallet ultimately controlled by North Korean operatives.
Some of these assets are cashed out through seemingly legitimate crypto trading firms, further obscuring their origin and allowing the regime to convert digital assets into hard currency.
Through all of this, Park Jin Hyok stands at the heart of almost every major Lazarus operation. Whether he is the architect of these heists or merely one of their most skilled operatives, his fingerprints are everywhere.
With the Bybit attack rewriting the playbook yet again, the real question is not just how they pulled it off, but how long the world can keep up before the next billion disappears into the digital void.
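The laundering chain described above (swap, bridge, chain-hop, cash-out through a trading firm) is what forensics teams trace when they follow "digital breadcrumbs". The block below is an added example, not code from the article or from any forensics vendor, of one standard tracing method: "haircut" taint propagation, where an address that received part of its funds from the theft passes that same proportion of taint on to every outgoing transfer. The ledger, the addresses and the chain roles (DEX router, bridge, mixer, OTC desk) are constructed for the example; real tracing runs over indexed chain data with bridge and mixer heuristics on top.

```python
"""
Added example (not from the article): a toy fund tracer that follows stolen
assets through the hop pattern the article describes using proportional
("haircut") taint propagation. The ledger below is constructed: a theft, a swap
through a DEX router, a bridge hop, co-mingling with clean funds, a mixer and an
OTC cash-out. Amounts are in a single abstract unit for simplicity.
"""
from collections import defaultdict, deque

# Constructed ledger of transfers: (source, destination, amount). Addresses
# are placeholders, not real ones.
LEDGER = [
    ("bybit_cold", "thief_1", 100.0),   # the theft itself
    ("thief_1", "dex_router", 60.0),    # swap part of it (ETH -> stablecoin)
    ("thief_1", "bridge_A", 40.0),      # bridge the rest to another chain
    ("dex_router", "thief_2", 60.0),
    ("bridge_A", "thief_3", 40.0),
    ("clean_user", "thief_3", 60.0),    # unrelated funds join the same pot
    ("thief_3", "otc_desk", 100.0),     # cash-out through a trading firm
    ("thief_2", "mixer", 60.0),         # into a mixer, where tracing stops
    ("clean_user", "exchange", 10.0),   # unrelated transfer, must stay clean
]


def trace_haircut(ledger, origin):
    """
    Propagate taint from `origin` (treated as fully tainted) along the ledger.
    An address that received T tainted units out of N total forwards T/N of
    every outgoing transfer as tainted. Nodes are processed in topological
    order (Kahn's algorithm) so every inflow is tallied before the outflows
    are split; the flow graph of a single theft is acyclic, which this assumes.
    Returns (tainted_amount_by_address, hop_count_by_address).
    """
    outflows = defaultdict(list)
    inflow_total = defaultdict(float)
    indegree = defaultdict(int)
    nodes = set()
    for src, dst, amt in ledger:
        outflows[src].append((dst, amt))
        inflow_total[dst] += amt
        indegree[dst] += 1
        nodes.update((src, dst))

    tainted = defaultdict(float)
    hops = {origin: 0}
    queue = deque(sorted(n for n in nodes if indegree[n] == 0))
    while queue:
        node = queue.popleft()
        if node == origin:
            fraction = 1.0
        elif inflow_total[node] > 0 and tainted[node] > 0:
            fraction = tainted[node] / inflow_total[node]
        else:
            fraction = 0.0
        for dst, amt in outflows[node]:
            if fraction > 0:
                tainted[dst] += amt * fraction
                hops[dst] = min(hops.get(dst, hops[node] + 1), hops[node] + 1)
            indegree[dst] -= 1
            if indegree[dst] == 0:
                queue.append(dst)
    return {a: t for a, t in tainted.items() if t > 0}, hops


def sinks(tainted, ledger):
    """Tainted addresses with no outgoing transfers: where the trail ends
    (mixers, cash-out venues) and where a freeze or subpoena would be aimed."""
    has_outflow = {src for src, _, _ in ledger}
    return sorted(a for a in tainted if a not in has_outflow)


if __name__ == "__main__":
    tainted, hops = trace_haircut(LEDGER, "bybit_cold")
    for addr in sorted(tainted, key=lambda a: hops[a]):
        print(f"hop {hops[addr]}: {addr:<12} tainted={tainted[addr]:.1f}")
    print("trail ends at:", sinks(tainted, LEDGER))
```

In the constructed ledger the OTC desk ends up holding 40 tainted units out of the 100 it received, because the wallet feeding it mixed 40 stolen units with 60 clean ones, while the full 60 units that went into the mixer are tainted. That proportional split is the whole idea of the haircut method: it never claims more taint than the arithmetic supports, which is what makes it defensible when an exchange or desk is asked to freeze funds.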
Discover more from Earlybirds Invest