The Lazarus Group, The Bybit Hack and Sanctions: The New Battleground with Andrew Fierman

Andrew Fierman explains how North Korea's Lazarus Group hacked Bybit for $1.5 billion and key takeaways from Chainalysis' Crypto Crime Report 2025.

Fresh out of the studio, Andrew Fierman, Head of National Security Intelligence at Chainalysis, provides an in-depth analysis of the recent $1.5 billion Bybit hack orchestrated by North Korea's Lazarus Group. Starting from his career journey from traditional banking to blockchain analytics, Andrew shares his expertise on how sanctioned entities operate in the cryptocurrency space and the sophisticated techniques employed by state-sponsored hackers. He explains how blockchain's transparency enables tracking of stolen funds, revealing that over 90% of the stolen $1.5 billion remains on the blockchain despite moving through thousands of wallets. Andrew details how sanctioned states are increasingly turning to stablecoins and decentralized finance to evade traditional banking controls, while emphasizing the importance of KYC procedures and blockchain analytics in disrupting illicit activities. Last but not least, Andrew shares his perspectives on emerging threats in cryptocurrency security, including how AI-powered deepfakes and digital identity forgery are lowering barriers to sophisticated attacks.


"The thing that's most fascinating: we talk a lot about how complex North Korea is here, but when you compare it to some of the other illicit groups, particularly those that are sanctioned, say your terrorist organization that's soliciting donations on Telegram or some other social media outlet, understanding what that difference in the level of complexity is, I think, is really fascinating to actually know about. When we're talking about DPRK, we're talking about laundering of funds through tens of thousands. By the time we're done, it'll be hundreds of thousands of wallets. And then on the other end of it, we have a terrorist organization that was sanctioned mid last year for facilitating on behalf of Hamas. After they got sanctioned and the addresses that they were using got seized and disrupted, they got annoyed and they tried to bridge funds with their new Ethereum wallet after they received a few donations, and they didn't even have the gas fees to facilitate it. And the transaction... when we're talking about the difference in the level of complexity here, it is really fascinating to know the nuance, and it's not to say that other nation states, like Russia or Iran, don't have any level of complexity. They certainly do." - Andrew Fierman, Head of National Security Intelligence at Chainalysis Inc

Profile: Andrew Fierman, Head of National Security Intelligence at Chainalysis Inc (LinkedIn)

Here is the edited transcript of our conversation:

Bernard Leong: Welcome to Analyze Asia, the premier podcast dedicated to dissecting the pulse of business technology and media in Asia. I'm Bernard Leong, and the recent Bybit hack by the Lazarus Group has shaken the entire crypto market. With me today, Andrew Fierman, head of National Security Intelligence at Chainalysis, to share with us on the fallout and the key takeaways from their recent Crypto Crime Report from Chainalysis 2025. So, Andrew, welcome to the show.

Andrew Fierman: Thanks for having me.

Bernard Leong: First, I want to start with your origin story. How did you start your career?

Andrew Fierman: I've been in financial crimes compliance for about a decade prior to joining Chainalysis. I started doing Know Your Customer at JPMorgan Chase. I got more into anti-money laundering, sanctions, and found a unique interest in sanctions and geopolitics, especially around understanding how illicit actors were facilitating sanctions evasion through financial institutions.

What I realized is most people who are on a sanctioned list aren't typically going to walk into a US bank to bring US dollars directly. So my question was always, how are they going about doing that? I have studied everything from how terrorist organizations use charities to how North Korea uses shell companies or employs evasive tactics in the shipping industry, to how Russia and Iran have done it historically.

After taking on the role as head of sanctions at Barclays, I decided to come over to Chainalysis, where I got to focus on this entire new landscape and figure out how these actors and everything that they do traditionally in finance applies to the blockchain. I've been here for a little bit over three years now.

Bernard Leong: This is interesting because you transitioned from a traditional banking institution to the dynamic world of blockchain analytics at Chainalysis. What are the key differences and learning experiences that helped you make that transition?

Andrew Fierman: It was a lot of studying new terminology and understanding how the blockchain operates. But being fully honest, after spending some time at Chainalysis doing introductory courses, I realized pretty quickly that many concepts when tracing money translate easily. Knowing how Bitcoin versus Ethereum gets laundered is certainly different than following US dollars, but the concept of shell companies now becomes hops or unknown intermediaries, and utilizing different jurisdictions is still a very typical typology. So a lot translated clearly for me early on.

Bernard Leong: How about things like crypto Twitter? There are Twitter accounts that do sleuthing and checking which wallets have made transfers. Does that increase your monitoring surface area or does it help make it different compared to traditional institutions, where there's no "financial Twitter" to know who is sending cash?

Andrew Fierman: You've touched on a unique aspect of blockchain transparency. When it comes to financial institutions, the SWIFT system and messages that belong to transactions at your financial institution only belong to your institution. They're not sitting on a block explorer or on crypto Twitter for everyone to analyze.

It's impressive following how quickly those on platforms like Twitter come to help, especially with instances like Bybit. One fascinating angle I see from Chainalysis is that our role is to map the entire ecosystem. We can visualize start points and end points in how money moves overall, which adds a layer of context that maybe crypto Twitter doesn't get. We're not as privatized as a financial institution, but we have more context when doing our investigations.

Bernard Leong: Being a crypto investor for a long time, I've been following Chainalysis. What lessons from your career journey can you share with my audience?

Andrew Fierman: Always be open to new challenges and don't just follow processes and procedures, but push your understanding to new areas. The blockchain ecosystem is here to stay. I see people from the compliance industry finally trying to catch up and wanting to get into crypto. But it's crypto, AI, emerging technology broadly speaking - diving in and being willing to learn these new things doesn't just help career opportunities, but helps you better fight against the crime you're investigating.

Bybit Hack Analysis

Bernard Leong: Let's get to the main subject: the Bybit hack, the Lazarus group, and the Cyber Crime report from Chainalysis 2025. First, let's start with the recent Bybit hack. The theft is approximately 1.5 billion USD in cryptocurrency, and most has allegedly been laundered off on THORChain, reportedly orchestrated by North Korea's Lazarus group. From your professional standpoint, can you walk us through the tactics and methods employed in this breach and how they align with previous patterns observed from state-sponsored actors?

Andrew Fierman: In this specific incident, the exploit occurred through an impact on a third-party vendor, SafeWallet, that was being utilized by Bybit. This made it look like a transfer from a cold storage wallet to a warm wallet was being finished, but the funds got exploited out to a wallet controlled by North Korea without the awareness of those doing the signing on the Bybit side.

This is a unique method using the third-party vendor as the access point, but North Korea and the Lazarus Group have always used varying forms of social engineering to gain access. Whether sending a phishing email to apply malware, getting in the back door through IT remote employees - the techniques evolve. This is a trend with North Korea for decades. They're a heavily sanctioned nation without much value in exports or international trade partners, so their way of making money has always come through unique ways of evading sanctions. Exploiting the crypto and Web3 ecosystem is just the newest technique.

Every time these hacks occur, the industry develops a blueprint to improve security measures. However, as they improve security, North Korea will find different ways. Part of it is a volume play - if you have tens of thousands of employees and send out emails, maybe during bonus season saying "here's your bonus information, click here," somebody will be excited to see their bonus and click the link. Then it's too late.

So while there was a unique angle in exploiting a third-party vendor providing access to Bybit, rather than directly through Bybit, the aspect of social engineering is standard but ever growing in capability and creativity.

Bernard Leong: It's interesting how they implemented a hack by putting in software that made the user think it was safe. There's also the concentration risk of putting so much money in one wallet, which isn't typical practice. They had to tie the machine back and look at the software on the laptop to discover some software that was deleted the next day. That's what makes this hack so sophisticated. The Lazarus group has been implicated in high-profile cryptocurrency thefts - can you shed light on their typical operational methods and how they've evolved?

Andrew Fierman: When discussing social engineering, they're getting more creative in their technical access points. For the on-chain aspect, North Korea from a nation-state perspective is by far the most technically advanced illicit actor.

They use a consistent fingerprint in laundering funds. We've seen this happen repeatedly where Lazarus group gets the exploit to a single wallet, then breaks down funds to a handful of wallets, usually a few dozen, and starts bridging using DeFi protocols and no-KYC instant swap services to move from Ethereum into Bitcoin. They then chop it up further through mixers to further obfuscate where funds are going.

While it's complicated, hope isn't lost. The 1.5 billion was stolen, and there's been wording about it being "laundered," but the laundering process has just begun. As of a few days ago, our numbers indicate over 90% of the funds are still on the blockchain. For the 10% no longer there, that includes seizures and disruptions (like with Mantle's 43 million seized quickly after the hack), lost funds, fees, and small portions that have been off-ramped.

We're currently tracking over 4,000 Bitcoin wallets with balances. With stronger compliance in the ecosystem than ever before and more regulation, compliance teams at exchanges are more reactive and readily available to seize funds if they come to their platform. When dealing with 1.5 billion, you can't just bring that to your corner store to launder into cash.

Bernard Leong: Yes, off-ramping is definitely difficult. From a sanctions perspective, what evolving tactics do you observe in their laundering process, and how effective are current enforcement measures in countering their strategies?

Andrew Fierman: This is by far the largest hack ever - before this, it was 611 million, now 1.5 billion. The scale and volume at which they're laundering isn't someone sitting in a room pressing buttons to move funds. This is a coordinated, meticulous effort. Concepts like AI bots and timed transactions are likely playing a persistent role.

When laundering $20 million, there's only so much you can do before losing more to fees than it's worth laundering, so that process happens more quickly with fewer wallets. But with 1.5 billion dollars, it's a waiting game for North Korea. While the bounty program was set up and while Chainalysis, other blockchain analytics firms, governments, and crypto Twitter are tracking in real time, the goal isn't just to break it up and launder it quickly. Part of it is waiting - sitting on funds for weeks, months, years, until the news cycle cools down and people focus elsewhere. Then they'll pick up the pace again.

With the development of compliance programs in the global crypto exchange ecosystem, along with awareness and capabilities of government agencies and blockchain analytics firms, plus crypto Twitter sleuths, you have people attempting to disrupt any dollar possible. Because the blockchain is a real-time, borderless, 24-hour function, so is the industry around it. That's unique - with the SWIFT system, you're talking about something open from 8am to 6pm Eastern time, five days a week. If you haven't laundered your money by 6pm and everyone's gone for the weekend, you wait until Monday. But Lazarus group knows that's not the case here.

I was in my living room at 10:30am when I found out this happened on a Friday, and Bybit is headquartered in Dubai. So that's roughly 7:30pm Friday night when people have gone home for the weekend. Getting a team operating around the clock to monitor this - that timing wasn't coincidental for North Korea.

Bernard Leong: The 24/7 element makes it challenging and exciting for people trying to understand what's happening in such a short time. Considering the decentralized nature of cryptocurrencies, what role does blockchain analytics and international cooperation play in identifying and mitigating risks posed by state-sponsored cybercriminal groups like the Lazarus group?

Andrew Fierman: Tracing through bridges and DeFi protocols can be done by anyone with investigative capabilities. The real focus is still on transferring crypto to fiat. As off-ramping becomes more challenging, the industry is doing a better job. While we don't want to watch them try to launder until they have zero dollars left from fees, there's value in making it significantly more difficult for North Korea to cash out.

The days are gone when you could sneak $500,000 or a million dollars out of a mainstream exchange in 2025. While crypto is 24/7, fiat transfers aren't. You can request to cash out and wire proceeds to your bank, but there's still a 24-72 hour hold before funds leave the exchange. This creates an opportunity to disrupt.

Because exchanges have real-time 24-hour incident response teams, the blockchain analytics community has global services and intelligence teams working 24/7, and law enforcement is doing the same, there's an ever-present opportunity to seize and disrupt. We announced early on that alongside Tether, we seized $100,000. While $100,000 out of 1.5 billion doesn't feel like much, doing that every few days takes money away quickly, and that adds up.

Bernard Leong: What's the one thing very few people know in cryptocurrency and national security intelligence when dealing with sanctioned groups?

Andrew Fierman: The most fascinating thing is comparing North Korea's complexity to other illicit groups, particularly sanctioned ones like terrorist organizations soliciting donations on Telegram or social media. Understanding that difference in complexity is fascinating.

With DPRK, we're talking about laundering funds through tens of thousands - by the time we're done, hundreds of thousands of wallets. Then on the other end, we have a terrorist organization sanctioned mid-last year for facilitating on behalf of Hamas. After they were sanctioned and their addresses seized, they got annoyed and tried to bridge funds with a new Ethereum wallet after receiving donations, but didn't even have the gas fees to facilitate the transaction.

The difference in complexity is remarkable. Other nation-states like Russia or Iran certainly have complexity - we've seen Iran and the Revolutionary Guard Corps launder money effectively at scales of hundreds of millions of dollars. But the unique differences between different sanctioned actors and how they utilize cryptocurrency are fascinating.

Bernard Leong: It would be a joke if they didn't have enough gas to make transactions. Given increasing sophistication, what can cryptocurrency exchanges and companies do to bolster defenses against such threats? When I started in 2015, every transaction sent to a wallet is now monitored. It's difficult for these groups to off-ramp through exchanges. What else can exchanges do to improve defenses?

Andrew Fierman: One thing that's taken off is blockchain analytics. For those unfamiliar with how a blockchain analytics firm integrates with an exchange or financial institution: the analytics firm's goal is to map the crypto ecosystem, including wallets used to launder proceeds from this 1.5 billion hack. We map those in real-time, so when money moves, we tag it as "Bybit stolen funds." Any customer using our product who receives those funds gets an alert notification, allowing them to freeze and disrupt them.

The challenging aspect that every exchange and financial institution continues working on is KYC. People don't sign up as "Lazarus group laundering person #2." This is likely someone with falsified documentation operating in a permitted jurisdiction who may have done some trading before. Once they receive laundered Bybit hack funds, exchanges need to understand what other touchpoints that person has - other accounts with the same email or IP address - utilizing the full tech stack of metadata available in internet banking to ensure these hackers aren't sitting at your exchange waiting to receive funds.

The industry has come leaps and bounds, making it harder. The bigger the hack and more money at stake, the harder it is to get those funds off-ramped.

Sanctions and Alternative Financial Mechanisms

Bernard Leong: Let's discuss the 2025 Crypto Crime Report by Chainalysis. It highlights a shift where sanctioned states are increasingly utilizing stablecoins, CBDCs, and decentralized finance platforms to circumvent enforcement. Can you elaborate on how these alternative financial mechanisms are being leveraged for sanctions evasion?

Andrew Fierman: If you consider the value of stablecoins for a sanctioned nation or actor: when sanctioned, you can't utilize the US dollar in traditional banking. Because of the stability and global usage of the US dollar, it remains the primary trading currency. If you can't access it through traditional institutions, a stablecoin becomes an interesting option, giving you ability to utilize the US dollar equivalent.

The problem for them is that stablecoin issuers can freeze funds wherever they're located. You don't need to wait for funds to reach a centralized exchange that will respond to law enforcement. If you know funds in a wallet belong to a sanctioned person, stablecoin issuers can seize and disrupt.

We just saw this in the takedown of Garantex, Russia's largest sanctioned cryptocurrency exchange. It facilitated tens of billions of dollars involving ransomware laundering and sanctions evasion for oligarchs. With one move, about 28 million in USDT was seized by Tether, and law enforcement took down their website - a one-two punch knocking them out.

For a sanctioned entity like Russia, where nearly every Russian bank has been sanctioned and subject to secondary sanctions, everyday Russians needing to move money looked to Garantex, which used stablecoins. But now they've lost those stablecoins through seizure.

Bernard Leong: With countries like Russia passing legislation to support international crypto payments and aligning with nations like China and India, what challenges does this pose to traditional sanction frameworks? How are authorities adapting?

Andrew Fierman: Secondary sanctions play a unique role. If an entity is sanctioned, doing business with them can cause a fine or criminal liability. But interacting with someone subject to secondary sanctions means you could get sanctioned yourself, which doesn't apply when interacting with normally sanctioned entities. Secondary sanctions are really "the stick" - we're not just financially punishing you for doing business with these actors; you're subject to sanctions risk yourself.

Because all mainstream Russian financial institutions are subject to secondary sanctions, jurisdictions like China or India considering business with Russia in rupees or other non-US currencies will have second thoughts when secondary sanctions apply. These were applied across different aspects, including Garantex.

While Russia has produced legislation to facilitate cryptocurrency for international business, I'm curious how that works in reality at scale. China was interested in doing business with Russia before secondary sanctions were implemented, which created a cooling effect. Plus, the issue with stablecoins means if you want something similar to the US dollar with international partners, you risk those funds being seized at any point in the transaction.

There's an opportunity, and it's not that it doesn't or can't happen. But most people don't want to conduct international trade with volatile assets. If you're selling oil at a discount and getting Bitcoin that drops 10% in a day, you're losing money due to currency volatility. It's yet to be seen how this would work at scale in reality.

Bernard Leong: As decentralized finance platforms persist and evolve, how are authorities and compliance tools adapting to close loopholes exploited by sanctioned states, where traditional banking controls become ineffective because they bypass traditional exchanges for decentralized ones?

Andrew Fierman: The regulatory framework around decentralized protocols and the DeFi ecosystem is still debated. Tornado Cash has been a hot button topic across the country. My take on the US government's sentiment is that mixing services and DeFi protocols can exist, but not for laundering hundreds of millions for North Korea.

This raises questions about solutions like IP blocking and automated controls for DeFi protocols to block certain wallet types. After the Tornado Cash designation, people sent Tornado Cash funds to Jimmy Fallon and Snoop Dogg's wallets in protest, tainting them with sanctioned entity exposure, potentially preventing them from using DeFi protocols or cashing out personal funds.

Bernard Leong: That's like the dusting attacks I see as a Coinbase wallet owner. Exchanges will recognize if you refuse to declare it as a dusting attack. But how are these illicit activities becoming more widespread where consumers can get involved in secondary sanction situations?

Andrew Fierman: Most government agencies understand that if you've been dusted with a few dollars, you're probably not a national security risk.

Bernard Leong: But that's what they did to Jimmy Fallon and everyone.

Andrew Fierman: Yes, Jimmy Fallon and Snoop Dogg, the national security risks in the United States! Just kidding. This is part of the growth process in the crypto ecosystem. I don't have a crystal ball for where compliance and regulation will land, but the sentiment exists. I read today that one protocol that had been used had taken fees from transfers, and there was a request to return those earned fees from the hack. The financing mechanism in crypto could use more clarification around regulatory boundaries and frameworks.

Bernard Leong: In this situation, what proactive measures can the crypto industry implement to enhance compliance and address illicit activities, specifically with evolving tech like DeFi and privacy coins? There have been proposals like Vitalik's privacy pools, and builders trying to develop protocols addressing industry issues.

Andrew Fierman: There are many possible approaches, ultimately requiring a balancing act on both sides. We've seen large exchanges off-board privacy coins like Monero. Some deal with mixers, some don't. How should exchanges treat funds from mixers? Perhaps zero-knowledge proofs could help validate that someone's source of funds was clean, and they're just mixing because they wanted to send money without revealing their wealth. There are endless possibilities where there could be more compliance and regulation alongside more freedom and opportunity to operate with mutual middle ground.

Future Developments and Closing

Bernard Leong: What question do you wish more people would ask you about sanctions and the crypto industry?

Andrew Fierman: Where am I going on my next vacation? No, I think it's "what's next?" As entities like Lazarus Group continue being creative, how will they go about it, and what's their next approach? These questions are constantly on my mind.

What I believe is next with North Korea is that the barrier to technology facilitating access points is lowering. If you wanted a fake passport 10 years ago, you had to use a darknet market and wait for physical mail. Today, people can create convincing deepfake passports for a few dollars to $50 that could pass KYC. For a few hundred dollars, you could set up AI voice and facial recognition to validate identity. Even if an exchange asks for a 10-second video holding today's newspaper with your passport, someone can make that happen with a few hundred dollars and appear to be Brad Pitt.

Access to this sophistication will challenge the industry in preventing North Korea from creating these entry points. The emerging threat is new technology and how our compliance programs and Web3 companies hiring remote employees conduct due diligence to verify information. Blockchain might be an answer with smart contracts validating identity.

Bernard Leong: But no one has implemented it yet.

Andrew Fierman: We're not there yet. There's no national repository confirming every citizen's identity.

Bernard Leong: I notice blockchain companies now do extensive background searches, even on developers they hire, fearing compromise. This changes how people discuss the industry versus 10 years ago when pseudonymous persons could join protocols. So my closing question: what does success mean for the crypto industry in fending off these sanctioned hacker groups?

Andrew Fierman: Part of it is learning from security breaches and ensuring strong security frameworks and due diligence processes for employees, so your organization isn't susceptible to security risks. I'd probably say for everyone: don't click on any email link ever.

Bernard Leong: I literally do that now. I go to the website separately and sometimes check in incognito mode.

Andrew Fierman: On the other side, continue building effective, active compliance programs that can disrupt a network immediately when law enforcement calls. Blockchain analytics firms should continue helping facilitate seizure, disruption, and return of funds. The transparency and immutability of the blockchain itself is a security measure - the fact that every transaction is visible and we're still tracking over 90% of 1.5 billion dollars after it's moved through tens of thousands of wallets.

Not all of that missing 10% has been cashed out - it includes fees, frozen funds, and some cash-outs. The industry is getting smarter and better, making incidents harder to execute, which hopefully someday deters even attempting them.

Bernard Leong: I look forward to days when cryptocurrency exchanges don't get hacked. Andrew, thanks for coming on the show and educating me on nuanced aspects of sanctions that normal people don't think about. In closing, any recommendations that have inspired you recently?

Andrew Fierman: The recommendation of the day is to read "The Lazarus Heist" by Geoff White if you want to know how currency and traditional banks have been exploited by North Korea. It reads like an action thriller.

Bernard Leong: How can my audience find you?

Andrew Fierman: Just on LinkedIn. Look me up by name. I'm not a crypto Twitter guy myself.

Bernard Leong: But you monitor crypto Twitter.

Andrew Fierman: Exactly.

Bernard Leong: Thanks for coming on the show. You can all subscribe to us on YouTube and Spotify. We are now on video and across all broadcast platforms. Drop us a note if there's anything you'd like to hear about. Andrew, thanks for coming on the show, and I look forward to speaking with you again.

Andrew Fierman: Thanks for having me, Bernard. I really appreciate it.

Podcast Information: Bernard Leong (@bernardleong, LinkedIn) hosts and produces the show. Proper credits for the intro and end music: "Energetic Sports Drive". The episode is mixed and edited in both video and audio format by G. Thomas Craig (@gthomascraig, LinkedIn). Here are the links to watch or listen to our podcast.
