One click, one bad update—and 2,000 bitcoin, roughly 200 million US dollars, vanished in seconds. The trail runs through wallets, mixers, DeFi protocols—and ends with the world’s most feared hackers: Lazarus, North Korea’s invisible cyber army. They’ve robbed banks, looted crypto exchanges, stolen billions. The FBI is convinced they act on direct orders from Kim Jong-un. According to UN reports, North Korea uses the loot to fund its illegal nuclear program. Now David is their victim too. “In a moment, it was all gone.” That’s how he described it in an interview with BTC-ECHO. “I now know firsthand how devastating it is to lose everything you’ve spent ten years building.” David wants to remain anonymous. He only reveals his first name. For over a decade, he accumulated, traded, multiplied bitcoin—as a shield for his family and future. Suddenly, the digital fortune was wiped out.
He had only meant to handle a routine step: a proof-of-funds process that regulated platforms require for large withdrawals. For that, he turned to blockchain forensics expert Albert Quehenberger. “We just wanted to sign a message in his wallet to prove he really owned it,” Albert says. But the signature kept failing. At first he suspected a technical glitch. When he ran the wallet address through his analysis tools, the result was stark: no balance. What looked like an error was an abyss. While David’s daughter switched on a disco ball and happily played in the background of their video call, Albert discovered the wallets were empty—1,994 bitcoin missing in total. “At first we couldn’t believe it,” he says. “It was supposed to be about 20 bitcoin. Suddenly we were staring at a theft of nearly 2,000.”
The investigators’ trail points to North Korea
Albert began tracing the transactions in detail. When you send bitcoin, you technically spend the entire input of a wallet. The intended amount goes to the recipient; the remainder returns automatically to a newly generated change address. In common on-chain analysis tools this looks routine—an everyday mechanism that usually raises no suspicion. David’s case was different: there was no change coming back. Instead, the coins disappeared into a peel chain—an obfuscation method where a large sum is split step by step into many smaller transactions that pass through a chain of addresses. Outwardly it looks like a harmless series of payments; in reality, it’s designed to blur the trail. In context, this was a clear red flag: the bitcoin were systematically moved out of reach.
Normally, that pattern is harmless. Here: nothing. The coins were gone—forwarded to wallets, split up, concealed. The trail led to mixing services like CoinJoin and Wasabi Wallet. DeFi platforms appeared too: once, 8.36 bitcoin were swapped into 8,000 litecoin; another time into USDT, wrapped ether, and back into wrapped bitcoin. Then came the find that changed everything: a wallet that had already been flagged—with links to Lazarus. The overall pattern looked eerily familiar as well: the hallmarks of a group that has stolen billions multiple times.
“If the Lazarus suspicion proves true, it becomes extremely challenging,” says Albert. “Official trips for investigators to North Korea are out of the question; reliable diplomatic channels effectively don’t exist.”
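The peel-chain pattern described in this section can be recognized mechanically. The sketch below is an added example, not part of the original article or the investigators' tooling: it follows the larger output of each one-input, two-output transaction and counts how many consecutive hops peel off a small amount. The `Tx` structure, the thresholds and all transaction data are constructed assumptions, and fees are ignored.

```python
from dataclasses import dataclass

BTC = 100_000_000  # satoshis per bitcoin

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # ((prev_txid, prev_output_index), ...)
    outputs: tuple  # output values in satoshis, by index

def follow_peel_chain(txs, start_txid, max_peel_ratio=0.2):
    """Walk forward while each tx has the peel shape: one input, two outputs,
    the smaller output at most max_peel_ratio of the total, and the larger
    output spent by the next tx. Returns [(txid, peeled, remainder), ...]."""
    by_id = {t.txid: t for t in txs}
    spender = {}  # outpoint (txid, index) -> transaction that spends it
    for t in txs:
        for outpoint in t.inputs:
            spender[outpoint] = t
    hops, seen = [], set()
    tx = by_id.get(start_txid)
    while tx is not None and tx.txid not in seen:
        seen.add(tx.txid)
        if len(tx.inputs) != 1 or len(tx.outputs) != 2:
            break  # consolidation or batch payment: not a peel step
        big_idx = 0 if tx.outputs[0] >= tx.outputs[1] else 1
        remainder, peeled = tx.outputs[big_idx], tx.outputs[1 - big_idx]
        if peeled > max_peel_ratio * (peeled + remainder):
            break  # outputs too similar in size to call one of them a peel
        hops.append((tx.txid, peeled, remainder))
        tx = spender.get((tx.txid, big_idx))  # follow the large remainder
    return hops

def is_peel_chain(txs, start_txid, min_hops=3):
    # Short runs of this shape are ordinary payments with change, so only
    # a sustained run is treated as a signal worth an analyst's attention.
    return len(follow_peel_chain(txs, start_txid)) >= min_hops

# Constructed sample data (not from the case described in the article).
SAMPLE = [
    Tx("p1", (("f0", 0),), (5 * BTC, 95 * BTC)),
    Tx("p2", (("p1", 1),), (90 * BTC, 5 * BTC)),
    Tx("p3", (("p2", 0),), (4 * BTC, 86 * BTC)),
    Tx("p4", (("p3", 1),), (40 * BTC, 46 * BTC)),       # even split: run ends
    Tx("n1", (("x", 0), ("y", 0)), (3 * BTC, 1 * BTC)),  # two inputs: no peel
]

if __name__ == "__main__":
    for txid, peeled, remainder in follow_peel_chain(SAMPLE, "p1"):
        print(txid, peeled / BTC, "BTC peeled,", remainder / BTC, "BTC forwarded")
```

The heuristic only flags a shape; real tracing tools combine it with address clustering and watchlist hits such as the flagged wallet mentioned above.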
The shadow army from Pyongyang
The Lazarus Group is considered an invisible army working for the North Korean regime. Intelligence services see it as one of the world’s most dangerous cyberweapons. Its first attacks date back to 2009. Today, the collective is believed to consist of several thousand hackers organized into subunits—for industrial espionage, disruption, and financial theft. Their list of coups is long: the Ronin Bridge hack against Axie Infinity with more than 600 million dollars lost, attacks on international banks, billion-dollar thefts from crypto exchanges. Every year they inflict damage of astronomical proportions on the global economy. And the myth grows: stories circulate like legends about hackers sitting in underground bunkers in Pyongyang.
Everything suggests David became a target too—not by brute force, but by one of their preferred weapons: social engineering. The hackers waited patiently for their chance. “This wasn’t a simple phishing attempt,” Albert explains. “The attackers used contacts David had made at ETHDenver. One Zoom link was enough—and the supposed update installed malware. From that moment, they had free access to his wallets.” David confirms: “The invitation came from people I’d met at the conference. I suspected nothing. The link was real—but it triggered an update that brought the malware onto my computer.”
Investigators now believe it wasn’t just an infected link, but a targeted man-in-the-middle attack. When Zoom attempted to apply an update during the session, compromised servers were inserted to deliver a tampered package. That gave the hackers direct access—a method that fits Lazarus to a tee: slow, patient, precise.
Counterattack with the FBI and an on-chain message
What do you do when nearly 2,000 bitcoin vanish? Albert and David chose a two-pronged strategy. First, they involved the authorities. The FBI officially opened a case in August 2025; Interpol and national police agencies were also engaged. “We’re talking about almost 200 million euros,” Albert says. “There’s an obvious public interest in acting on a case like this.”
At the same time, they tried the impossible: appealing to the hackers’ conscience directly. The Bitcoin blockchain makes that possible. “We sent the attackers an on-chain message,” Albert explains. A transaction carried a few satoshis—tiny fractions of a bitcoin—and in the data field a note: return the coins. Keep 5 to 10 percent as a reward. David will forgo legal action. A seven-day deadline. No response came.
“The wallets are on international watchlists. Every move triggers alerts,” says Albert. “As soon as these bitcoin head toward a regulated platform, compliance has to react: activity is logged end to end, KYC/AML checks fire, accounts are frozen on suspicion, withdrawals are stopped, and identity data is secured. The blockchain is absolutely transparent.”
Between shock and hope
For David, the loss was more than financial. “I was devastated. More than ten years of work—suddenly wiped out. I thought my life was secured. Then I had to think about starting from zero again.” He knows others who saw no way out after similar losses. “A friend of mine took his own life last year after he lost his coins. That’s exactly why I want to speak—so others are warned.”
His faith helped him not to give up. “Money isn’t everything. You can’t take it with you. I trust that God can bring something good out of what the enemy meant for evil.” Today, David seems composed, almost calm. “I feel strong again. I believe this story will help others in the end.”
Albert remains sober: “If it really is Lazarus, it’s going to be damn difficult. These people know how to cover their tracks. But we’ve put measures in place and brought in the authorities. At some point the coins have to surface—and when they do, we’ll be ready.”