When UK-registered exchanges become targets: How Lazarus strikes again in crypto security crisis

North Korea’s state-sponsored cyber operatives have been directly linked to a devastating $22.8 million theft that dismantled UK-registered cryptocurrency platform Lykke, according to British Treasury sanctions authorities. The assault on the Swiss-based trading venue represents yet another chapter in Pyongyang’s systematic campaign to infiltrate digital asset platforms worldwide, generating billions in stolen cryptocurrency to circumvent international sanctions and bankroll weapons development.

How the attack unfolded and what was lost

The Treasury’s Office of Financial Sanctions Implementation (OFSI) formally connected the Democratic People’s Republic of Korea’s cyber actors to the massive breach. Lykke suffered significant losses across multiple blockchain networks, with Bitcoin (BTC) and Ethereum (ETH) forming the core of stolen assets. The platform, which operated from Switzerland’s Zug region while maintaining UK registration under founder Richard Olsen, had distinguished itself through a zero-fee trading model—a competitive advantage that ultimately couldn’t shield it from sophisticated state-level cyber operations.

Following the intrusion, the exchange suspended trading operations and eventually ceased functioning entirely. The incident forced the Swiss parent company into liquidation proceedings while leaving Olsen, great-grandson of the Julius Baer banking dynasty, facing personal bankruptcy and concurrent criminal investigations in Switzerland.

Independent research corroborates the attribution

Israeli cybersecurity research organization Whitestream independently verified the Lazarus connection, tracing additional evidence of how attackers channeled stolen funds through cryptocurrency intermediaries designed to obscure transaction trails and bypass anti-money-laundering safeguards. However, some security researchers have publicly questioned whether existing forensic evidence sufficiently establishes definitive attribution, highlighting the complexity of blockchain-based attribution analysis.

Legal aftermath and investor consequences

The damage extended beyond operational shutdown. Over 70 customers initiated winding-up petitions in UK courts, collectively claiming £5.7 million in losses from the platform’s collapse. The Financial Conduct Authority had already issued caution notices about Lykke in 2023, warning that the firm operated without proper UK regulatory authorization to conduct financial services.

Despite management assurances regarding customer fund recovery, the frozen trading status transformed into permanent closure by December. Richard Olsen’s January bankruptcy declaration compounds the recovery challenges facing affected investors navigating the liquidation process.

What this reveals about exchange vulnerabilities

The Lykke incident underscores a critical industry vulnerability: UK-registered and internationally positioned platforms remain high-value targets for state-backed cyber actors. Lazarus Group’s documented attack pattern demonstrates how criminal cyber operations systematically probe exchange security infrastructure, often exploiting vulnerabilities at smaller or less-fortified trading venues. The group’s operational success, culminating in multibillion-dollar cryptocurrency thefts over the years, illuminates why institutional-grade security architecture and regulatory compliance represent non-negotiable requirements in modern digital asset trading.

The broader implication: as North Korea continues leveraging cyber theft to circumvent economic isolation, the cryptocurrency ecosystem faces ongoing pressure to strengthen defenses and implement more sophisticated detection mechanisms before attacks reach critical infrastructure.
