BitoPro Statement & Progress Update
2025-06-19 • BitoPro
BitoPro says forensic findings from its May 9, 2025 cryptocurrency theft showed no internal personnel involvement and that the tradecraft resembled incidents attributed to North Korea’s Lazarus Group. The attackers socially engineered a cloud operations employee, implanted malware, bypassed endpoint and cloud detections, and hijacked AWS session tokens to defeat MFA. From the AWS environment, they used C2-delivered scripts to reach the hot wallet host, waited for a wallet upgrade and asset-transfer window, and simulated legitimate transactions to move cryptocurrency. The case highlights how cloud credential abuse, operational surveillance, and maintenance-window timing can expose virtual asset platforms and financial institutions.
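A hijacked session token keeps the MFA status of the login that created it, so one place defenders can look is the credential's usage pattern rather than the authentication event. The sketch below is an added example, not part of BitoPro's statement or tooling: it scans CloudTrail-style records for a temporary credential used from a second source IP. The sample records are constructed, and treating the first-seen IP as the baseline is an assumption of this example.

```python
# Added example: flag STS temporary credentials replayed from a second source IP.
# All records below are constructed; none come from the BitoPro incident.

def _ev(time, name, ip, key, mfa="true"):
    """Build a minimal record using CloudTrail's field names."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key, "sessionContext": {
                "attributes": {"mfaAuthenticated": mfa}}}}

SAMPLE_EVENTS = [
    _ev("2025-01-01T09:00:00Z", "DescribeInstances", "198.51.100.10", "ASIAEXAMPLESESSION001"),
    _ev("2025-01-01T09:05:00Z", "RunInstances", "cloudformation.amazonaws.com", "ASIAEXAMPLESESSION001"),
    _ev("2025-01-01T09:30:00Z", "GetCallerIdentity", "203.0.113.77", "ASIAEXAMPLESESSION001"),
    _ev("2025-01-01T09:40:00Z", "ListBuckets", "198.51.100.10", "ASIAEXAMPLESESSION002"),
    _ev("2025-01-01T09:45:00Z", "ListBuckets", "198.51.100.10", "ASIAEXAMPLESESSION002"),
    _ev("2025-01-01T10:00:00Z", "GetObject", "192.0.2.5", "AKIAEXAMPLELONGTERM01", "false"),
    _ev("2025-01-01T10:05:00Z", "GetObject", "192.0.2.9", "AKIAEXAMPLELONGTERM01", "false"),
]

def find_token_reuse(events):
    """Return one alert per event where a temporary credential (ASIA prefix)
    is used from an IP other than the first IP seen for that credential."""
    first_ip = {}
    alerts = []
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for e in sorted(events, key=lambda r: r["eventTime"]):
        ident = e.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        ip = e.get("sourceIPAddress", "")
        if not key.startswith("ASIA"):       # long-term keys are out of scope here
            continue
        if ip.endswith(".amazonaws.com"):    # AWS service acting on the user's behalf
            continue
        baseline = first_ip.setdefault(key, ip)
        if ip != baseline:
            attrs = ident.get("sessionContext", {}).get("attributes", {})
            alerts.append({"accessKeyId": key, "eventName": e["eventName"],
                           "baselineIP": baseline, "sourceIPAddress": ip,
                           "mfaAuthenticated": attrs.get("mfaAuthenticated")})
    return alerts

if __name__ == "__main__":
    for alert in find_token_reuse(SAMPLE_EVENTS):
        print(alert)
```

The single alert still carries `mfaAuthenticated` set to `"true"`, which is why an MFA check alone does not separate the replayed session from the original. VPN or NAT changes also move a session's source IP, so a hit is a lead to triage, not a verdict.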