The FBI has confirmed that North Korean hackers, linked to the notorious Lazarus Group, executed a monumental cyber heist, stealing approximately $1.5 billion from the cryptocurrency exchange Bybit. This incident marks the largest recorded theft in the cryptocurrency sector to date.
### Overview of the Heist
The state-sponsored hacking group, also known by the designations TraderTraitor and APT38, orchestrated their attack by intercepting a scheduled transfer of funds from Bybit’s cold wallet—a secure repository for cryptocurrencies—to a hot wallet used for active trading. Following this interception, the hackers redirected the cryptocurrency to addresses under their control on the blockchain.
In a Public Service Announcement (PSA) issued on Wednesday, the FBI urged vigilance, stating, “The Federal Bureau of Investigation (FBI) has determined that the Democratic People’s Republic of Korea is responsible for the theft of approximately $1.5 billion USD in virtual assets from cryptocurrency exchange, Bybit, on or about February 21, 2025.”
### Laundering the Stolen Assets
Following the theft, the TraderTraitor group rapidly converted various portions of the stolen cryptocurrency into Bitcoin and other virtual currencies, dispersing them across thousands of addresses on multiple blockchain networks. This strategy is in line with established tactics aimed at laundering stolen assets to obfuscate their origins, ultimately facilitating conversion to fiat currency.
Crypto fraud investigator ZachXBT uncovered critical links connecting the stolen assets to the Lazarus Group through the transfer of some Bybit funds to an Ethereum address previously associated with earlier hacks of Phemex, BingX, and Poloniex. Blockchain analysis firms, including Elliptic and TRM Labs, corroborated these findings, indicating substantial overlaps between the addresses utilized in the Bybit heist and those linked to prior North Korean cyber thefts.
### Source of the Breach
On the same day, Bybit’s CEO, Ben Zhou, disclosed preliminary forensic analyses from cybersecurity experts at Sygnia and finance security firm Verichains, revealing that the attack traced back to infrastructure operated by the multisig wallet platform, Safe{Wallet}. The Safe Ecosystem Foundation confirmed these findings, detailing that the breach occurred when North Korean hackers compromised a Safe{Wallet} developer’s machine, gaining unauthorized access to an account belonging to Bybit.
The investigation concluded that the Lazarus Group’s targeted attack exploited vulnerabilities in the Safe{Wallet} environment, resulting in a covert malicious transaction proposal.
### Mitigation Efforts
In response to the massive breach, the FBI has issued urgent advisories to various cryptocurrency stakeholders, including RPC node operators, exchanges, bridging services, decentralized finance (DeFi) platforms, and blockchain analytics firms. These stakeholders are urged to block transactions involving addresses known to be associated with the North Korean hacking efforts, in order to thwart the laundering of the stolen assets.
Additionally, the FBI released a list of 51 Ethereum addresses linked to cryptocurrencies stolen in the Bybit incident, facilitating the tracking and identification of these assets.
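The advisory above asks node operators, exchanges and bridges to block transactions touching the published addresses, and the laundering section notes that the funds were dispersed across thousands of fresh addresses. The Python below is an added example, not code from the FBI, Bybit or any analytics firm: it screens a batch of transfers against a blocklist and optionally propagates taint one or more hops to addresses that received funds from a listed address. The blocklist entries, transfer records and hash values are constructed placeholders; the FBI's actual 51 addresses are not reproduced here. Address handling is limited to lower-case normalization and basic shape validation (no EIP-55 checksum verification).

```python
"""Screen transfers against a blocklist of flagged addresses and propagate taint.

Added example. FLAGGED_ADDRESSES and SAMPLE_TRANSFERS are constructed
placeholders, not the addresses published in the FBI advisory.
"""

from dataclasses import dataclass

# Constructed placeholder blocklist (NOT the FBI's published list).
# One entry is mixed case on purpose so the normalization step is exercised.
FLAGGED_ADDRESSES = {
    "0x" + "a1" * 20,
    "0x" + "B2" * 20,
}


@dataclass(frozen=True)
class Transfer:
    tx_hash: str      # constructed placeholder identifier
    sender: str
    receiver: str
    value_wei: int


def normalize(address: str) -> str:
    """Lower-case a 20-byte hex address so checksummed and plain forms compare equal.

    Malformed input raises ValueError rather than silently failing to match,
    which is the safer failure mode for a blocklist.
    """
    addr = address.strip()
    if addr[:2].lower() != "0x":
        raise ValueError(f"missing 0x prefix: {address!r}")
    body = addr[2:]
    if len(body) != 40 or any(c not in "0123456789abcdefABCDEF" for c in body):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return "0x" + body.lower()


def build_blocklist(addresses) -> frozenset:
    """Normalize every entry once so lookups are plain set membership."""
    return frozenset(normalize(a) for a in addresses)


def screen(transfers, blocklist, hops: int = 1) -> dict:
    """Return {tx_hash: reason} for every transfer that touches a tainted address.

    hops=0 flags only direct contact with listed addresses. hops>=1 also taints
    addresses that received funds from a tainted address, round by round, which
    is how dispersal into freshly created addresses is followed.
    """
    tainted = dict.fromkeys(blocklist, "listed")
    for hop in range(1, hops + 1):
        newly_tainted = {}
        for t in transfers:
            s, r = normalize(t.sender), normalize(t.receiver)
            if s in tainted and r not in tainted:
                newly_tainted[r] = f"received from tainted address (hop {hop})"
        if not newly_tainted:
            break
        tainted.update(newly_tainted)

    hits = {}
    for t in transfers:
        s, r = normalize(t.sender), normalize(t.receiver)
        if s in tainted:
            hits[t.tx_hash] = f"sender {s}: {tainted[s]}"
        elif r in tainted:
            hits[t.tx_hash] = f"receiver {r}: {tainted[r]}"
    return hits


# Constructed sample batch (placeholder hashes and addresses).
SAMPLE_TRANSFERS = [
    Transfer("tx-1", "0x" + "a1" * 20, "0x" + "c3" * 20, 10**18),       # listed -> fresh
    Transfer("tx-2", "0x" + "c3" * 20, "0x" + "d4" * 20, 5 * 10**17),   # fresh -> fresh (1 hop out)
    Transfer("tx-3", "0x" + "e5" * 20, "0x" + "f6" * 20, 10**18),       # unrelated
    Transfer("tx-4", "0x" + "e5" * 20, "0x" + "b2" * 20, 10**18),       # deposit into listed
]


if __name__ == "__main__":
    blocklist = build_blocklist(FLAGGED_ADDRESSES)
    for hops in (0, 1):
        print(f"hops={hops}:")
        for tx, reason in screen(SAMPLE_TRANSFERS, blocklist, hops=hops).items():
            print(f"  {tx}: {reason}")
```

With hops=0 only tx-1 and tx-4 are flagged (direct contact with a listed address); with hops=1, tx-2 is also caught because its sender received from a listed address in tx-1. In production the blocklist would be loaded from the published advisory and refreshed as analytics firms add the intermediary addresses they identify.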
### Context and Implications
To provide context for the magnitude of this heist, blockchain analysis company Chainalysis reported that North Korean hackers had previously amassed $1.34 billion through 47 different crypto heists in 2024 alone. Moreover, Elliptic has revealed that since 2017, these hackers have reportedly stolen over $6 billion in crypto assets, with significant portions of these proceeds allegedly financing North Korea’s ballistic missile program.
The enormity of the Bybit breach underscores the growing sophistication of state-sponsored cybercriminal operations and highlights the pressing need for robust cybersecurity measures across both cryptocurrency exchanges and blockchain service providers. Given the evolving threat landscape, stakeholders are reminded to adopt best practices in cybersecurity, engage in regular security audits, and cultivate an adaptive incident response strategy to mitigate risks associated with such attacks.