
FBI Links Record-Breaking $1.5 Billion Bybit Hack to North Korean Threat Actors

The U.S. Federal Bureau of Investigation (FBI) has officially attributed the massive $1.5 billion cryptocurrency heist from Bybit to North Korean state-sponsored hackers


The U.S. Federal Bureau of Investigation (FBI) has officially attributed the massive $1.5 billion cryptocurrency heist from Bybit to North Korean state-sponsored hackers, marking it as the largest digital asset theft in history. The agency identified the responsible group as TraderTraitor, also tracked under different names, including Jade Sleet, Slow Pisces, and UNC4899.

Bybit CEO Ben Zhou has publicly declared a “war against Lazarus”, referencing the Lazarus Group, a well-known North Korean cybercrime organization suspected to be behind the attack.

North Korean Hackers Behind the Attack

The FBI's investigation revealed that TraderTraitor actors have rapidly converted stolen assets into Bitcoin and other cryptocurrencies, dispersing them across thousands of blockchain addresses. This laundering process is a common tactic to obfuscate asset origins before converting them into fiat currency.

The TraderTraitor cluster was previously implicated in a $308 million hack on Japanese cryptocurrency exchange DMM Bitcoin in May 2024. The group is notorious for targeting Web3 companies through:

  • Malware-laced cryptocurrency applications to steal user credentials and assets.

  • Social engineering tactics, including fake job offers, to trick victims into downloading malicious files.

  • Supply chain attacks, injecting malware into trusted software and services.

Bybit's Response and Efforts to Recover Funds

Bybit has launched an industry-wide bounty program to recover stolen funds and is urging cooperation from global exchanges, blockchain analytics firms, and law enforcement agencies. The company accused eXch, a cryptocurrency trading platform, of refusing to cooperate in freezing the stolen assets.

“The stolen funds have been transferred to untraceable or freezeable destinations, such as mixers, bridges, and exchanges, and converted into stablecoins that could be frozen,” Bybit said in a statement. “We require full cooperation to trace or halt these transactions.”

Technical Analysis of the Attack

Two cybersecurity firms, Sygnia and Verichains, conducted separate investigations, both pointing to Lazarus Group as the primary perpetrators.

  • Sygnia's analysis suggests the root cause was malicious code originating from Safe{Wallet} infrastructure, which played a crucial role in the attack.

  • Verichains' report revealed that a benign JavaScript file on app.safe.global was replaced with malicious code on February 19, 2025, precisely targeting Bybit's Ethereum Multisig Cold Wallet.

The malicious code executed on February 21, 2025, during the next Bybit transaction, indicating a well-planned operation. It is suspected that AWS S3 or CloudFront credentials for Safe{Wallet} were compromised, enabling the supply chain attack.
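As an added illustration of the standard mitigation for this class of front-end supply chain compromise (a hosted JavaScript bundle replaced in place), the following Python script, written for this page and not part of Sygnia's, Verichains' or Safe{Wallet}'s work, audits a page's external `<script>` tags against Subresource Integrity (SRI) digests; the hostnames and file contents are constructed sample values.

```python
import base64
import hashlib
import re

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests SRI permits
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
ATTR = r'\b{name}\s*=\s*"([^"]*)"'


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value ("sha384-<base64>") for a script body."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only permits sha256/sha384/sha512")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """An integrity attribute may list several digests; any valid match passes."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and sri_digest(body, algo) == token:
            return True
    return False


def extract_scripts(html: str):
    """Yield (src, integrity-or-None) for every external <script> tag."""
    for tag in SCRIPT_TAG.findall(html):
        src = re.search(ATTR.format(name="src"), tag)
        if not src:
            continue  # inline script, nothing to fetch
        integ = re.search(ATTR.format(name="integrity"), tag)
        yield src.group(1), (integ.group(1) if integ else None)


def audit_page(html: str, served: dict) -> dict:
    """Compare each script's served body (from an independent vantage point) to its pin."""
    report = {}
    for src, integrity in extract_scripts(html):
        body = served.get(src)
        if body is None:
            report[src] = "unfetched"
        elif integrity is None:
            report[src] = "no-integrity"  # a swapped file here would load silently
        else:
            report[src] = "ok" if verify_sri(body, integrity) else "MISMATCH"
    return report


# Constructed sample data (not real Safe{Wallet} or Bybit assets).
GOOD_BODY = b"window.sign = (tx) => tx;\n"
TAMPERED_BODY = b"window.sign = (tx) => rewrite(tx);\n"  # stand-in for a swapped bundle
APP = "https://assets.example.test/app.js"
VENDOR = "https://assets.example.test/vendor.js"
SAMPLE_HTML = (
    f'<script src="{APP}" integrity="{sri_digest(GOOD_BODY)}" crossorigin="anonymous"></script>\n'
    f'<script src="{VENDOR}"></script>\n<script>console.log("inline")</script>\n'
)

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, {APP: TAMPERED_BODY, VENDOR: b"x"}))
```

SRI in the HTML is no help when the attacker controls the same bucket or distribution that serves the HTML, so the digests should also be pinned out of band and `audit_page` run from a monitor outside the hosting account. Scripts reported as `no-integrity` are the ones a replaced file would reach without any browser-side check.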

Safe{Wallet}'s Response

Multisig wallet provider Safe{Wallet} confirmed that the breach stemmed from a compromised developer machine, which allowed attackers to insert malicious transaction proposals. Safe{Wallet} has since implemented additional security measures to prevent further compromises.

“Lazarus is a state-sponsored North Korean hacker group known for sophisticated social engineering attacks on developer credentials, sometimes combined with zero-day exploits,” Safe{Wallet} said.

North Korea’s Expanding Cybercrime Network

Further analysis by Silent Push uncovered a domain linked to the attack, bybit-assessment[.]com, registered on February 20, 2025—just hours before the heist. The WHOIS records linked it to an email address previously used in North Korea's Contagious Interview campaign, another Lazarus-backed operation.

North Korean cybercriminals have stolen over $6 billion in cryptocurrency since 2017, financing the regime’s military and weapons programs. The $1.5 billion Bybit hack now surpasses the total $1.34 billion stolen in 47 separate cryptocurrency hacks throughout 2024.

The Growing Threat of North Korean Crypto Heists

Lazarus and its affiliates continue to evolve their tactics, leveraging fake job offers, malware-laced applications, and supply chain attacks to infiltrate financial networks. The FBI, along with global cybersecurity firms, is actively tracking and countering their operations.

As cybercriminals become more sophisticated, experts stress the importance of proactive security measures, robust compliance frameworks, and international cooperation to mitigate threats posed by state-backed hackers.