
The Federal Bureau of Investigation (FBI) has officially confirmed that North Korea-backed cybercriminals, specifically the Lazarus Group, orchestrated the recent $1.5 billion exploit on cryptocurrency exchange Bybit.
North Korea’s Role in the Attack
In a Public Service Announcement (PSA) released on February 26, the FBI attributed the attack to TraderTraitor, a malicious cyber campaign operated by North Korean state-sponsored hackers. The name TraderTraitor also covers the malware-infested software used in the campaign, which is disguised as crypto trading and price prediction tools and is often built using JavaScript and the Electron framework. The malicious applications originate from open-source projects and are designed to deceive victims with well-crafted websites and fake features.
Laundering of Stolen Funds
The FBI reported that the stolen funds are already in the process of being laundered. The attackers have converted a portion of the assets into Bitcoin and dispersed them across multiple blockchain networks. Eventually, these funds are expected to be converted into fiat currency through illicit channels.
To mitigate further laundering, the FBI published a list of flagged blockchain addresses associated with the hackers. The agency urged virtual asset service providers, including cryptocurrency exchanges, DeFi platforms, and blockchain analytics firms, to block transactions involving these addresses.
Blockchain analysis firm SpotOnChain had previously identified that the hackers laundered 100,000 ETH—valued at approximately $250 million—in less than four days. The firm noted that the laundered assets account for 20% of the stolen 499,000 ETH. The cybercriminals have been actively dispersing funds across multiple addresses and leveraging THORChain for cross-chain swaps into Bitcoin, DAI, and other cryptocurrencies.
North Korea’s Expanding Cyber Threat
The Bybit attack is yet another instance of North Korea’s growing reliance on cybercrime to finance state operations. The Lazarus Group, a state-backed hacking collective, has been responsible for some of the largest crypto heists in history.
The FBI highlighted that Lazarus was behind previous major attacks, including the Horizon Bridge hack in June 2022 and the Ronin Bridge attack in March 2022. Reports indicate that North Korean hackers stole more than $1.3 billion in digital assets in 2024, nearly doubling the $660 million stolen in 2023. Analysts suggest that these funds are used to support North Korea’s nuclear weapons program, enabling the regime to bypass international sanctions.
Bybit and Safe Confirm the Attack
Both Bybit and Safe have confirmed to CryptoSlate that the Lazarus Group was responsible for the attack. According to the investigation, a developer machine was compromised, allowing hackers to manipulate the owners of a multisig cold wallet into approving a malicious transaction.
Safe has since taken immediate action to secure its infrastructure. The company announced:
“The Safe{Wallet} team has fully rebuilt, reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated.”
Bybit also confirmed that most of its assets held with Safe have been withdrawn from vaults to prevent further vulnerabilities.
The FBI’s confirmation of North Korea’s involvement in the Bybit hack highlights the increasing sophistication of state-sponsored cybercrime. As authorities and crypto firms work to enhance security measures, the incident underscores the ongoing risks faced by digital asset platforms and the broader implications of cyber theft on global financial security.