FBI Confirms North Korean Hackers Stole $1.5 Billion in Bybit Heist

The FBI has officially linked the recent Bybit cryptocurrency exchange hack to TraderTraitor, a North Korean hacking group believed to be part of the notorious Lazarus Group. The $1.5 billion theft, which ranks among the largest crypto heists in history, underscores North Korea’s continued reliance on cybercrime to fund its regime.
How the Bybit Hack Unfolded
The attack occurred on February 21, 2025, when hackers successfully infiltrated Bybit’s Ethereum cold wallet. Investigators determined that the breach originated from Safe{Wallet}, a decentralized custody platform. The hackers managed to compromise a Safe{Wallet} developer’s machine, allowing them to inject malicious code into a JavaScript file.
The Malicious Code Attack
On February 19, the attackers secretly modified Safe{Wallet}’s JavaScript code, setting the stage for the heist. The malicious code remained dormant until a legitimate transaction was processed by Bybit on February 21. During the transaction signing process, the code altered the recipient address, redirecting the funds to a hacker-controlled wallet.
Once the theft was complete, the attackers quickly removed the malicious code, covering their tracks and making detection more difficult.
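The recipient swap described above happened inside the web interface's own JavaScript, so a defensive check has to run outside it. The following is an added example, not code from the article, Safe{Wallet} or Bybit: a pre-signing check that compares the payload presented for signing with an independently recorded intent and fails closed on any difference. The field names, wallet names, allowlist and addresses are assumptions constructed for illustration.

```javascript
// Added example. Field names, wallet names and addresses are constructed.
const WARM_WALLET = "0x" + "ab".repeat(20); // constructed: intended recipient
const ATTACKER = "0x" + "cd".repeat(20);    // constructed: substituted recipient
const INTENT = { to: WARM_WALLET, value: "1000000000000000000", data: "0x" };

// Addresses are compared lower-cased; anything that is not 20 hex bytes is rejected.
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error("malformed address: " + String(addr));
  }
  return addr.toLowerCase();
}

// Bring each checked field to one canonical form so equal values compare equal.
function normalizeField(name, v) {
  if (name === "to") return normalizeAddress(v);
  if (name === "value") return BigInt(v).toString(); // amount in wei
  return String(v).toLowerCase();                     // calldata hex
}

// Compare what the operator intended with what is presented for signing.
function diffSigningRequest(intent, payload) {
  const mismatches = [];
  for (const field of ["to", "value", "data"]) {
    const intended = normalizeField(field, intent[field]);
    const presented = normalizeField(field, payload[field]);
    if (intended !== presented) mismatches.push({ field, intended, presented });
  }
  return mismatches;
}

// Fail closed: sign only if nothing differs and the recipient is allowlisted.
function approveForSigning(intent, payload, allowlist) {
  const mismatches = diffSigningRequest(intent, payload);
  const allowed = allowlist.map(normalizeAddress).includes(normalizeAddress(payload.to));
  return { approved: mismatches.length === 0 && allowed, mismatches, allowed };
}

// Constructed scenario: the payload reaching the signer has a swapped recipient.
const tampered = { ...INTENT, to: ATTACKER };
console.log(approveForSigning(INTENT, INTENT, [WARM_WALLET]).approved);
console.log(approveForSigning(INTENT, tampered, [WARM_WALLET]));
```

The intent record must come from a channel the web interface cannot write to; otherwise both sides of the comparison are under the same compromised code.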
FBI Confirms Lazarus Group’s Involvement
The FBI issued an official alert on Wednesday, stating that TraderTraitor, a subgroup of Lazarus, was responsible for the attack. The agency has been monitoring TraderTraitor since 2022 due to its ongoing cyberattacks on blockchain and cryptocurrency companies.
How the Stolen Crypto is Being Laundered
According to the FBI, the stolen Ethereum is being rapidly converted into Bitcoin and other virtual assets. The hackers are using thousands of blockchain addresses to obfuscate the movement of funds before ultimately converting them into fiat currency.
This isn’t Lazarus’ first major crypto heist—the group was previously linked to a $308 million theft from Bitcoin.DMM.com and numerous other cybercrimes.
Bybit’s Efforts to Recover the Stolen Funds
Bybit, which claims to be the world’s second-largest crypto exchange by trading volume, has launched a bug bounty program to incentivize fund recovery. The program offers:
- 5% of the recovered funds to any entity that successfully freezes the stolen crypto.
- 5% to individuals or teams who help trace the stolen assets.
Current Status of Recovery Efforts
Despite these efforts, only $42 million (3% of the stolen funds) has been frozen so far. Another $95 million remains "awaiting response" from various cryptocurrency services, but no additional funds have been recovered.
Bybit has paid out over $4 million in bounties to those assisting in tracking and freezing the stolen assets. However, some crypto services have refused to cooperate, slowing recovery efforts.
Bybit Assures Users of Financial Stability
Amid concerns over the massive theft, Bybit CEO Ben Zhou has reassured customers that the company remains solvent and that user assets are fully backed. “We will not stop until Lazarus and other bad actors in the industry are eliminated,” Zhou stated. He also announced plans to open Bybit’s bug bounty platform to other victims of Lazarus Group in the future.
Crypto Crime on the Rise
The Bybit hack is just one part of a larger trend in cryptocurrency crime. A 2025 Crypto Crime Report from Chainalysis, published on Wednesday, revealed that known crypto-related criminal addresses received at least $40 billion in illicit transactions in 2024. This figure is expected to increase to $51 billion once all data is analyzed.
The Bybit hack underscores the growing threat of North Korean cybercrime, particularly against cryptocurrency platforms. While efforts to track and recover the stolen funds continue, the incident highlights the urgent need for stronger security measures across the blockchain industry.
With Lazarus Group and TraderTraitor still actively targeting crypto assets, exchanges and investors must remain vigilant, employing robust cybersecurity protocols to protect against increasingly sophisticated attacks.