
The U.S. Federal Bureau of Investigation has confirmed that North Korea was behind the theft of $1.5 billion worth of digital tokens from cryptocurrency exchange firm Bybit last week. This is thought to be the biggest crypto heist of all time.
The FBI’s PSA about this “TraderTraitor” attack
In a Public Service Announcement, the FBI referred to the attack as “TraderTraitor,” a malicious campaign linked to North Korean state-sponsored hackers targeting cryptocurrency firms. “TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains,” it said.
The FBI expected the stolen assets to be laundered and eventually converted to “fiat currency” — money issued by a government that is not backed by a physical commodity like gold or silver. It also provided a list of Ethereum addresses the threat actors have used or are using to launder the stolen assets, which it recommends crypto organisations block.
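The PSA's recommendation that crypto organisations block the listed Ethereum addresses hides a practical pitfall: the FBI publishes addresses in mixed-case EIP-55 checksum form, while wallets, explorers and on-chain data often present the same address in all-lowercase, so a byte-for-byte string comparison silently misses matches. The screening routine below is an added example written for this article, not code from Bybit, the FBI or any analytics vendor; the denylist entries and transactions in it are constructed placeholders, not the real PSA addresses.

```python
import re

# Constructed sample denylist in the mixed-case EIP-55 checksum format the
# FBI PSA uses. These two addresses are invented for illustration only; the
# real list is in the PSA and is not reproduced here.
FBI_LISTED_ADDRESSES = [
    "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01",
    "0x1234567890ABCDEF1234567890ABCDEF12345678",
]

_ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate an Ethereum address and reduce it to canonical lowercase.

    EIP-55 mixed case is only a checksum over the hex digits; it carries no
    identity, so every spelling of one address must compare equal. Surrounding
    whitespace and a missing 0x prefix are tolerated; anything else is rejected
    rather than silently passed through as a non-match.
    """
    a = addr.strip()
    if not a.startswith(("0x", "0X")):
        a = "0x" + a
    if not _ADDR_RE.match(a):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return a.lower()


# Normalize the denylist once at load time so every lookup is O(1).
DENYLIST = frozenset(normalize(a) for a in FBI_LISTED_ADDRESSES)


def naive_match(addr: str) -> bool:
    """The mistake to avoid: exact string comparison against the published list."""
    return addr in FBI_LISTED_ADDRESSES


def screen(tx: dict) -> list:
    """Return the roles ("from", "to") of tx that touch a denylisted address.

    Both ends of a transfer are checked: a deposit *from* a listed address is
    as much a compliance event as a withdrawal *to* one.
    """
    hits = []
    for role in ("from", "to"):
        value = tx.get(role)
        if value is not None and normalize(value) in DENYLIST:
            hits.append(role)
    return hits


def flagged(txs: list) -> dict:
    """Map tx hash -> offending roles for every transaction that hits the list."""
    result = {}
    for tx in txs:
        hits = screen(tx)
        if hits:
            result[tx["hash"]] = hits
    return result


# Constructed transactions: one lowercase match on the sender, one unprefixed
# lowercase match on the recipient, one clean transfer.
SAMPLE_TXS = [
    {"hash": "0x01",
     "from": "0xabcdef0123456789abcdef0123456789abcdef01",
     "to":   "0x0000000000000000000000000000000000000001"},
    {"hash": "0x02",
     "from": "0x0000000000000000000000000000000000000002",
     "to":   "1234567890abcdef1234567890abcdef12345678"},
    {"hash": "0x03",
     "from": "0x0000000000000000000000000000000000000003",
     "to":   "0x0000000000000000000000000000000000000004"},
]

if __name__ == "__main__":
    print("naive match on lowercase sender:", naive_match(SAMPLE_TXS[0]["from"]))
    print("normalized screening:", flagged(SAMPLE_TXS))
```

Running it shows the naive comparison returning False for an address that is on the list, while the normalized screen flags both tainted transactions. Two caveats for anyone deploying this: the PSA notes the funds have already been bridged to other chains, so an Ethereum-only denylist catches just one hop of the laundering path, and address lists go stale quickly, so the source list should be re-fetched on a schedule rather than baked into the code as above.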
How the crypto was stolen from Bybit and its response to customers
According to Bybit CEO Ben Zhou, the crypto was taken during a routine internal transfer from the exchange’s Ethereum (ETH) cold wallet, a wallet whose keys are typically stored offline and which is therefore considered more secure than an online hot wallet. The attacker tampered with that transaction to gain control of the cold wallet, then moved about 401,000 ETH to an unidentified address. After the theft, the price of Ethereum fell by around 4% on Friday, to $2,641.41 per coin.
The scale of the Bybit theft surpasses the previous record crypto heist, the 2022 theft of $615 million in Ethereum and USDC from the Ronin Network. It also exceeds the largest known non-crypto heist, Saddam Hussein’s 2003 removal of about $1 billion in assets from the Iraqi Central Bank.
Zhou wrote on X Sunday that Bybit has replenished its reserves since the incident through a mix of emergency loans and large deposits. The company also told clients that their funds were “safe,” and it would refund anyone affected.
Bybit was founded in 2018 and reportedly counts President Donald Trump and former PayPal chief Peter Thiel among its early investors. The company says it has more than 60 million users worldwide and offers access to various cryptocurrencies.
Lazarus Group suspected as responsible for the theft
The Lazarus Group, a hacking organization operating under North Korea’s Reconnaissance General Bureau, has been identified by blockchain security experts as the likely perpetrator. Blockchain analyst ZachXBT submitted evidence to the blockchain analytics platform Arkham linking the attack to Lazarus, citing, in a post for TRM Labs, patterns consistent with recent North Korean cyberattacks.
Lazarus has been active since about 2009 and has been responsible for a number of high-profile cyberattacks, including the 2017 WannaCry ransomware outbreak, which infected over 300,000 computers worldwide and severely disrupted the U.K.’s NHS; the resulting disruption to patient care is estimated to have cost the NHS £92 million. The group continues to develop new malware to evade detection.
ZachXBT also linked Lazarus’ Bybit hack to a January attack on another cryptocurrency exchange called Phemex, which lost at least $69 million, according to The Record.
North Korea has been accused of multiple hacks of cryptocurrency exchanges to steal digital assets, launder the funds, and use them to finance its nuclear weapons program. In 2024, North Korean hackers stole a record $1.3 billion in digital assets, nearly doubling the $660 million they took in 2023.
Cryptocurrency has become a preferred vehicle for criminals laundering illicit funds.
The authors of this news story are TechnologyAdvice staff writer Fiona Jackson and contributing writer Esther Shein.