The FBI has officially confirmed that North Korean state-sponsored hackers, known as Lazarus Group (APT38/TraderTraitor), were behind the $1.5 billion crypto heist at Bybit. The Bybit heist is the largest cryptocurrency theft ever recorded. I have already covered the Bybit heist in detail in a previous article.

The hackers intercepted a scheduled fund transfer from Bybit’s cold wallet to a hot wallet and redirected the assets to an address under their control.

“The Federal Bureau of Investigation (FBI) is releasing this PSA to advise the Democratic People’s Republic of Korea (North Korea) was responsible for the theft of approximately $1.5 billion USD in virtual assets from cryptocurrency exchange, Bybit, on or about February 21, 2025,” the FBI said in a Public Service Announcement issued on Wednesday.

Following the attack, security analysts ZachXBT, Elliptic, and TRM Labs traced the stolen funds to Ethereum wallets linked to Lazarus Group’s earlier hacks.

Bybit CEO Ben Zhou later released cybersecurity reports from Sygnia and Verichains. These reports reveal that the attack originated through a compromised Safe{Wallet} developer machine. This allowed hackers to infiltrate Bybit’s multisig wallet infrastructure, ultimately enabling the theft.

The FBI has warned cryptocurrency platforms, RPC node operators, exchanges, DeFi services, and blockchain analytics firms to block transactions originating from addresses tied to North Korean hackers. The agency has also released 51 Ethereum addresses linked to the stolen Bybit assets to help curb further laundering efforts.

This $1.5 billion theft surpasses the total amount stolen by North Korean hackers in all of 2024—$1.34 billion across 47 heists. Since 2017, Elliptic estimates that Lazarus Group has stolen over $6 billion in crypto.
