Security Week

FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge

Eduard Kovacs February 27, 2025

The FBI has confirmed that the Bybit hack was conducted by a North Korean group, just as more details have come to light about how the attack was carried out.

The Bybit hack, which resulted in the theft of nearly $1.5 billion worth of Ethereum cryptocurrency, was carried out on February 21. The attack was quickly linked to North Korean hackers, specifically the notorious Lazarus group.

In an alert published on Wednesday, the FBI said a threat actor it tracks as TraderTraitor, which the agency has been monitoring since 2022 for its attacks on blockchain companies, was behind the Bybit hack.

The FBI indicated in the past that TraderTraitor is a different name for the Lazarus group, but some members of the cybersecurity industry described it as a Lazarus campaign focusing on cryptocurrency attacks. The Lazarus group has also been known to conduct cyberespionage and destructive operations.

“TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains. It is expected these assets will be further laundered and eventually converted to fiat currency,” the FBI said.

The FBI previously linked TraderTraitor to a $308 million cryptocurrency heist from Bitcoin.DMM.com.

The agency has published a list of cryptocurrency addresses known to have been used by the North Korean threat actor.

Bybit, which claims to be the world’s second-largest cryptocurrency exchange by trading volume, has launched a bug bounty program in an effort to recover the stolen funds, offering 5% of the recovered amount to the entity that manages to freeze the funds and 5% to those who helped trace the funds.

Advertisement. Scroll to continue reading.

However, only 3% ($42 million) of the stolen cryptocurrency has been frozen to date, which is the amount that was blocked soon after the hack came to light — it appears no other funds have been recovered since. Nearly $95 million are currently marked as ‘awaiting response’.

Bybit says it has paid out over $4 million in bounties to those who have helped track and freeze funds. The company noted that some cryptocurrency services have refused to cooperate.

“We have assigned a team to maintain and update this website, we will not stop until Lazarus or bad actors in the industry is eliminated,” said Ben Zhou, co-founder and CEO of Bybit. “In the future we will open it up [the bug bounty platform] to other victims of Lazarus as well.”

The cryptocurrency exchange has assured customers that their assets are backed and the company is solvent even if the stolen funds will not be recovered.

Bybit has hired Sygnia and Verichains to investigate the incident and the companies claim to have determined the root cause — the attack involved malicious code originating from Safe{Wallet} infrastructure (specifically an AWS S3 bucket) and there is no indication that Bybit’s own infrastructure was compromised.

Safe{Wallet}, a decentralized custody protocol and collective asset management platform, issued a statement confirming that it was targeted by Lazarus hackers, who compromised a Safe{Wallet} developer’s machine. The company pointed out that its smart contracts are not affected, and neither is the source code of the frontend and its services.

Based on the information available to date, it appears that the attacker replaced a benign Safe{Wallet} JavaScript file with malicious code on February 19. The malicious code, which targeted Bybit’s Ethereum cold wallet, was designed to activate during the next transaction, which occurred on February 21.

The malicious code manipulated the content of the transaction during the signing process, making it appear as if the funds were being transferred to the correct address when in reality they went to an address controlled by the hackers.

The attackers then quickly removed the malicious code from the Safe{Wallet} JavaScript file.

The 2025 Crypto Crime Report published by Chainalysis on Wednesday shows that cryptocurrency addresses known to have been used for illegal activities received — based on data collected to date — roughly $40 billion in 2024, but the amount is expected to increase to $51 billion once all the data is analyzed.