North Korea's Lazarus Group Strikes Again: $1.5 Billion Crypto Heist on Bybit

The Federal Bureau of Investigation (FBI) has attributed the recent $1.5 billion exploit on Bybit to North Korean threat actors, specifically the Lazarus Group. In a Feb. 26 Public ServicePEG-- Announcement (PSA), the agency linked the attack to TraderTraitor, a malicious cyber campaign involving malware-infested applications disguised as crypto trading and price prediction tools.

The FBI reported that the stolen funds are being laundered, with attackers converting portions of the assets into Bitcoin and dispersing them across multiple blockchain networks. The agency expects the funds to eventually be exchanged for fiat currency through illicit channels. To counter this, the FBI released a list of flagged blockchain addresses linked to the hackers and urged virtual asset service providers to block transactions associated with these addresses.

This attack illustrates North Korea's growing success in using cybercrime to finance state operations. The Lazarus Group, a notorious government-backed hacking unit, has been behind several major digital asset heists. The FBI noted that Lazarus Group is responsible for several previous attacks on crypto platforms, including the attacks on Horizon Bridge in June 2022 and Ronin Bridge in March 2022. Reports indicate that North Korean hackers stole more than $1.3 billion in digital assets in 2024, far surpassing the $660 million taken in 2023.

Both Bybit and Safe have confirmed that the North Korean hacking group Lazarus Group was responsible for the attack. A developer machine was compromised, allowing the hackers to trick owners of a multisig cold wallet into signing a malicious transaction. Safe stated that the team has fully rebuilt and reconfigured all infrastructure, ensuring the attack vector is fully eliminated. ByBit also confirmed that the majority of its assets held with Safe have been withdrawn from vaults to protect against any further vulnerability.