Bybit Loses $1.4 Billion in Crypto Theft Linked to North Korea

Generated by AI Agent, Coin World
Tuesday, May 27, 2025 9:20 am ET

A significant crypto theft incident involving $1.4 billion stolen from the exchange Bybit has raised new concerns within the digital asset industry. According to data compiled by the exchange and security researchers, approximately $644 million in stolen funds—nearly half of the total—has vanished from traceable blockchain monitoring. These funds have been systematically routed through crypto mixing services, which are designed to obscure the source and destination of transactions. This development highlights how laundering methods are evolving, particularly with the continued use of services that have previously been sanctioned or claimed to be defunct.

The investigation also points to links with the North Korean hacking group TraderTraitor, which exploited a vulnerability in a developer’s laptop in early February. The exploit was enabled by malware posing as a stock investment simulator and led to the compromise of sensitive credentials. Bybit’s investigation reveals that $247.5 million (about 966 BTC) was routed through Wasabi Wallet, a privacy-focused Bitcoin wallet that uses CoinJoin to mix transactions. Another $94.1 million was moved through eXch, a lesser-known mixing service that had publicly announced its closure in April 2025. However, forensic experts have confirmed that eXch remains active through back-end APIs, allowing laundering to continue undetected by most standard monitors. Mixing services such as Tornado Cash and Railgun were also used, but to a lesser extent. TRM Labs confirmed that Tornado Cash was used to launder $2.5 million in Ethereum, while Railgun facilitated $1.7 million in Ethereum transactions. These services operate by pooling multiple users’ funds and redistributing them in a way that renders tracing nearly impossible. Analysts at TRM Labs described the laundering activity as “extremely difficult” to track due to the way transactions are bundled and redistributed.

eXch, in particular, has drawn significant attention due to its claim of shutting down in April. Crypto security researchers, including analysts at TRM Labs, have confirmed that the service’s backend is still operating. The persistence of eXch’s infrastructure, even after a public announcement of its closure, has added a layer of complexity to ongoing investigations. A major challenge for investigators is the complete opacity created by these mixers. Transactions become nearly impossible to follow once they enter these services. TRM Labs noted that because all incoming and outgoing funds are mixed together, it is not possible to identify individual users or addresses behind the transfers. This limits the effectiveness of blockchain transparency tools, even when forensic analysis is applied.
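The two paragraphs above describe why tracing stops at a mixer: once funds are pooled with other users' inputs and paid out as equal-sized outputs, no single output can be labelled "stolen". The following Python script is an added illustration written for this article, not code from Bybit, TRM Labs or any mixing service. It runs proportional ("haircut") taint tracing over a constructed toy ledger in which a stolen output passes through one ordinary hop and then a CoinJoin-style round with four unrelated participants; every transaction, address and amount in it is invented.

```python
from fractions import Fraction

# Constructed sample ledger (not real Bybit or on-chain data). Amounts are in
# satoshis; each input references the output it spends as (txid, output_index).
# The list is in dependency order, so every referenced output already exists.
LEDGER = [
    # Funds leaving the victim: this output is treated as 100% stolen.
    {"txid": "theft", "inputs": [], "outputs": [("thief_a", 500_000_000)]},
    # An ordinary hop: stolen coins move to a fresh address plus change.
    {"txid": "hop1", "inputs": [("theft", 0)],
     "outputs": [("thief_b", 490_000_000), ("thief_change", 9_000_000)]},
    # Four unrelated users creating inputs of the same size as the thief's.
    {"txid": "fund_u1", "inputs": [], "outputs": [("user1", 490_000_000)]},
    {"txid": "fund_u2", "inputs": [], "outputs": [("user2", 490_000_000)]},
    {"txid": "fund_u3", "inputs": [], "outputs": [("user3", 490_000_000)]},
    {"txid": "fund_u4", "inputs": [], "outputs": [("user4", 490_000_000)]},
    # CoinJoin-style round: five equal inputs pooled into five equal outputs,
    # so nothing inside the transaction links one input to one output.
    {"txid": "coinjoin",
     "inputs": [("hop1", 0), ("fund_u1", 0), ("fund_u2", 0),
                ("fund_u3", 0), ("fund_u4", 0)],
     "outputs": [(f"mix_out{i}", 485_000_000) for i in range(1, 6)]},
]


def trace_taint(ledger, origin_txid):
    """Proportional ("haircut") taint tracing.

    Every output inherits the fraction of tainted value present among the
    inputs of the transaction that created it. Returns a mapping
    (txid, output_index) -> (amount_sats, taint_fraction).
    """
    taint = {}
    for tx in ledger:
        if tx["txid"] == origin_txid:
            fraction = Fraction(1)   # the theft itself: fully tainted
        elif not tx["inputs"]:
            fraction = Fraction(0)   # coinbase-like funding: clean
        else:
            total_in = sum(taint[ref][0] for ref in tx["inputs"])
            tainted_in = sum(taint[ref][0] * taint[ref][1] for ref in tx["inputs"])
            fraction = tainted_in / total_in
        for idx, (_addr, amount) in enumerate(tx["outputs"]):
            taint[(tx["txid"], idx)] = (amount, fraction)
    return taint


def tainted_unspent(ledger, taint):
    """Map each unspent address to the stolen satoshis it proportionally holds."""
    spent = {ref for tx in ledger for ref in tx["inputs"]}
    holdings = {}
    for tx in ledger:
        for idx, (addr, _amount) in enumerate(tx["outputs"]):
            ref = (tx["txid"], idx)
            if ref in spent:
                continue
            amount, fraction = taint[ref]
            holdings[addr] = int(amount * fraction)
    return holdings


def attributable_outputs(taint):
    """Outputs an investigator can still call 'stolen' with certainty (taint == 1)."""
    return sorted(ref for ref, (_amt, frac) in taint.items() if frac == 1)


if __name__ == "__main__":
    t = trace_taint(LEDGER, "theft")
    for ref, (amount, frac) in t.items():
        print(ref, amount, f"taint={frac}")
    print(tainted_unspent(LEDGER, t))
    print(attributable_outputs(t))
```

Before the CoinJoin round, the two outputs of `hop1` carry a taint of 1 and can be attributed outright; after it, each of the five mixer outputs carries exactly one fifth of the stolen value, and `attributable_outputs` returns nothing past `hop1`. The stolen satoshis are conserved (minus fees) but are now spread across addresses the tracer cannot tell apart, which is the effect the analysts quoted above describe.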

Further complicating the case is the alleged involvement of state-sponsored actors. Safe, a crypto wallet interface provider, published details in March 2025 indicating that the North Korean hacking group TraderTraitor was behind the original breach. The hackers gained access to Bybit funds after compromising a developer’s MacBook at Safe. The attack was carried out by embedding malware within a Docker file disguised as a stock investment simulator. Once executed, the malware connected to a suspicious domain and installed malicious scripts that extracted AWS session tokens. These tokens were then used to bypass multi-factor authentication and access Bybit’s backend systems. The breach occurred in early February and is among the largest cryptocurrency thefts in 2025. It has triggered renewed scrutiny from regulators and spurred debates around the vulnerabilities in Web3 infrastructure, especially developer endpoints and cloud access credentials.
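The breach chain above ends with stolen AWS session tokens being replayed from the attacker's infrastructure. One detection a cloud security team can run over CloudTrail is to watch for a temporary credential (an access key ID beginning with `ASIA`, the prefix AWS uses for STS-issued keys) being used from more than one source IP. The script below is an added example written for this article, not anything published by Safe, Bybit or AWS; its event records are constructed and simplified, keeping only the fields the check needs.

```python
# Constructed, simplified CloudTrail-like records (not real logs). Real events
# nest these fields (e.g. userIdentity.accessKeyId) and carry many more.
EVENTS = [
    {"eventTime": "2025-02-01T09:00:00Z", "eventName": "ListBuckets",
     "accessKeyId": "ASIAEXAMPLEKEY000001", "principal": "dev-laptop-role",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2025-02-01T09:05:00Z", "eventName": "GetObject",
     "accessKeyId": "ASIAEXAMPLEKEY000001", "principal": "dev-laptop-role",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    # Same temporary key, minutes later, from a different network and client.
    {"eventTime": "2025-02-01T09:12:00Z", "eventName": "GetObject",
     "accessKeyId": "ASIAEXAMPLEKEY000001", "principal": "dev-laptop-role",
     "sourceIPAddress": "198.51.100.77", "userAgent": "python-requests/2.31"},
    # A long-lived key (AKIA...) from one IP: not a session token, out of scope.
    {"eventTime": "2025-02-01T09:20:00Z", "eventName": "DescribeInstances",
     "accessKeyId": "AKIAEXAMPLEKEY000002", "principal": "ci-user",
     "sourceIPAddress": "192.0.2.5", "userAgent": "aws-cli/2.15.0"},
]


def is_temporary_key(access_key_id):
    """Temporary (STS) credentials have access key IDs beginning with 'ASIA'."""
    return access_key_id.startswith("ASIA")


def find_session_reuse(events):
    """Flag temporary credentials used from more than one source IP.

    The first IP seen for a session key is treated as its legitimate origin;
    any later call with that key from another IP is reported. Returns a list
    of alert dicts in event-time order.
    """
    origin = {}   # accessKeyId -> (first_ip, first_user_agent)
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev["accessKeyId"]
        if not is_temporary_key(key):
            continue
        ip = ev["sourceIPAddress"]
        if key not in origin:
            origin[key] = (ip, ev["userAgent"])
            continue
        first_ip, first_ua = origin[key]
        if ip != first_ip:
            alerts.append({
                "accessKeyId": key,
                "principal": ev["principal"],
                "origin_ip": first_ip,
                "new_ip": ip,
                "user_agent_changed": ev["userAgent"] != first_ua,
                "eventName": ev["eventName"],
                "eventTime": ev["eventTime"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print("session token reused from new IP:", alert)
```

Anchoring the baseline to the first IP seen is a deliberate simplification: developers on VPNs or behind changing NAT addresses will trigger it, so in production the origin would come from the STS `AssumeRole` event or a known office/VPN range, and the user-agent change (`aws-cli` to `python-requests` here) is a useful second signal before paging anyone. The same pattern applies to any bearer credential that is bound to a session but not to a client.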