FBI: North Korea-linked TraderTraitor is responsible for $1.5 Billion Bybit hack

Pierluigi Paganini
February 27, 2025

The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.

FBI links the recent Bybit hack to North Korea-linked group TraderTraitor as details of the $1.5B cyber heist emerge.

Last week, the crypto exchange Bybit suffered a sophisticated cyberattack in which threat actors transferred over 400,000 ETH and stETH, worth more than $1.5 billion, to an unidentified address.

The Bybit hack is the largest cryptocurrency heist ever, surpassing previous ones like Ronin Network ($625M), Poly Network ($611M), and BNB Bridge ($566M).

The attack masked the signing interface and compromised one of Bybit’s ETH multisig cold wallets, allowing the threat actors to redirect its funds to an unknown address.

“Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic.” reads the statement published by the company on X. “As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.”

Bybit’s security team, leading blockchain forensic experts, and partners are investigating the security breach. The company assures users and partners that all other cold wallets remain fully secure, that client funds are safe, and that operations continue without disruption. It says maintaining transparency and security is a top priority and that it will provide updates as soon as possible.

Bybit speculated that attackers likely exploited a vulnerability in the Safe.global platform’s user interface but shared no technical details.
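The statement above describes the core failure: the signing interface showed the owners one transaction while the payload they actually signed was another. What a Safe owner signs is not the recipient shown on screen but an EIP-712 digest that commits to every field of the transaction (recipient, value, calldata, the `operation` flag that selects call or delegatecall, gas parameters, nonce). A signer who recomputes that digest offline from the parameters they intend, and compares it with the hash the hardware wallet displays, will see a mismatch if any field was swapped. The following is an added example, not code from Bybit, Safe or the article: it reimplements the Safe v1.3.0 `getTransactionHash` computation (with a self-contained Keccak-256) and a signer-side refusal policy. The addresses, chain id, nonce and calldata are constructed placeholders, and the tampered transaction's use of delegatecall is an illustrative assumption of how "contract logic" could be altered, not a claim about what was done to Bybit.

```python
"""Recompute a Safe (Gnosis Safe v1.3.0) multisig transaction hash offline.

Added example, not code from Bybit, Safe or the article. All addresses, the
chain id, nonce and calldata below are constructed placeholders.
"""
import struct

MASK = (1 << 64) - 1
ZERO_ADDRESS = "0x" + "00" * 20
CALL, DELEGATECALL = 0, 1  # the two values of SafeTx.operation

# Keccak-f[1600] round constants and rotation offsets (standard tables).
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK if n else v


def _keccak_f(a):
    """Keccak-f[1600] permutation on a 5x5 lane array indexed a[x][y]."""
    for rc in RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], ROT[x][y])
        a = [[b[x][y] ^ ((~b[(x + 1) % 5][y] & MASK) & b[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]
        a[0][0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    """Ethereum's Keccak-256 (original 0x01..0x80 padding, not SHA3-256)."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    state = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):
        for i, lane in enumerate(struct.unpack("<17Q", buf[off:off + rate])):
            state[i % 5][i // 5] ^= lane
        state = _keccak_f(state)
    return b"".join(struct.pack("<Q", state[i % 5][i // 5]) for i in range(4))


def _word(v: int) -> bytes:
    return v.to_bytes(32, "big")  # one ABI-encoded 32-byte word


DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")


def safe_tx_hash(chain_id, safe, to, value, data, operation, nonce, safe_tx_gas=0,
                 base_gas=0, gas_price=0, gas_token=ZERO_ADDRESS,
                 refund_receiver=ZERO_ADDRESS) -> bytes:
    """EIP-712 digest a Safe v1.3.0 owner signs (what getTransactionHash returns)."""
    domain = keccak256(DOMAIN_TYPEHASH + _word(chain_id) + _word(int(safe, 16)))
    struct_hash = keccak256(
        SAFE_TX_TYPEHASH + _word(int(to, 16)) + _word(value) + keccak256(data)
        + _word(operation) + _word(safe_tx_gas) + _word(base_gas) + _word(gas_price)
        + _word(int(gas_token, 16)) + _word(int(refund_receiver, 16)) + _word(nonce))
    return keccak256(b"\x19\x01" + domain + struct_hash)


def refuse_reasons(intended: dict, proposed: dict) -> list:
    """Signer-side policy: refuse unless the proposed SafeTx hashes to what was
    intended, and never delegatecall for a plain transfer. Empty list = sign."""
    reasons = []
    if proposed["operation"] == DELEGATECALL:
        reasons.append("operation=1 (delegatecall) runs foreign code with the Safe's storage and funds")
    if safe_tx_hash(**intended) != safe_tx_hash(**proposed):
        changed = sorted(k for k in intended if intended[k] != proposed.get(k))
        reasons.append("safeTxHash mismatch; fields changed: " + ", ".join(changed))
    return reasons


# Constructed scenario: cold Safe moves 100 ETH to the warm wallet as a plain call.
SAFE, WARM = "0x" + "11" * 20, "0x" + "22" * 20
INTENDED = dict(chain_id=1, safe=SAFE, to=WARM, value=100 * 10**18, data=b"",
                operation=CALL, nonce=42)
# What a masked UI could submit instead: the same recipient on screen, but a
# delegatecall carrying calldata (placeholder bytes, not real calldata).
TAMPERED = dict(INTENDED, data=b"\xde\xad\xbe\xef", operation=DELEGATECALL)

if __name__ == "__main__":
    print("intended safeTxHash:", safe_tx_hash(**INTENDED).hex())
    print("tampered safeTxHash:", safe_tx_hash(**TAMPERED).hex())
    print("refuse because:", refuse_reasons(INTENDED, TAMPERED))
```

The practical workflow this supports: each owner computes `safe_tx_hash` on an offline machine from the parameters agreed out of band, then signs only if the hardware wallet's displayed hash matches byte for byte; anything a compromised web interface changes, including fields the UI never shows, changes the digest.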

Bybit CEO Ben Zhou assured customers that the exchange would remain solvent even if the stolen funds were not recovered. Bybit stated it has over $20 billion in assets under management and will use a bridge loan if needed to ensure user funds remain available.

Zhou also highlighted that all other cold wallets managed by the exchange are secure.

Blockchain cybersecurity firm Elliptic was among the first research teams to attribute the cyber heist to the notorious North Korea-linked APT group Lazarus; at the time, Bybit had yet to confirm it.

“Almost $1.5 billion in crypto was stolen from Bybit today. That makes it by far the largest crypto heist of all time. It’s also potentially the largest single theft of any kind, ever.
We’re working to help exchanges and law enforcement to trace and freeze these funds. The more difficult we make it to benefit from crimes such as this, the less frequently they will take place.” said Elliptic Co-founder Tom Robinson. “*Update* It’s now been confirmed that North Korea’s Lazarus Group were behind this hack.”

Cybersecurity firm Arkham Intelligence also attributed the attack to the Lazarus APT group.

On Wednesday, the FBI published a Public Service Announcement that attributes the billion-dollar heist to the group it tracks as TraderTraitor.

“The Federal Bureau of Investigation (FBI) is releasing this PSA to advise the Democratic People’s Republic of Korea (North Korea) was responsible for the theft of approximately $1.5 billion USD in virtual assets from cryptocurrency exchange, Bybit, on or about February 21, 2025. FBI refers to this specific North Korean malicious cyber activity as “TraderTraitor.”” reads the advisory. “TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains. It is expected these assets will be further laundered and eventually converted to fiat currency.”

The FBI also published a list of Ethereum addresses that are holding or have held assets from the theft, and are operated by or closely connected to North Korean TraderTraitor actors.
