
Lazarus Hackers Steal $1.5 Billion from Crypto Exchange Bybit

The Federal Bureau of Investigation (FBI) has confirmed that the North Korean hacking group Lazarus stole approximately $1.5 billion from cryptocurrency exchange Bybit. The theft has now been labeled the largest crypto heist in history.

The attack, attributed to the state-sponsored APT hacking group known as TraderTraitor, Lazarus Group, and APT38, was executed by intercepting a scheduled transfer of funds from one of Bybit’s cold wallets to a hot wallet. This action allowed the attackers to redirect the assets to their own blockchain address.


Record-Breaking Crypto Heist: the Details

According to an FBI Public Service Announcement (PSA), the attack occurred on February 21, 2025, with the hackers swiftly converting part of the stolen assets into Bitcoin and other virtual currencies. These funds were dispersed across thousands of addresses on multiple blockchains to hinder tracking efforts. Investigators expect that the stolen cryptocurrency will undergo further laundering and eventually be converted into fiat currency.

Links to Lazarus Group and Past Attacks

Cybercrime investigator ZachXBT unearthed multiple links between the Bybit heist and previous hacks on Phemex, BingX, and Poloniex, all of which had been previously attributed to the Lazarus Group. His findings were corroborated by Elliptic and TRM Labs, two blockchain analysis firms that identified substantial overlaps between addresses controlled by the Bybit hackers and those linked to past North Korean cyber heists.




Methodology of the Attack

Bybit CEO Ben Zhou shared preliminary findings from cybersecurity firm Sygnia and financial security company Verichains, which traced the attack to the multisig wallet platform Safe{Wallet}. Investigations revealed that North Korean hackers gained access to a Safe{Wallet} developer machine, which in turn allowed them to compromise an account operated by Bybit. The Safe Ecosystem Foundation confirmed this, stating that the attack involved a disguised malicious transaction that successfully infiltrated Bybit’s Safe infrastructure.

North Korean Hackers Have Stolen Billions in Crypto Assets

In response to the attack, the FBI urged cryptocurrency exchanges, DeFi platforms, blockchain analytics firms, and RPC node operators to block transactions originating from addresses used by North Korean hackers. The agency also shared 51 Ethereum addresses linked to the stolen assets, advising firms to act to prevent further laundering attempts.

To put the magnitude of the Bybit heist into perspective, blockchain analytics firm Chainalysis reported that North Korean hackers stole $1.34 billion across 47 crypto heists in 2024. Elliptic further estimated that North Korea has stolen over $6 billion in crypto assets since 2017, with much of the proceeds allegedly funding the country’s ballistic missile program.

The Bybit attack marks a new high in crypto-related cybercrime, revealing the growing sophistication of state-sponsored cyber threats and the need for improved security measures within the cryptocurrency industry.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
