Bybit lost $1.5B in a cyberattack linked to North Korean hackers. The breach stemmed from a compromised Safe{Wallet} developer machine.
On February 21, 2025, Bybit, one of the world’s largest cryptocurrency exchanges, was hit by a massive cyberattack that led to the theft of around USD 1.5 billion in Ethereum (ETH) tokens. The breach set a new record as the largest exploit in crypto exchange history, surpassing all previous exchange breaches and drawing attention to the growing sophistication of the attackers behind them.
For context, North Korea has been responsible for a significant share of cryptocurrency thefts, with estimates indicating that the country stole around USD 800 million in digital assets in 2024 alone. These thefts, far larger on average than those attributed to other groups, underscore North Korea’s focus on high-profile, large-scale operations aimed at maximizing impact.
FBI Confirms North Korean Hackers Behind Bybit Theft
The FBI has confirmed that North Korean hackers were behind the theft from the cryptocurrency exchange Bybit on February 21st, marking the largest recorded crypto heist to date.
In response, the FBI has advised RPC node operators, exchanges, DeFi platforms, and blockchain analytics firms to block transactions from addresses associated with the North Korean hackers to prevent further laundering of the stolen assets.
The group, tracked under the names TraderTraitor, Lazarus Group, and APT38, intercepted a scheduled transfer from Bybit’s cold wallet to a hot wallet and rerouted the cryptocurrency to a blockchain address under its control.
In a Public Service Announcement, the FBI mentioned that the attackers, identified as TraderTraitor, have rapidly converted some of the stolen funds into Bitcoin and other virtual assets, spreading them across thousands of addresses on multiple blockchains. They warned that these assets would likely be further laundered before being converted to fiat currency.
Following the incident, crypto fraud investigator ZachXBT traced several connections to the notorious Lazarus Group, a North Korean hacking group, after finding that some of the stolen Bybit funds were transferred to an Ethereum address previously linked to hacks on exchanges such as Phemex, BingX, and Poloniex.
Bybit’s Post-Mortem and Safe{Wallet} Breach
On Wednesday, February 26, Bybit CEO Ben Zhou released preliminary post-mortem reports from Sygnia and Verichains, two cybersecurity firms, which indicated that the attack stemmed from infrastructure operated by Safe{Wallet}, a multisig wallet platform.
Bybit Hack Forensics Report
As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains
Screenshotted the conclusion and here is the link to the full report: https://t.co/3hcqkXLN5U — Ben Zhou (@benbybit) February 26, 2025
The Safe Ecosystem Foundation confirmed the findings, stating that the attackers first compromised a Safe{Wallet} developer’s machine and used that access to reach a Safe account operated by Bybit.
Statement posted by Safe.eth (@safe) on February 26, 2025.
According to the investigation, the Lazarus Group used the compromised developer machine to create and propose a disguised malicious transaction that led to the breach. In addition, U.S. federal law enforcement published a list of 51 Ethereum addresses involved in laundering the stolen Bybit funds, all traced back to the Lazarus hackers.
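The FBI guidance above (block transactions touching the flagged addresses) comes down to screening every transaction an operator relays or settles against an address list. The Python below is an added example for this article, not code from Bybit, Safe{Wallet} or the FBI, and the blocklist and transactions in it are constructed placeholders, not the 51 published addresses. It checks the outer `from`/`to` of each transaction and also the indexed addresses in ERC-20 `Transfer` logs, since tokens moved through a contract never appear in the outer `to` field, and it lower-cases addresses so EIP-55 mixed-case and lower-case forms match instead of silently missing.

```python
"""Screen Ethereum transactions against a blocklist of flagged addresses.

Added example for this article; not code from Bybit, Safe{Wallet} or the FBI.
All addresses and transactions below are constructed placeholders (assumption),
not the 51 addresses the FBI published.
"""

# keccak256("Transfer(address,address,uint256)"): topics[0] of every ERC-20 Transfer log.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"


def normalize(addr: str) -> str:
    """Validate a 20-byte hex address and lower-case it.

    Blocklists and node output mix EIP-55 checksummed (mixed-case) and
    lower-case forms; a byte-equal compare would silently miss a match.
    """
    a = addr.strip().lower()
    if not a.startswith("0x") or len(a) != 42:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a


def topic_to_address(topic: str) -> str:
    """Unpack an indexed address from a 32-byte log topic (left-padded with zeros)."""
    t = topic.strip().lower()
    if not t.startswith("0x") or len(t) != 66:
        raise ValueError(f"not a 32-byte topic: {topic!r}")
    if t[2:26] != "0" * 24:
        raise ValueError(f"topic is not a zero-padded address: {topic!r}")
    return normalize("0x" + t[26:])


def load_blocklist(lines) -> frozenset:
    """Parse a one-address-per-line list; blank lines and '#' comments are ignored."""
    addrs = set()
    for line in lines:
        body = line.split("#", 1)[0].strip()
        if body:
            addrs.add(normalize(body))
    return frozenset(addrs)


def screen_tx(tx: dict, blocklist: frozenset) -> list:
    """Return [(role, address), ...] for every flagged address the transaction touches.

    Checks the outer from/to and, because a token transfer routed through a
    contract never shows the recipient in the outer `to`, the indexed from/to
    of every ERC-20 Transfer log in the receipt.
    """
    hits = []
    for role in ("from", "to"):
        if tx.get(role):
            a = normalize(tx[role])
            if a in blocklist:
                hits.append((role, a))
    for log in tx.get("logs", []):
        topics = log.get("topics", [])
        if len(topics) == 3 and topics[0].lower() == TRANSFER_TOPIC:
            for role, topic in (("erc20_from", topics[1]), ("erc20_to", topics[2])):
                a = topic_to_address(topic)
                if a in blocklist:
                    hits.append((role, a))
    return hits


def screen_batch(txs, blocklist: frozenset) -> dict:
    """Map tx hash -> hits for a batch, so callers can hold flagged ones for review."""
    return {tx["hash"]: screen_tx(tx, blocklist) for tx in txs}


# --- constructed sample data (assumption: placeholders, not real flagged addresses) ---
BLOCKLIST_TEXT = """\
# placeholder flagged addresses
0xabcdefabcdefabcdefabcdefabcdefabcdefabcd
0x2222222222222222222222222222222222222222  # second placeholder
"""


def _pad(addr: str) -> str:
    """Encode an address as an indexed log topic (32 bytes, left-padded)."""
    return "0x" + "0" * 24 + normalize(addr)[2:]


SENDER = "0x" + "aa" * 20
TOKEN = "0x" + "cc" * 20
SAMPLE_TXS = [
    {"hash": "0x01", "from": SENDER, "to": "0x" + "bb" * 20, "logs": []},  # clean
    {"hash": "0x02", "from": SENDER,  # direct hit, recipient given in EIP-55 mixed case
     "to": "0xABCDEFabcdefABCDEFabcdefABCDEFabcdefABCD", "logs": []},
    {"hash": "0x03", "from": SENDER, "to": TOKEN, "logs": [  # hit only inside the ERC-20 log
        {"address": TOKEN, "topics": [TRANSFER_TOPIC, _pad(SENDER),
                                      _pad("0x2222222222222222222222222222222222222222")]}]},
]

if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_TEXT.splitlines())
    for h, hits in screen_batch(SAMPLE_TXS, bl).items():
        print(h, "FLAGGED" if hits else "ok", hits)
```

In practice the list would be refreshed from the published advisory and the screening run on receipts (which carry the logs) rather than on raw transactions, and internal ETH transfers from contract calls would need a trace-enabled node, since they produce no log at all.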