
The FBI (Federal Bureau of Investigation) has confirmed that the massive $1.5 billion hack of Bybit is connected to North Korean hackers, with Bybit CEO Ben Zhou announcing a “war against Lazarus.” According to the agency, the Democratic People’s Republic of Korea (North Korea) is behind the theft of cryptocurrency assets from the exchange, with the hack attributed to a group known as TraderTraitor, also identified as Jade Sleet, Slow Pisces, and UNC4899.
The FBI revealed that the TraderTraitor group is swiftly moving stolen assets, converting them into Bitcoin and other cryptocurrencies, and spreading them across thousands of blockchain addresses. These assets are expected to be further laundered and eventually exchanged for fiat currencies. Notably, the TraderTraitor group was implicated in a $308 million cryptocurrency theft from the DMM Bitcoin exchange in May 2024, which was tracked by U.S. and Japanese authorities.
This group is infamous for targeting Web3 companies, using deceptive tactics like luring victims into downloading malicious cryptocurrency applications to facilitate theft. They have also been known to carry out social engineering campaigns involving fake job offers, leading to the distribution of malicious npm packages.
In response to the attack, Bybit has launched a bounty program to track down the stolen funds. The exchange criticized eXch for not cooperating in freezing the assets involved in the hack. Bybit explained that the stolen funds were moved to locations like exchanges, mixers, or bridges, where they could not be traced or frozen. The exchange emphasized the need for cooperation from all parties to either freeze the stolen funds or provide updates on their movement to help with the investigation.
Bybit has shared the results of two independent investigations, one by Sygnia and another by Verichains, both pointing to the Lazarus Group as the perpetrators. The Sygnia report indicated that the attack was initiated via malicious code from Safe{Wallet}’s infrastructure.

Verichains further discovered that the benign JavaScript file from Safe{Wallet}’s app.safe.global was replaced with malicious code on February 19, 2025, specifically targeting Bybit’s Ethereum Multisig Cold Wallet. This malicious code was designed to activate during a Bybit transaction on February 21, 2025. It is believed that Safe{Wallet}’s AWS S3 or CloudFront API key was either leaked or compromised, enabling the supply chain attack.
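A file swapped in the hosting bucket after the build, as described above, can be caught by comparing what the origin serves against digests recorded at build time. The sketch below is an added example, not code from Safe{Wallet}, Bybit or either report; the file names, contents and the manifest layout are assumptions, and the served bytes are embedded inline instead of being fetched.

```python
import base64
import hashlib


def sri_digest(data: bytes) -> str:
    """Subresource-Integrity style digest: 'sha384-<base64>'."""
    raw = hashlib.sha384(data).digest()
    return "sha384-" + base64.b64encode(raw).decode("ascii")


def audit_assets(manifest: dict, served: dict) -> list:
    """Compare what the bucket/CDN serves with the build-time manifest.

    manifest: path -> digest recorded by the build pipeline
    served:   path -> bytes actually fetched from the origin
    Returns sorted (path, finding) tuples; an empty list means clean.
    """
    findings = []
    for path, expected in manifest.items():
        if path not in served:
            findings.append((path, "missing"))
        elif sri_digest(served[path]) != expected:
            findings.append((path, "modified"))
    for path in served.keys() - manifest.keys():
        findings.append((path, "unexpected"))
    return sorted(findings)


# Constructed sample data: hypothetical file names and contents.
BUILD = {
    "static/js/main.js": b"export const version = '1.0.0';\n",
    "static/js/vendor.js": b"/* vendor bundle */\n",
    "static/js/runtime.js": b"/* runtime */\n",
}
# Recorded at build time and kept where the bucket/CDN credentials cannot write.
MANIFEST = {path: sri_digest(body) for path, body in BUILD.items()}

# What the origin returns after a post-build change (constructed).
SERVED = {
    "static/js/main.js": BUILD["static/js/main.js"] + b"/* changed after build */\n",
    "static/js/vendor.js": BUILD["static/js/vendor.js"],
    "static/js/extra.js": b"/* not produced by the build */\n",
}

if __name__ == "__main__":
    for path, finding in audit_assets(MANIFEST, SERVED):
        print(f"{finding:10} {path}")
```

The check only helps if the manifest lives outside the reach of the storage or CDN credentials; a manifest stored in the same bucket can be replaced along with the file.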
In a statement, Safe{Wallet} clarified that the attack originated from a compromised developer machine at Safe{Wallet}, which affected an account managed by Bybit. The company stated that it has taken extra precautions to prevent further breaches through this vector.
The hack was carried out by exploiting a developer’s machine to propose a malicious transaction under the guise of a legitimate one. Lazarus, a North Korean state-sponsored hacker group, is known for sophisticated social engineering attacks aimed at developer credentials, sometimes coupled with zero-day exploits. The exact method of how the developer’s system was breached remains unclear.
Silent Push, in its analysis, uncovered that the Lazarus Group registered the domain bybit-assessment[.]com at 22:21:57 UTC on February 20, 2025, just hours before the cryptocurrency theft occurred. WHOIS records revealed that the domain was registered using an email address previously linked to the Lazarus Group in connection with another operation called Contagious Interview.
Silent Push noted that the Bybit hack was conducted by the DPRK hacker group TraderTraitor, which is also known as Jade Sleet and Slow Pisces. The same group was involved in the crypto interview scam led by another DPRK hacker group, Contagious Interview, also known as Famous Chollima. This group typically approaches victims via LinkedIn, where they are tricked into participating in fake job interviews. These interviews are used as an entry point for deploying malware, harvesting credentials, and compromising financial and corporate assets.
Since 2017, North Korean-linked hacking groups have stolen more than $6 billion in cryptocurrency assets. The $1.5 billion stolen in this recent hack surpasses the $1.34 billion the same actors had stolen in 47 separate cryptocurrency heists throughout 2024.