The Federal Bureau of Investigation delivered a definitive attribution on February 27, 2025, confirming that the Democratic People’s Republic of Korea was responsible for the theft of approximately $1.5 billion in virtual assets from cryptocurrency exchange Bybit. The FBI identified the threat actor as TraderTraitor, a North Korea-linked group also known as Lazarus, marking the largest cryptocurrency heist ever recorded and one of the largest single thefts of any kind in history.
The Bybit hack, which occurred on February 21, 2025, saw threat actors transfer over 401,000 ETH and stETH worth more than $1.5 billion to an unidentified address. Bitcoin traded at approximately $84,704 and Ethereum at $2,305 at the time of the FBI’s announcement, underscoring the sheer magnitude of the stolen assets. The theft surpassed previous records including the Ronin Network hack at $625 million, the Poly Network breach at $611 million, and the BNB Bridge exploit at $566 million.
The Exploit Mechanics
The attack targeted Bybit’s Ethereum cold wallet during a routine transfer to a warm wallet. The exchange uses a multisig system through Safe (formerly Gnosis Safe) for approving large transactions. According to Bybit CEO Ben Zhou, the manipulation occurred at the signing interface level. While the correct URL and destination address appeared on-screen, the underlying smart contract logic had been altered.
The hackers likely compromised the computers of all signers involved in the multisig approval process or exploited a vulnerability within the Safe platform’s user interface. Zhou confirmed he personally verified the URL and used a Ledger hardware device during signing. Despite these precautions, the attackers manipulated the transaction data at the smart contract level, exploiting the inherent complexity of Ethereum’s smart contract architecture.
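The interface-level manipulation described above is the reason signers need a check that does not depend on the UI at all. The following is an added defensive example, not Bybit's or Safe's own code: a pure-Python decoder that reads the destination, value, inner calldata and operation type straight out of raw Safe `execTransaction` calldata so a signer can compare them with what the signing screen displayed. The addresses and calldata are constructed placeholders, and the DELEGATECALL finding reflects Safe's general operation semantics (operation 1 runs the target's code against the Safe's own storage), not a claim about how this particular transaction was altered.

```python
from dataclasses import dataclass

# execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
EXEC_TX_SELECTOR = bytes.fromhex("6a761202")  # selector from the published Safe ABI
WORD, CALL, DELEGATECALL = 32, 0, 1

@dataclass
class SafeTx:
    to: str         # address the Safe will call
    value: int      # wei sent with the call
    data: bytes     # inner calldata the Safe executes
    operation: int  # 0 = CALL, 1 = DELEGATECALL

def _dyn(b: bytes) -> bytes:  # ABI tail for `bytes`: length word, then data padded to 32
    return len(b).to_bytes(WORD, "big") + b + b"\x00" * (-len(b) % WORD)

def encode_exec_transaction(tx: SafeTx, signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction with zero gas/refund params (used to build sample input)."""
    data_off = 10 * WORD  # ten head words precede the dynamic tail
    head = (bytes.fromhex(tx.to[2:]).rjust(WORD, b"\x00")
            + tx.value.to_bytes(WORD, "big")
            + data_off.to_bytes(WORD, "big")
            + tx.operation.to_bytes(WORD, "big")
            + b"\x00" * (WORD * 5)  # safeTxGas, baseGas, gasPrice, gasToken, refundReceiver
            + (data_off + len(_dyn(tx.data))).to_bytes(WORD, "big"))
    return EXEC_TX_SELECTOR + head + _dyn(tx.data) + _dyn(signatures)

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Read to/value/data/operation straight from raw calldata, trusting no UI."""
    if calldata[:4] != EXEC_TX_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    word = lambda i: int.from_bytes(body[i * WORD:(i + 1) * WORD], "big")
    off = word(2)
    data = body[off + WORD:off + WORD + int.from_bytes(body[off:off + WORD], "big")]
    return SafeTx("0x" + body[12:WORD].hex(), word(1), data, word(3))

def review(calldata: bytes, shown_to: str) -> list[str]:
    """Findings a signer must resolve before approving what the interface displayed."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.to.lower() != shown_to.lower():
        findings.append(f"destination {tx.to} differs from displayed {shown_to}")
    if tx.operation != CALL:
        findings.append(f"operation {tx.operation} is not a plain CALL (1 = DELEGATECALL runs "
                        "the target's code against the Safe's own storage)")
    return findings

# Constructed sample (placeholder addresses): the UI shows a transfer to the warm wallet,
# but the raw calldata targets another address via DELEGATECALL.
SHOWN_TO = "0x" + "11" * 20
TAMPERED = encode_exec_transaction(SafeTx("0x" + "22" * 20, 0, b"\xde\xad", DELEGATECALL))
```

`review(TAMPERED, SHOWN_TO)` returns two findings (destination mismatch and non-CALL operation); the same calldata encoded with the displayed destination and `CALL` returns none.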
Blockchain cybersecurity firm Elliptic was among the first to attribute the heist to Lazarus, followed by Arkham Intelligence. The rapid laundering of stolen funds through decentralized exchanges and cross-chain bridges bore the hallmark patterns of North Korean operations documented in previous attacks.
Affected Systems
The breach was confined to a single Ethereum cold wallet. Bybit confirmed that all other cold wallets, including those holding Bitcoin and USDT, remained fully secure and uncompromised. No other assets or wallet types were affected by the incident.
The compromised wallet held approximately 401,000 ETH, representing a significant portion of Bybit’s Ethereum reserves. At the time of the theft, this amount was valued at over $1.5 billion. The exchange stated it had over $20 billion in assets under management and maintained a 1:1 reserve ratio, which provided a buffer against complete insolvency.
Withdrawal processing continued throughout the crisis, with approximately 70 percent of withdrawal requests processed within the first several hours. Bybit secured bridge loans from partners to address the Ethereum liquidity deficit, ensuring continued operations without needing to purchase ETH on the open market.
The Mitigation Strategy
Bybit’s response involved multiple coordinated efforts. The exchange collaborated with leading blockchain forensic experts, including Elliptic and Chainalysis, to trace and potentially freeze stolen funds. Law enforcement agencies across multiple jurisdictions were engaged to assist in the recovery process.
The exchange also implemented enhanced security protocols for all remaining wallets. Bybit’s security team conducted comprehensive audits of all wallet systems to ensure no additional vulnerabilities existed. The company partnered with the Safe team to understand the root cause and identify weaknesses in the multisig signing process.
Zhou publicly guaranteed that customer funds were safe, emphasizing that Bybit would use its own reserves and partner bridge loans to cover the shortfall. The exchange committed to full transparency, providing regular updates through live streams and social media channels throughout the recovery process.
Lessons Learned
The Bybit hack exposed fundamental weaknesses in even the most sophisticated cold wallet security architectures. The fact that a multisig setup with hardware wallet verification could be compromised through interface manipulation represents a paradigm shift in threat assessment for cryptocurrency exchanges.
The incident highlights the growing sophistication of state-sponsored cybercrime targeting digital assets. North Korea’s Lazarus Group has consistently demonstrated an ability to adapt to defensive measures, employing increasingly complex social engineering and supply chain attack vectors.
Immunefi reported on the same day that crypto losses in February 2025 alone reached $1.53 billion, representing a 20-fold surge from January and nearly matching total losses for all of 2024. The overwhelming majority of these losses were attributable to the Bybit incident, but the report also documented additional exploits targeting DeFi protocols and individual wallets during the same period.
User Action Required
For users of Bybit and other centralized exchanges, the incident serves as a critical reminder to review security practices. Enable all available two-factor authentication methods. Consider distributing assets across multiple platforms rather than concentrating holdings in a single exchange. For large holdings, self-custody through hardware wallets with verified firmware remains the strongest defense against exchange-level compromises.
Users should also monitor official exchange communications during security incidents and act promptly on withdrawal advisories. The rapid processing of Bybit withdrawals demonstrated the importance of exchange liquidity reserves, but individual preparedness remains essential.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
401k ETH gone in minutes and bybit still operating like nothing happened. wild
that's because they got bailed out by whales and industry loans. doesn't mean the hole is filled though
Tomasz Nowak is right. bybit filled the hole with loans and whale deposits but that ETH is gone forever. laundering through tornado as we speak
Lazarus has been running this playbook for years. Ronin hack was the same group, just a smaller number.
ronin was $625m, this is $1.5b. the scale each time is absurd
ChainChad is right, same group same playbook. the difference is scale. each hack is bigger than the last
401k ETH stolen and nobody in tradfi cares because it is crypto. a bank heist of this size would be front page for a month