FBI Links Record-Breaking $1.5 Billion Bybit Hack to North Korean Lazarus Group

The U.S. Federal Bureau of Investigation (FBI) has officially attributed the $1.5 billion cryptocurrency theft from Bybit to North Korean hacking groups, specifically TraderTraitor, also tracked as Jade Sleet, Slow Pisces, and UNC4899. Bybit’s CEO, Ben Zhou, has vowed to fight back, declaring a "war against Lazarus."

How the Attack Unfolded

According to the FBI, the stolen funds have already been converted into Bitcoin and other cryptocurrencies, dispersed across thousands of blockchain addresses, and are expected to be laundered and converted into fiat currency.

  • TraderTraitor’s Tactics:
    • The group is known for targeting Web3 companies, often deploying malware-laced crypto apps or using fake job interviews to lure victims into downloading malicious software.
    • Previously, TraderTraitor was implicated in the $308 million DMM Bitcoin hack in May 2024.

Investigations and Findings

Bybit launched an internal probe and enlisted cybersecurity firms Sygnia and Verichains, both of which confirmed links to Lazarus Group.

  • Root Cause: Malicious code was injected into Safe{Wallet}'s infrastructure, specifically replacing a benign JavaScript file on app.safe.global on February 19, 2025.
  • Trigger Mechanism: The attack was designed to activate during Bybit’s next transaction, which took place on February 21, 2025.
  • Supply Chain Compromise: The breach may have occurred due to a leaked AWS S3 or CloudFront API key, enabling a sophisticated supply chain attack.
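A swap of a single hosted JavaScript file like the one described above is the kind of change an out-of-band integrity monitor is built to catch: the release pipeline records a hash of every deployed asset, and a separate job periodically fetches what the origin actually serves and diffs it against that record. The following is an added Python example, not tooling from Safe{Wallet}, Bybit, Sygnia or Verichains; the asset paths, file contents and the "deployed vs. served" snapshots are constructed for illustration.

```python
"""Out-of-band integrity check for static web assets (e.g. a bucket or CDN
origin). Example code; the deployment and fetch snapshots are constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(deployed: dict[str, bytes]) -> dict[str, str]:
    """Record, at deploy time, the hash of every asset that was published."""
    return {path: sha256_hex(body) for path, body in deployed.items()}


def check_served_assets(baseline: dict[str, str],
                        served: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare what the origin currently serves with the deploy-time record.
    Returns paths whose content changed, unexpected new paths, and paths that
    have disappeared; any non-empty list is a reason to page someone."""
    report: dict[str, list[str]] = {"modified": [], "added": [], "missing": []}
    for path, expected in baseline.items():
        if path not in served:
            report["missing"].append(path)
        elif sha256_hex(served[path]) != expected:
            report["modified"].append(path)
    report["added"] = [p for p in served if p not in baseline]
    for key in report:
        report[key].sort()
    return report


# Constructed snapshot of what the release pipeline published ...
DEPLOYED = {
    "/index.html": b"<script src=/app.js></script>",
    "/app.js": b"export function sign(tx) { return wallet.sign(tx); }",
    "/vendor.js": b"/* third-party bundle */",
}
# ... and what a later monitoring fetch returned: app.js no longer matches.
SERVED = {
    "/index.html": DEPLOYED["/index.html"],
    "/app.js": b"export function sign(tx) { /* altered */ return wallet.sign(tx); }",
    "/vendor.js": DEPLOYED["/vendor.js"],
}


def demo() -> dict[str, list[str]]:
    return check_served_assets(build_baseline(DEPLOYED), SERVED)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is written by the deploy job to a store the web-hosting credentials cannot touch, so that a leaked bucket or CDN key lets an attacker change the served file but not the record it is checked against.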

Lazarus’ Evolving Tactics

Further analysis from Silent Push uncovered that the Lazarus Group registered the domain bybit-assessment[.]com just hours before the theft.

  • The WHOIS records show it was registered with an email previously linked to Lazarus, reinforcing suspicions of North Korea’s involvement.
  • The same tactics were used in previous LinkedIn-based scams, where job applicants were tricked into downloading malware as part of fake job interviews.

Bybit’s Response and Industry Impact

Bybit has launched a bounty program to recover stolen funds, while also calling out crypto exchange eXch for refusing to cooperate in freezing assets.

North Korean state-backed cybercriminals have stolen over $6 billion in cryptocurrency since 2017, with this $1.5 billion heist surpassing the total amount stolen in 2024 across 47 crypto-related attacks.

With Lazarus continuing to refine its attack methods, cybersecurity experts warn that the crypto industry must bolster its defenses against supply chain threats, social engineering, and API compromises.