FBI Confirms North Korean Lazarus Group Behind $1.5 Billion Bybit Hack
The FBI has officially confirmed that the Bybit hack, which resulted in the theft of nearly $1.5 billion worth of Ethereum, was carried out by North Korea’s Lazarus group. The attack, which took place on February 21, was linked to a subgroup of Lazarus known as TraderTraitor, a hacker campaign notorious for targeting blockchain companies since 2022.
How the Attack Happened
Investigators have traced the root cause of the hack to malicious code injected into the Safe{Wallet} infrastructure, specifically a compromised AWS S3 bucket. According to cybersecurity firms Sygnia and Verichains, the attackers exploited a vulnerability in Safe{Wallet}, a decentralized custody protocol, by:
- Compromising a Safe{Wallet} developer's machine
- Injecting malicious JavaScript code into Safe{Wallet}'s system on February 19
- Manipulating Bybit’s Ethereum cold wallet transactions during the signing process
- Diverting funds to a hacker-controlled address while making it appear as if they were sent to the correct recipient
- Once the theft was completed, the hackers removed the malicious code to cover their tracks.
Tracking the Stolen Funds
The FBI has published a list of cryptocurrency addresses linked to the Lazarus group. It has also confirmed that some of the stolen assets have already been converted to Bitcoin and dispersed across thousands of addresses on multiple blockchains. The stolen funds are expected to be further laundered and eventually converted into fiat currency.
To date, only 3% ($42 million) of the stolen funds have been frozen, with $95 million marked as ‘awaiting response’ from cryptocurrency platforms.
- Bybit’s Response
- Bybit, which claims to be the world’s second-largest cryptocurrency exchange by trading volume, has launched a bug bounty program to help track and recover the stolen funds. The company is offering:
- 5% of the recovered funds to any entity that manages to freeze the stolen cryptocurrency
- 5% to those who help trace the stolen assets
- Bybit has already paid out over $4 million in bounties but has noted that some crypto services have refused to cooperate in the investigation.
- Bybit’s co-founder and CEO, Ben Zhou, stated:
- “We will not stop until Lazarus or bad actors in the industry are eliminated.”
- Bybit has also assured customers that their assets are backed and that the company remains financially stable, even if the stolen funds are not fully recovered.
The Bigger Picture: Rising Crypto Crime
According to the 2025 Crypto Crime Report by Chainalysis, cryptocurrency wallets used for illegal activities received roughly $40 billion in 2024. However, once all data is analyzed, the total illicit crypto transactions for 2024 are expected to exceed $51 billion.
The Bybit hack marks one of the largest crypto heists in history, further highlighting the growing threat posed by state-sponsored cybercrime, particularly from North Korea.
