The FBI has officially linked the $1.5 billion Bybit hack to North Korean threat actors, specifically attributing the attack to a cluster known as TraderTraitor (also called Jade Sleet, Slow Pisces, and UNC4899). The breach, described as one of the largest cryptocurrency heists in history, has sparked an industry-wide crackdown on supply chain vulnerabilities and laundering tactics used by the Lazarus Group.
Bybit’s CEO, Ben Zhou, has declared a “war against Lazarus,” as the stolen crypto assets are rapidly being converted to Bitcoin and dispersed across multiple blockchains, a common laundering method used by North Korean cybercriminals.
How the Attack Happened: Safe{Wallet} Exploitation
Forensic investigations conducted by Sygnia and Verichains identified Safe{Wallet}’s infrastructure as the attack’s entry point.
Key Findings:
- A benign JavaScript file on app.safe.global was replaced with malicious code on February 19, 2025, at 15:29:25 UTC.
- The code specifically targeted Bybit’s Ethereum multisig cold wallet and activated during a transaction on February 21, 2025, at 14:13:35 UTC.
- Leaked AWS S3 or CloudFront credentials belonging to Safe.Global are suspected as the means of the supply chain compromise.
- Safe{Wallet} confirmed that the breach resulted from a compromised developer machine, which led to a fraudulent transaction proposal being presented for signing.
Lazarus Group, a state-sponsored North Korean cyber unit, has a well-documented history of social engineering attacks against developers, at times combined with zero-day exploits to breach critical systems.
Lazarus Group’s Money Laundering Tactics
The FBI warns that Lazarus is rapidly moving the stolen funds through:
- Thousands of crypto addresses across multiple blockchains
- Crypto mixing services to obfuscate transaction trails
- Bridges and stablecoins, making funds harder to freeze
These methods were previously used in the $308M DMM Bitcoin heist (May 2024), reinforcing Lazarus’ dominance in crypto-financial cybercrime.
Bybit’s Response & Bounty Program
Bybit has launched a bounty program to recover the stolen funds and is urging crypto exchanges, mixers, and blockchain networks to cooperate in tracking and freezing assets.
- Bybit accuses eXch of non-cooperation, hindering the freezing of assets.
- Part of the stolen funds has already moved to destinations beyond the reach of a freeze, including decentralized exchanges and private wallets, even though the on-chain trail remains visible.
- Bybit is asking for real-time updates on fund movements so that tracing efforts can continue.
Lazarus’ Fake Job Scams & Social Engineering Methods
A deeper analysis by Silent Push revealed:
- The Lazarus Group registered the domain bybit-assessment[.]com on February 20, 2025, just hours before the hack.
- This domain was used in a job scam, a well-known tactic in which North Korean hackers trick victims into downloading malware-infected applications.
- The email in the domain’s WHOIS records (trevorgreer9312@gmail[.]com) has been linked to previous Lazarus operations, including the Contagious Interview campaign.
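The two indicators quoted above (the registered domain and the WHOIS registrant email) are the kind of thing a defender loads into a detection rule the same day. The following is an added example, not code from the article or from Silent Push: it refangs the defanged indicators, matches them against DNS query logs (exact domain and any subdomain) and WHOIS records, and additionally flags newly seen domains that carry the brand token outside an allowlist. The log lines, WHOIS records, the brand allowlist and the `.example` lookalike domain are constructed for the demonstration.

```python
"""Added example (not from the article or Silent Push): match the domain and
registrant-email indicators quoted above against constructed log data.
All log lines and WHOIS records below are made up for the demonstration."""
import re


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('bybit-assessment[.]com') back into a real one."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")


# Indicators exactly as quoted in the article, refanged for matching.
BLOCKED_DOMAINS = {refang("bybit-assessment[.]com")}
WATCHED_REGISTRANT_EMAILS = {refang("trevorgreer9312@gmail[.]com")}

# Assumption: your own allowlist of legitimate brand domains. Any other domain
# whose registrable label carries the brand token is flagged for review.
BRAND = "bybit"
ALLOWED_BRAND_DOMAINS = {"bybit.com"}


def domain_matches(qname: str, domains: set[str]) -> bool:
    """True for an exact match or any subdomain of a listed domain."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def is_brand_lookalike(qname: str) -> bool:
    """Brand token in the registrable label of a non-allowlisted domain."""
    q = qname.lower().rstrip(".")
    if domain_matches(q, ALLOWED_BRAND_DOMAINS):
        return False
    labels = q.split(".")
    return len(labels) >= 2 and BRAND in labels[-2]


# Constructed log format: "<timestamp> <client ip> <qtype> <qname>"
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, client, qname, reason) for every line worth an alert."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"]
        if domain_matches(qname, BLOCKED_DOMAINS):
            hits.append((m["ts"], m["client"], qname, "ioc-match"))
        elif is_brand_lookalike(qname):
            hits.append((m["ts"], m["client"], qname, "brand-lookalike"))
    return hits


def flag_whois(records):
    """Return the domains whose registrant email is a known indicator."""
    return [r["domain"] for r in records
            if r.get("registrant_email", "").lower() in WATCHED_REGISTRANT_EMAILS]


SAMPLE_DNS_LOG = [  # constructed sample, not real telemetry
    "2025-02-20T18:02:11Z 10.1.4.22 A bybit-assessment.com",
    "2025-02-20T18:02:12Z 10.1.4.22 A www.bybit-assessment.com.",
    "2025-02-20T18:05:40Z 10.1.4.31 A api.bybit.com",
    "2025-02-20T18:07:03Z 10.1.4.31 AAAA github.com",
    "2025-02-20T18:09:55Z 10.1.4.40 A bybit-hiring.example",
]
SAMPLE_WHOIS = [  # constructed; only the first email is the quoted indicator
    {"domain": "bybit-assessment.com", "registrant_email": "trevorgreer9312@gmail.com"},
    {"domain": "example.org", "registrant_email": "hostmaster@example.org"},
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(*hit)
    print(flag_whois(SAMPLE_WHOIS))
```

The subdomain rule matters: blocking only the apex would miss `www.` or `download.` hosts under the same registration. The lookalike heuristic is deliberately loose and meant for review queues, not automatic blocking.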
How These Scams Work:
- Victims are targeted on LinkedIn under the guise of high-paying job offers.
- They are tricked into downloading “assessment software” embedded with malicious code.
- This code steals credentials, deploys malware, and facilitates financial compromise.
The FBI estimates that North Korean hackers have stolen over $6 billion in cryptocurrency since 2017. The Bybit hack alone surpasses the $1.34 billion stolen across 47 crypto heists in all of 2024.
Key Takeaways & Security Recommendations
Crypto exchanges and Web3 companies must strengthen security against:
- Supply chain attacks: monitor and verify third-party integrations, including the integrity of the hosted web front ends used to build and sign transactions.
- Social engineering threats: educate developers on phishing, fake recruiter approaches and credential theft tactics.
- Credential and API key leaks: scope and rotate cloud credentials, enforce multi-factor authentication (MFA), and keep signing keys in hardware security modules (HSMs).
- Lazarus-linked domains: use threat intelligence feeds to block suspicious domains in real time.
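The first recommendation is the one this incident turns on: a single hosted JavaScript file was swapped and nobody noticed for two days. As an added example (not code from Safe{Wallet}, Bybit or the article), the block below pins a Subresource Integrity (SRI) hash for each front-end asset at deploy review time and re-checks what is actually being served, reporting any file that changed, disappeared, or appeared without a pin. The asset URL, the benign bundle and the tampered copy are constructed stand-ins; nothing is fetched from the network.

```python
"""Added example, not Safe{Wallet}'s or Bybit's code: pin and re-check the
hash of every third-party front-end asset so that a silently swapped
JavaScript file (the pattern described above) shows up as drift.
The URL and asset bytes below are constructed stand-ins."""
import base64
import hashlib
import hmac

SRI_ALGS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Subresource Integrity value for content, e.g. 'sha384-<base64 digest>'."""
    if alg not in SRI_ALGS:
        raise ValueError(f"SRI allows only {SRI_ALGS}, got {alg!r}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_asset(content: bytes, pinned: str) -> bool:
    """True only if content hashes to the pinned SRI value (constant-time compare)."""
    alg, sep, _ = pinned.partition("-")
    if not sep or alg not in SRI_ALGS:
        return False
    return hmac.compare_digest(sri_hash(content, alg), pinned)


def script_tag(url: str, pinned: str) -> str:
    """<script> tag the browser refuses to execute if the fetched bytes drift."""
    return f'<script src="{url}" integrity="{pinned}" crossorigin="anonymous"></script>'


def check_drift(baseline: dict[str, str], served: dict[str, bytes]) -> dict[str, str]:
    """Compare what is served now against the pinned baseline, per URL.
    Returns {url: 'ok' | 'CHANGED' | 'MISSING' | 'UNPINNED'}."""
    report = {}
    for url, pinned in baseline.items():
        if url not in served:
            report[url] = "MISSING"
        elif verify_asset(served[url], pinned):
            report[url] = "ok"
        else:
            report[url] = "CHANGED"
    for url in served.keys() - baseline.keys():
        report[url] = "UNPINNED"  # a new file nobody reviewed or pinned
    return report


# Constructed stand-ins: a benign bundle and a tampered copy of the same file.
# The hypothetical URL is only a label; nothing is fetched.
ASSET_URL = "https://app.example/_next/static/chunks/wallet.js"
BENIGN_JS = b"export function buildTx(to, value) { return { to, value }; }\n"
TAMPERED_JS = BENIGN_JS + b"// stand-in for an injected change, not a real payload\n"

BASELINE = {ASSET_URL: sri_hash(BENIGN_JS)}  # pinned at deploy review time


def demo() -> dict[str, str]:
    """Simulate one monitoring run: the served copy no longer matches the pin."""
    return check_drift(BASELINE, {ASSET_URL: TAMPERED_JS})


if __name__ == "__main__":
    print(script_tag(ASSET_URL, BASELINE[ASSET_URL]))
    print(demo())
```

Two caveats a practitioner should keep in mind. An `integrity` attribute only helps when the attacker cannot also rewrite the HTML that carries it; with write access to the same S3 bucket or CloudFront distribution (the suspected path in this case) the pins must be held and checked from infrastructure the attacker does not control, for instance a scheduled job that fetches the live assets and runs `check_drift` against a baseline stored elsewhere. And no front-end integrity check replaces verifying the transaction on the signing device's own display, since the web UI is exactly what a compromised bundle controls.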