The Federal Bureau of Investigation (FBI) has confirmed North Korea as the culprit behind the recent $1.5 billion exploit on Bybit.
In a Feb. 26 Public Service Announcement (PSA), the agency attributed the attack to TraderTraitor, a malicious cyber campaign linked to North Korean threat actors.
TraderTraitor refers to a series of malware-infested applications disguised as crypto trading and price prediction tools.
These applications, built using cross-platform JavaScript and the Electron framework, originate from various open-source projects. Cybercriminals behind the campaign use well-designed websites to lure victims, showcasing fake features to build credibility.
Fund laundering
The FBI reported that the stolen funds are already being laundered, with attackers converting portions of the assets into Bitcoin and dispersing them across multiple blockchain networks.
The agency expects the funds to eventually be exchanged for fiat currency through illicit channels.
To counter this, the FBI released a list of flagged blockchain addresses linked to the hackers. It urged virtual asset service providers—including exchanges, DeFi platforms, and blockchain analytics firms—to block transactions associated with these addresses to prevent further money laundering.
This confirms prior reports from blockchain analysis firm SpotOnChain, which revealed that the hackers laundered 100,000 ETH, valued at approximately $250 million, in under four days.
SpotOnChain noted that the laundered funds represent 20% of the stolen 499,000 ETH. According to the firm, the cybercriminals have been splitting the assets across multiple addresses and using THORChain for cross-chain swaps into Bitcoin, DAI, and other cryptocurrencies.
North Korea’s expanding cyber threat
This attack illustrates North Korea’s growing success in using cybercrime to finance state operations. The Lazarus Group, a notorious government-backed hacking unit, has been behind several major digital asset heists.
The FBI noted that Lazarus Group is responsible for several previous attacks on crypto platforms. The group attacked Horizon Bridge in June 2022, attacked Ronin Bridge in March 2022, and has carried out other attacks as well.
Reports indicate that North Korean hackers stole more than $1.3 billion in digital assets in 2024, far surpassing the $660 million taken in 2023.
Analysts believe these stolen funds support the country’s nuclear weapons program, allowing it to bypass international sanctions.
Both Bybit and Safe have further confirmed to CryptoSlate that the North Korean hacking group Lazarus Group was responsible for the attack. A developer machine was compromised, allowing the hackers to trick owners of a multisig cold wallet into signing a malicious transaction. Safe stated,
“The Safe{Wallet} team has fully rebuilt, reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated.”
ByBit also confirmed that the majority of its assets held with Safe have been withdrawn from vaults to protect against any further vulnerability.
Read the full article here