
FBI Says North Korean Hackers Responsible For $1.5 Billion Theft in Crypto from Bybit
The FBI has said that the attack on Bybit, a Dubai-based cryptocurrency exchange, was carried out by North Korea’s Lazarus Group, a notorious cybercrime syndicate known for financing the country’s nuclear weapons program. The breach, which occurred on February 21st and resulted in the loss of approximately $1.5 billion in virtual assets, has sent shockwaves throughout the industry.
How did the attack occur?
The hackers used malware to manipulate Bybit’s transaction signing process. During a routine transfer of Ethereum (ETH) from Bybit’s cold wallet to its hot wallet, the attackers exploited a vulnerability in the smart contract logic, allowing them to siphon off over 400,000 ETH and staked ETH (stETH) into an unidentified wallet. The FBI stated that the stolen funds are being converted to bitcoin and other digital assets spread across thousands of addresses.
The theft is just the latest in a long string of high-profile crypto heists attributed to Lazarus Group. Since 2017, North Korea-linked hackers have reportedly stolen over $6 billion in cryptocurrency. These funds are believed to support the country’s missile program. Chainalysis reports that in 2024 alone, North Korean hackers stole approximately $1.34 billion across 47 incidents.
How has Bybit responded?
Bybit’s response to the crisis has been widely praised. CEO Ben Zhou addressed the situation in a live stream on the day of the attack, reassuring customers that the exchange was solvent and all customer funds were secure. Bybit has since conducted a proof-of-reserves audit, confirming it had a 100% collateralization ratio, ensuring that withdrawals could continue despite the massive loss.
To fight back against Lazarus Group, Bybit has launched an aggressive initiative to recover the stolen funds. The exchange set up a public tracking website to monitor over 6,000 wallet addresses linked to the hackers and introduced a bounty program offering a 5% reward for information leading to the freezing of stolen assets. So far, the company has managed to freeze $42.3 million, around 3% of the total amount stolen.
In a further move to incentivize recovery efforts, Bybit announced a $140 million bounty, equivalent to 10% of the stolen funds. The reward will be split between those who help track and freeze the assets. Despite these efforts, tracking the stolen crypto remains difficult, as Lazarus Group is known for quickly laundering illicit funds through decentralized exchanges.
One of the biggest obstacles in recovering the stolen assets is the use of platforms like eXch, a controversial exchange reportedly involved in laundering significant portions of the stolen ETH. Unlike centralized platforms, which can freeze suspicious funds, decentralized alternatives provide hackers with a way to move money undetected.
The Bybit hack is a stark reminder of the vulnerabilities in the crypto industry. With state-sponsored cyberattacks on the rise, exchanges must implement stronger security measures to protect against increasingly sophisticated threats. The FBI has warned that the stolen assets will likely be laundered further and converted into fiat currency.
While Bybit’s response has set a new standard for transparency and crisis management, the attack highlights the urgent need for better cybersecurity measures and international cooperation to combat crypto-related crime. Whether Bybit and law enforcement agencies can recover a significant portion of the stolen funds remains to be seen.