The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company’s CEO Ben Zhou declared a “war against Lazarus.”
The agency said the Democratic People’s Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster it tracks as TraderTraitor, which is also tracked as Jade Sleet, Slow Pisces, and UNC4899.
“TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains,” the FBI said. “It is expected these assets will be further laundered and eventually converted to fiat currency.”
It’s worth noting that the TraderTraitor cluster was previously implicated by Japanese and U.S. authorities in the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024.
The threat actor is known for targeting companies in the Web3 sector, often tricking victims into downloading malware-laced cryptocurrency apps to facilitate theft. Alternately, it has also been found to orchestrate job-themed social engineering campaigns that lead to the deployment of malicious npm packages.
ByBit, in the meanwhile, has launched a bounty program to help recover the stolen funds, while calling out eXch for refusing to cooperate in the probe and help freeze the assets.
“The stolen funds have been transferred to untraceable or freezeable destinations, such as exchanges, mixers, or bridges, or converted into stablecoins that can be frozen,” it said. “We require cooperation from all involved parties to either freeze the funds or provide updates on their movement so we can continue tracing.”
The Dubai-based company has also shared the conclusions of two investigations conducted by Sygnia and Verichains, linking the hack to the Lazarus Group.
“The forensics investigation of the three signers’ hosts suggests the root cause of the attack is malicious code originating from Safe{Wallet}’s infrastructure,” Sygnia said.
Verichains noted that “the benign JavaScript file of app.safe.global appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting Ethereum Multisig Cold Wallet of Bybit,” and that the “attack was designed to activate during the next Bybit transaction, which occurred on February 21, 2025, at 14:13:35 UTC.”
It’s suspected that the AWS S3 or CloudFront account/API Key of Safe.Global was likely leaked or compromised, thereby paving the way for a supply chain attack.
In a separate statement, multisig wallet platform Safe{Wallet} said the attack was carried out by compromising a Safe {Wallet} developer machine which affected an account operated by Bybit. The company further noted that it implemented added security measures to mitigate the attack vector.
The attack “was achieved through a compromised machine of a Safe{Wallet} developer resulting in the proposal of a disguised malicious transaction,” it said. “Lazarus is a state-sponsored North Korean hacker group that is well known for sophisticated social engineering attacks on developer credentials, sometimes combined with zero-day exploits.”
It’s currently not clear how the developer’s system was breached, although a new analysis from Silent Push has uncovered that the Lazarus Group registered the domain bybit-assessment[.]com at 22:21:57 on February 20, 2025, a few hours before the cryptocurrency theft took place.
WHOIS records show that the domain was registered using the email address “trevorgreer9312@gmail[.]com,” which has been previously identified as a persona used by the Lazarus Group in connection with another campaign dubbed Contagious Interview.
“It appears the ByBit heist was conducted by the DPRK threat actor group known as TraderTraitor, also known as Jade Sleet and Slow Pisces – whereas the crypto interview scam is being led by a DPRK threat actor group known as Contagious Interview, also known as Famous Chollima,” the company said.
“Victims are typically approached via LinkedIn, where they are socially engineered into participating in fake job interviews. These interviews serve as an entry point for targeted malware deployment, credential harvesting, and further compromise of financial and corporate assets.”
North Korea-linked actors are estimated to have stolen over $6 billion in crypto assets since 2017. The $1.5 billion stolen last week surpasses the $1.34 billion the threat actors stole from 47 cryptocurrency heists in all of 2024.
