FBI Links $1.5 Billion Bybit Cryptocurrency Heist to North Korea’s Lazarus Group
The Federal Bureau of Investigation (FBI) has formally attributed the recent $1.5 billion cryptocurrency heist from Dubai-based exchange Bybit to the notorious North Korean hacking group Lazarus. This cyberattack, which took place on February 21, 2025, is one of the largest cryptocurrency thefts in history, highlighting the growing threats posed by state-sponsored cybercriminal organizations.
According to the FBI’s statement, the Lazarus Group executed a sophisticated operation targeting Bybit’s cold wallet infrastructure, successfully transferring approximately 401,000 Ethereum (ETH) to digital wallets under their control. The stolen assets were valued at an estimated $1.5 billion at the time of the breach. The agency emphasized that the group, also known as TraderTraitor, has been implicated in multiple high-profile cryptocurrency-related cybercrimes over the past decade.
Bybit CEO Ben Zhou confirmed the attack and stated that the breach affected the company’s cold wallet, which was hosted by third-party service provider SafeWallet. Initial forensic analyses by cybersecurity firms Sygnia Labs and Verichains suggest that the attackers may have exploited vulnerabilities within SafeWallet’s infrastructure, allowing them to bypass security protocols and gain unauthorized access to Bybit’s digital assets.
In response to the heist, Bybit has announced a $140 million bounty for any information that could lead to the identification, tracking, and potential freezing of the stolen funds. The company is collaborating with international law enforcement agencies, blockchain analytics firms, and cybersecurity experts to trace the movements of the illicitly acquired cryptocurrency and prevent the hackers from laundering it through various decentralized platforms.
This incident adds to the long list of cybercrimes attributed to the Lazarus Group, a cybercrime syndicate believed to be directly linked to North Korea’s Reconnaissance General Bureau (RGB). The hacking collective has been responsible for multiple high-profile cryptocurrency thefts, including the infamous $620 million Ronin Network hack in 2022, which targeted the blockchain infrastructure supporting the popular online game Axie Infinity. The group was also behind the $100 million breach of Harmony’s Horizon Bridge later that same year.
The Lazarus Group has gained a reputation for its ability to adapt and develop advanced hacking techniques, often using sophisticated social engineering schemes, zero-day exploits, and malicious software to infiltrate targeted systems. Security researchers have noted that the group’s tactics frequently involve deploying phishing campaigns to trick employees of cryptocurrency firms into downloading malware that grants remote access to internal networks.
The FBI has warned cryptocurrency exchanges, decentralized finance (DeFi) platforms, and related entities to remain vigilant and avoid processing transactions associated with addresses linked to the Lazarus Group. The agency has provided a list of flagged digital wallets that have been used in the laundering process and has advised financial institutions to enhance their monitoring capabilities to detect suspicious activities tied to these addresses.
Blockchain forensic firms such as Chainalysis and Elliptic have been tracking the movement of the stolen Ethereum, with reports indicating that the hackers have already begun dispersing the assets through various mixing services to obscure their origins. Cryptocurrency mixers, also known as tumblers, allow users to blend their funds with others, making it more difficult for authorities to trace illicit transactions. This technique has been widely used by North Korean hackers to launder stolen funds before converting them into fiat currency.
The cyberattack on Bybit underscores the escalating security risks faced by the cryptocurrency industry, where hackers continue to exploit vulnerabilities in trading platforms, wallets, and decentralized applications. As the market grows and digital assets become more mainstream, security experts stress the need for stricter regulatory frameworks and robust cybersecurity protocols to protect investors and financial institutions from large-scale digital heists.
Law enforcement agencies worldwide have been intensifying their efforts to combat cyber threats linked to North Korea. The U.S. government, in particular, has imposed sanctions on individuals and entities associated with the Lazarus Group, aiming to disrupt their financial networks and prevent the illicit flow of funds that reportedly contribute to North Korea’s missile and nuclear programs.
Despite these efforts, the persistence of cybercriminal groups like Lazarus highlights the ongoing challenge of securing digital assets in an increasingly interconnected financial ecosystem. The FBI, alongside other international agencies, continues to investigate the Bybit heist, in the hope that coordinated efforts will lead to the recovery of the stolen funds and the disruption of the hackers’ operations.
The case serves as yet another stark reminder of the vulnerabilities inherent in the cryptocurrency industry. Companies and investors are being urged to implement stronger security measures, conduct regular security audits, and employ advanced threat detection systems to safeguard their assets from evolving cyber threats.