Friday, February 28, 2025
FBI Confirms North Korea’s Lazarus Group Behind Record $1.5 Billion Bybit Hack


In what security experts are calling the largest breach in blockchain transaction history, the FBI has confirmed that North Korea’s state-backed Lazarus Group orchestrated the massive $1.5 billion theft from cryptocurrency exchange Bybit earlier this month.

The hackers, also known as TraderTraitor, have already begun laundering the stolen assets, converting portions to Bitcoin and dispersing funds across thousands of addresses on multiple blockchains, according to an FBI public service announcement released Wednesday.

“TraderTraitor actors are proceeding rapidly,” the FBI stated. “It is expected these assets will be further laundered and eventually converted to fiat currency.”

The February 21 attack primarily targeted Ethereum holdings, including liquid-staked ETH tokens, with approximately 499,000 ETH stolen. Blockchain analytics firm SpotOnChain reports that hackers have already laundered about 100,000 ETH (approximately $250 million) in under four days, representing roughly 20% of the stolen funds.

Sophisticated Attack Methodology

According to Manuel Villegas, an analyst at Julius Baer, the breach involved a highly sophisticated approach targeting cold wallets. “The attackers created a fake interface that deceives users, since it is a near identical copy of the trusted platform,” Villegas explained.

Bybit has confirmed that a routine transfer of Ethereum from an offline “cold” wallet was manipulated by attackers who redirected the cryptocurrency to unidentified addresses. Safe, the multisig wallet provider involved, stated that “a developer machine was compromised, allowing hackers to trick owners of a multisig cold wallet into signing a malicious transaction.”

Industry Mobilizes Against Hackers

Bybit CEO Ben Zhou has rallied the crypto community to join what he calls a “war against Lazarus,” launching a bounty site offering $140 million in rewards for tracking the stolen crypto and getting it frozen by other exchanges.

“We will not stop until Lazarus or bad actors in the industry is eliminated,” Zhou declared on social media platform X.

The FBI has released a list of 51 Ethereum addresses tied to the attack and urged exchanges, node operators, and other industry participants to block transactions linked to these addresses. Blockchain analytics firm Elliptic has already flagged over 11,000 wallet addresses suspected of being connected to the incident.

North Korea’s Growing Cyber Threat

This attack highlights North Korea’s expanding use of cybercrime to finance state operations amid international sanctions. According to South Korea’s intelligence agency, North Korea has stolen an estimated $1.2 billion in cryptocurrency and other virtual assets in the past five years.

A UN expert panel is currently investigating 58 suspected North Korean cyberattacks between 2017 and 2023 that netted approximately $3 billion, reportedly helping to fund the country’s weapons development programs.

The 2024 heist far surpasses previous attacks, with North Korean hackers already stealing more than $1.3 billion in digital assets this year, compared to $660 million in 2023.

Market Impact

The theft has contributed to recent downward pressure on cryptocurrency prices, with Bitcoin trading around $82,000 on Thursday, down from highs of over $100,000 a month ago.

Despite the attack, the United Arab Emirates, where Bybit holds regulatory approvals, has continued to support the exchange’s operations in the country. Dubai has emerged as a hub for cryptocurrency businesses and investors, with the UAE receiving over $30 billion in crypto transactions between July 2023 and June 2024, according to blockchain analysis firm Chainalysis.

Robin Hanten

Finance and Business Analyst

A cryptocurrency and trading writer and editor, I specialize in algorithmic trading. I’ve written about every type of automated trading tool – from cryptocurrency robots, and binary option robots, down to robo advisors. My goal is to write honest reviews about automated trading tools to help users understand which software is trustworthy and which
