The FBI attributes the $1.4B Bybit crypto heist to North Korea’s Lazarus group
The FBI has officially attributed the massive $1.5 billion Ethereum theft from cryptocurrency exchange Bybit to North Korea's notorious Lazarus Group, urging the public to assist in tracking down the stolen funds.

In a public alert issued Wednesday, the FBI identified the state-sponsored cybercrime organization, which the agency calls TraderTraitor, as the perpetrator of the sophisticated heist. The alert included wallet addresses linked to the thieves that hold or have held Ethereum stolen from the Dubai-based exchange.
The FBI hopes that the release of this information will enable others to identify and block further transactions involving the pilfered cryptocurrency. "TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains," the FBI stated. "It is expected these assets will be further laundered and eventually converted to fiat currency."
Bybit’s efforts to recover the funds
Bybit is also actively working to recover the stolen funds, having launched a bounty program last week to incentivize assistance. While over $40 million in stolen tokens have been identified and frozen, a significant portion of the funds remains in the hands of the North Korean government.
Bybit's "lazarusbounty.com" program has already distributed over $4 million in rewards to individuals who have aided in the recovery efforts. "We will not stop until Lazarus or bad actors in the industry are eliminated," Bybit CEO Zhou Ben stated, adding that the program will be expanded to assist other victims of Lazarus Group attacks.
The bounty program offers a 5% reward for information leading to the recovery of stolen cryptocurrency, with an additional 5% going to the exchange or mixer facilitating the retrieval. With approximately $140 million in rewards available, Bybit is aggressively pursuing the return of its assets.
Beyond this, Bybit is establishing a broader HackBounty platform, inviting the entire crypto industry to collaborate on hunting down cybercriminals. “I am energized by the incredible camaraderie on-chain and in real life. This can be a transformative moment for our industry if we get it right,” Zhou said. “Together, we can build a stronger defense system against cyber threats.”
How the Bybit heist happened
The theft occurred on February 21, when funds intended for transfer from an offline Ethereum cold wallet to an online hot wallet were diverted.
Bybit's investigations revealed that "the transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH cold wallet. As a result, over 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address."
Lazarus group’s track record
Lazarus Group is a state-sponsored hacking collective linked to the North Korean regime. It is infamous for its highly sophisticated cyberattacks, often involving social engineering tactics and zero-day exploits. The group has targeted financial institutions, cryptocurrency exchanges, and developers in its relentless effort to fund North Korea’s sanctioned government.
This latest attack adds to a growing list of Lazarus-linked heists, reinforcing concerns about the vulnerability of digital assets and the need for tighter security measures across the crypto industry.