FBI Links $1.4B Bybit Crypto Heist to North Korea’s Lazarus Group

FBI Confirms North Korea’s Role in $1.4 Billion Crypto Heist on Bybit

Lazarus Group Identified as Culprit in Largest Crypto Theft to Date

The Federal Bureau of Investigation (FBI) has officially linked the recent $1.4 billion crypto heist on the centralized exchange Bybit to North Korea’s state-backed Lazarus Group. The attack, executed on February 21, 2024, targeted Bybit’s Ethereum cold wallet and is now considered the largest publicly disclosed cryptocurrency hack in history.

The stolen Ethereum (ETH) and stETH assets have already been converted into Bitcoin and other cryptocurrencies and are currently dispersed across thousands of blockchain addresses. The FBI’s announcement, released on Wednesday, identified the attack as part of the “TraderTraitor” campaign, an ongoing cybercrime operation led by North Korean hackers to fund the regime’s nuclear weapons and missile programs.

How the Hack Unfolded: A Coordinated Attack on Bybit’s Infrastructure

Blockchain security firm SlowMist provided a detailed breakdown of the attack, revealing that hackers exploited a security vulnerability within Bybit’s system. The attack involved:

  • Compromising a developer’s machine connected to Safe{Wallet}, a multi-signature security tool used by Bybit.
  • Injecting malicious code into the front end, allowing attackers to modify transaction parameters unnoticed.
  • Gaining access to Bybit’s Ethereum cold wallet during a routine transfer operation.

The attack resulted in an immediate withdrawal of $1.4 billion worth of Ethereum, which was quickly moved across multiple blockchains to obfuscate its origins.
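
A front end that can alter transaction parameters unnoticed is countered by checking the payload a signer is actually asked to approve against the internally approved request, outside the web interface. The sketch below is an added example, not code from the article, SlowMist or Safe. The `TxFields` type, the function name, the calls-only allowlist policy and the placeholder addresses are assumptions; the `operation` values 0 and 1 are the Safe call and delegatecall codes.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # values of the Safe transaction "operation" field


@dataclass(frozen=True)
class TxFields:
    to: str         # destination address, hex
    value: int      # amount in wei
    data: str       # calldata, hex
    operation: int  # CALL or DELEGATECALL


def _norm(hex_str: str) -> str:
    """Compare hex case-insensitively (checksummed vs lowercase forms)."""
    return hex_str.strip().lower()


def presign_findings(intended: TxFields, payload: TxFields, allowlist: set[str]) -> list[str]:
    """Return reasons to refuse signing; an empty list means the payload matches."""
    findings = []
    if _norm(payload.to) != _norm(intended.to):
        findings.append("destination differs from approved request")
    if payload.value != intended.value:
        findings.append("value differs from approved request")
    if _norm(payload.data) != _norm(intended.data):
        findings.append("calldata differs from approved request")
    if payload.operation != intended.operation:
        findings.append("operation differs from approved request")
    # Example policy (assumption): routine transfers are plain calls only.
    if payload.operation == DELEGATECALL:
        findings.append("delegatecall not permitted for routine transfers")
    if _norm(payload.to) not in {_norm(a) for a in allowlist}:
        findings.append("destination not on allowlist")
    return findings


# Constructed sample data; addresses are placeholders, not real wallets.
WARM_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "22" * 20
APPROVED = TxFields(to=WARM_WALLET, value=10**18, data="0x", operation=CALL)
ALTERED = TxFields(to=UNKNOWN_CONTRACT, value=0, data="0xdeadbeef", operation=DELEGATECALL)

if __name__ == "__main__":
    for reason in presign_findings(APPROVED, ALTERED, {WARM_WALLET}):
        print("REFUSE:", reason)
```

The check only helps if `payload` is read from the signing device or another channel independent of the front end being verified.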

Lazarus Group’s Role: A Pattern of Crypto Crimes

Cybercrime intelligence platforms such as Arkham Intelligence and Elliptic confirmed the on-chain movements linking the stolen funds to Lazarus Group. The North Korean hacker collective, notorious for targeting cryptocurrency exchanges, DeFi protocols, and blockchain firms, has been responsible for several high-profile thefts in recent years, including:

  • Axie Infinity’s Ronin Bridge hack ($625 million stolen, 2022)
  • Harmony’s Horizon Bridge exploit ($100 million stolen, 2022)
  • Atomic Wallet breach ($100 million stolen, 2023)

Blockchain investigator ZachXBT was among the first to track suspicious transactions following the Bybit hack, raising alarms about the rapid laundering of funds through decentralized exchanges.

North Korea’s Crypto Laundering Strategy: Moving Millions Across Blockchains

According to Elliptic’s latest analysis, approximately $140 million of the stolen funds have already been laundered through crypto mixers and illicit trading accounts controlled by North Korean operatives. The laundering process typically involves:

  • Converting stolen ETH into Bitcoin using decentralized exchanges (DEXs) to avoid centralized scrutiny.
  • Breaking down large transactions into smaller, harder-to-track payments.
  • Using crypto mixers like Tornado Cash to obfuscate transaction trails.
  • Converting funds to fiat currencies via over-the-counter (OTC) brokers, often based in China or Russia.

The FBI has issued a warning to crypto exchanges, financial institutions, and blockchain analytics firms, urging them to block transactions involving 48 Ethereum addresses linked to the Lazarus Group.

Bybit’s Response: CEO Assures Solvency Despite Massive Loss

Despite the significant loss, Bybit’s CEO Ben Zhou reassured users that the exchange remains financially stable. In a statement posted on X (formerly Twitter), Zhou emphasized:

“Bybit is solvent even if this hack loss is not recovered. All client assets are 1:1 backed, and we can cover the loss.”

To counter the attack, Bybit has announced a 10% bounty reward for security experts who assist in recovering the stolen funds. The exchange has also strengthened its security protocols, including restricting external API access and enhancing multi-factor authentication.

Recovery Efforts and Global Law Enforcement Actions

While $43 million of the stolen assets have been recovered so far, authorities are working to trace and seize additional funds. The FBI, in collaboration with Interpol and blockchain forensic firms, is increasing efforts to disrupt North Korea’s cyber-financial networks.

The U.S. Treasury Department is also considering new sanctions against crypto entities facilitating Lazarus Group’s activities, following previous restrictions on Tornado Cash and Sinbad.io.

Conclusion: Strengthening Crypto Security Against State-Sponsored Cybercrime

The Bybit hack underscores the growing threat of state-sponsored cyberattacks targeting the crypto industry. As North Korea continues using crypto theft to fund its military ambitions, global regulators and exchanges must implement stricter security measures and enhance transaction monitoring to combat illicit activities.

The FBI urges crypto businesses, investors, and security experts to remain vigilant, report suspicious transactions, and collaborate on threat intelligence to prevent further exploits.

This latest attack serves as a wake-up call for the entire crypto ecosystem, highlighting the need for stronger cybersecurity frameworks and international cooperation to curb the rising tide of blockchain-related financial crimes.

Written by Jessica Smith
