FBI Links North Korea to $1.4 Billion Bybit Crypto Heist

The FBI has officially attributed last week's $1.4 billion crypto theft from Bybit to North Korean hackers, labeling the operation "TraderTraitor" in a public service announcement released Wednesday.

These threat actors are working fast to cash in on their plundered crypto, the FBI said, acknowledging that they have since converted some of the stolen assets to Bitcoin and other crypto.

Those assets are now dispersed across “thousands of addresses on multiple blockchains,” the agency said.

From the outset of the theft, the crypto community had widely suspected Lazarus Group, but the FBI's confirmation ties the attack to Kim Jong Un's regime, which increasingly funds its weapons programs through cybercrime.

Hackers managed to gain control of Bybit's Ethereum cold wallet during a routine transfer operation on February 21, perpetrating what is now considered the largest publicly disclosed crypto hack on record.

Despite the fallout, Bybit CEO Ben Zhou assured users the exchange remains financially stable.

"Bybit is solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss," Zhou said in an X post on the same day.

More confirmations

Security firm SlowMist confirmed the attack's technical details late evening Wednesday, revealing a sophisticated compromise.

"Safe dev's equipment was compromised, resulting in malicious code being injected into the front end," SlowMist researchers said on X. "The attack intercepted and modified transaction parameters."

By the weekend following the attack, approximately $140 million had already been laundered through accounts linked to North Korean operatives, according to data from Elliptic.

Safe{Wallet}, whose infrastructure was exploited in the attack, released a statement acknowledging the breach was conducted by the notorious Lazarus Group.

"The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeted the Bybit Safe was achieved through a compromised machine of a Safe{Wallet} developer," the company stated.

Recovery efforts have shown limited success so far. Elliptic later revealed that a group of security experts have retrieved approximately $43 million of the stolen assets, with an additional $243,000 seized from associated accounts.

Bybit has offered a 10% reward to security experts who help retrieve the stolen funds after it declared 'war' on the Lazarus Group.

The FBI is urging private sector entities, including exchanges and blockchain analytics firms, to block transactions with 48 Ethereum addresses identified as operated by or connected to North Korean TraderTraitor actors.