The U.S. Federal Bureau of Investigation (FBI) has formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, even as the company's CEO Ben Zhou declared a "war against Lazarus".
The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster it tracks as TraderTraitor, which is also tracked as Jade Sleet, Slow Pisces, and UNC4899.
The FBI reported that "TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across hundreds of addresses on multiple blockchains." These assets are expected to be laundered further and eventually converted to fiat currency.
The TraderTraitor cluster was previously implicated by Japanese and U.S. authorities in the theft of $308 million from the cryptocurrency company DMM Bitcoin in May 2024.
The threat actor is known for targeting companies in the Web3 sector, frequently tricking victims into downloading malware-laced cryptocurrency apps to facilitate theft. It has also been observed using job-themed social engineering campaigns to deliver malicious npm (Node.js) packages.
Bybit has also launched a bounty program to help recover the stolen funds, while calling out eXch for refusing to cooperate with the investigation and help freeze the assets.
"The stolen funds have been transferred to untraceable or freezable destinations, such as exchanges, mixers, or bridges, or converted into cryptocurrencies that can be frozen," it said. "We require cooperation from all involved parties to either freeze the funds or provide updates on their movement so they can be tracked."
The Dubai-based company has also shared the findings of two investigations, conducted by Sygnia and Verichains, which implicate the Lazarus Group.
"The forensics investigation of the three signers' hosts suggests the root cause of the attack is malicious code originating from Safe{Wallet}'s infrastructure," Sygnia said.
Verichains noted that "the benign JavaScript file of app.safe.global appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting Ethereum Multisig Cold Wallet of Bybit," and that the "attack was designed to activate during the next Bybit transaction, which occurred on February 21, 2025, at 14:13:35 UTC."
It's suspected that the AWS S3 or CloudFront account/API key of Safe.Global was leaked or compromised, paving the way for a supply chain attack.
In a separate statement, multisig wallet platform Safe{Wallet} said the attack was carried out by compromising a Safe{Wallet} developer machine, which affected an account operated by Bybit. The company added that it has put additional security measures in place to mitigate the attack vector.
The attack "was achieved through a compromised machine of a Safe{Wallet} developer resulting in the proposal of a disguised malicious transaction," it said. Lazarus is a state-sponsored North Korean hacking group known for sophisticated social engineering attacks on developer credentials, sometimes combined with zero-day exploits.
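The Verichains and Sygnia findings above describe a front-end JavaScript bundle being silently replaced on the hosting infrastructure, with the change only becoming visible when the next transaction was built. One defensive control that catches exactly this class of tampering is an out-of-band integrity check: pin Subresource Integrity (SRI) hashes for every released asset and periodically compare what the CDN actually serves against that pinned manifest. The following is an added example written for this page, not code from Safe{Wallet}, Bybit, Sygnia or Verichains; the asset paths, file contents and manifest are constructed, and `fetch` of the live bundle is left to the caller so the script runs offline.

```python
import base64
import hashlib
from typing import Dict, List, Tuple


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity string ("sha384-<base64 digest>") for the given bytes.

    sha384 is the algorithm browsers most commonly use for <script integrity="...">.
    """
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_manifest(released: Dict[str, bytes]) -> Dict[str, str]:
    """Pin one SRI hash per asset path at release time (store this outside the CDN)."""
    return {path: sri_hash(content) for path, content in released.items()}


def verify_assets(manifest: Dict[str, str], served: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare currently served assets against the pinned manifest.

    Returns (path, status) pairs, status being one of:
      'ok'         - bytes match the pinned hash
      'MODIFIED'   - same path, different content (the replaced-bundle case)
      'MISSING'    - a pinned asset is no longer served
      'UNEXPECTED' - a path is served that was never part of the release
    """
    findings: List[Tuple[str, str]] = []
    for path, expected in manifest.items():
        if path not in served:
            findings.append((path, "MISSING"))
        elif sri_hash(served[path]) != expected:
            findings.append((path, "MODIFIED"))
        else:
            findings.append((path, "ok"))
    for path in served:
        if path not in manifest:
            findings.append((path, "UNEXPECTED"))
    return sorted(findings)


def sri_script_tag(src: str, data: bytes) -> str:
    """Render the <script> tag that makes the browser itself refuse a tampered bundle."""
    return f'<script src="{src}" integrity="{sri_hash(data)}" crossorigin="anonymous"></script>'


# Constructed sample data: the bundle as released, then the same paths after a
# hypothetical tampering of app.js plus an injected extra file.
RELEASED = {
    "/static/app.js": b"export function buildTx(to, value) { return { to, value }; }\n",
    "/static/vendor.js": b"/* vendor bundle v1 */\n",
}
SERVED_AFTER_TAMPERING = {
    "/static/app.js": b"/* replaced bundle */ export function buildTx(to, value) { return { to, value }; }\n",
    "/static/vendor.js": b"/* vendor bundle v1 */\n",
    "/static/extra.js": b"// file not present in the release\n",
}


if __name__ == "__main__":
    manifest = build_manifest(RELEASED)
    # In production, `served` would be populated by fetching each path from the CDN.
    for path, status in verify_assets(manifest, SERVED_AFTER_TAMPERING):
        print(f"{status:10} {path}")
    print(sri_script_tag("/static/app.js", RELEASED["/static/app.js"]))
```

Running the monitor from a host that is not the CDN account matters: if the comparison lives in the same S3 bucket or deployment pipeline whose credentials were compromised, the attacker can update the manifest along with the bundle. Emitting the `integrity` attribute on the `<script>` tag adds a second, client-side layer, since the browser will refuse to execute a bundle whose hash no longer matches the one in the HTML.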
It's not officially clear how the company's system was breached, although a new analysis from Silent Push has revealed that the Lazarus Group registered the domain bybit-assessment[.]org at 22:21:57 on February 20, 2025, a few hours before the cryptocurrency theft took place.
WHOIS records show that the domain was registered using the email address "trevorgreer9312@gmail[.]com," a persona the Lazarus Group has previously been identified as using in connection with a different campaign dubbed "Contagious Interview."
The Bybit hack has been attributed by the company to the DPRK threat actor group known as TraderTraitor, Jade Sleet, and Slow Pisces, while the crypto interview scam is being run by a separate DPRK threat actor group also tracked as Famous Chollima.
"Victims are typically contacted via LinkedIn, where they are socially engineered into participating in fake job interviews. These interviews serve as an entry point for targeted malware deployment, credential harvesting, and further compromise of financial and corporate assets."
North Korea-linked actors are estimated to have stolen more than $6 billion in crypto assets since 2017. The $1.5 billion stolen last week alone exceeds the $1.34 billion the actors took across 47 cryptocurrency heists in all of 2024.