
FBI Confirms North Korea Behind Bybit Hack, Urges Concerted Effort to Prevent Laundering

The Federal Bureau of Investigation (FBI) confirms the involvement of North Korea in the Bybit hack.

Over the past few years, North Korean state-sponsored actors have terrorized the crypto space, and their reign of terror shows no signs of slowing. In the latest instance, law enforcement has confirmed that these actors are behind the $1.5 billion Bybit hack, which has been described as the world's largest-ever crypto heist.

TraderTraitor

The Federal Bureau of Investigation has confirmed the involvement of North Korea in the Bybit hack.

"The Federal Bureau of Investigation (FBI) is releasing this PSA to advise the Democratic People's Republic of Korea (North Korea) was responsible for the theft of approximately $1.5 billion USD in virtual assets from cryptocurrency exchange, Bybit, on or about February 21, 2025," the agency wrote in a Wednesday, February 26 statement.

The FBI said it had given the codename TraderTraitor to the malicious cyber activity.

Highlighting that these actors were already moving fast to launder the funds stolen from the Bybit hack, the agency called on several industry participants, including exchanges, bridges, and DeFi services, to block transactions tied to the heist. The agency presented 51 wallets, which it said had held assets from the heist and were connected to North Korean hackers, potentially narrowing down a list of over 11,000 wallets provided by blockchain analytics firm Elliptic.

As of Thursday, February 27, hackers have already moved 206,000 ETH from the loot, representing over 40% of the total 499,000 ETH, according to prominent crypto analyst Yujin, popularly known as "EmberCN."

https://twitter.com/EmberCN/status/1894561919010574773

These funds have been converted to other assets like Bitcoin and DAI using platforms like THORChain.

On Tuesday, February 25, Yujin warned that hackers were on track to launder the entire loot in "half a month."

"War"

Beyond law enforcement efforts, Bybit itself has declared "war" against North Korean state-sponsored hackers with a bounty campaign to freeze funds tied to the hack. Specifically, it has launched a website tracking wallets tied to the hackers to allow community members to participate in the investigation.

https://twitter.com/benbybit/status/1894397098323579333

The exchange will reward submissions that lead to seizures with 5% of the seized or frozen funds.

A Safe Exploit

As previously explained by Bybit CEO Ben Zhou, hackers were able to take control of the exchange's Ethereum cold wallet by tricking signers into signing a malicious transaction disguised as a routine asset transfer to the exchange's hot wallet. Further investigations from independent auditors have confirmed that the vulnerability did not originate from Bybit but from Safe, a widely respected crypto wallet provider used by the exchange.

https://twitter.com/benbybit/status/1894768736084885929

According to the reports, the hackers somehow managed to infiltrate Safe's infrastructure and inject a malicious wallet-draining code designed to activate once it interacted with Bybit's contract address.

Safe has issued a statement confirming the exploit. It noted that it has introduced extra security measures to prevent future occurrences while maintaining that its smart contracts were unaffected.

Nonetheless, Bybit has already covered the hole sparked by the theft from a mix of "loans, whale deposits, and ETH purchases."