TLDR
- FBI confirms North Korea’s Lazarus Group responsible for $1.4 billion Bybit crypto heist, labeling the operation “TraderTraitor”
- Hackers compromised a Safe{Wallet} developer’s machine to inject malicious code during a routine transfer on February 21
- Stolen assets have been converted to Bitcoin and dispersed across thousands of addresses on multiple blockchains
- Bybit CEO Ben Zhou assured users the exchange remains solvent despite the hack
- FBI has released a list of 48 Ethereum addresses connected to North Korean actors and urges crypto firms to block transactions with them
The FBI has officially linked last week’s massive $1.4 billion cryptocurrency theft from exchange Bybit to North Korean hackers. In a public service announcement released Wednesday, federal authorities confirmed what many in the crypto community had suspected since the February 21 attack.
The bureau has labeled the operation “TraderTraitor” and identified the notorious Lazarus Group as the actors behind the heist. This North Korean state-sponsored hacking organization has been tied to numerous other industry hacks in recent years.

The attack occurred during a routine transfer operation when hackers gained control of Bybit’s Ethereum cold wallet. This incident now stands as the largest publicly disclosed cryptocurrency hack on record.
According to the FBI, the hackers are working quickly to cash in on their stolen assets. They have already converted some of the funds to Bitcoin and other cryptocurrencies.
These assets are now spread across “thousands of addresses on multiple blockchains,” making them harder to track. The FBI expects the stolen funds will undergo further laundering before being converted to traditional currency.
Security firm SlowMist shared technical details about the attack on Wednesday evening. They revealed that a Safe{Wallet} developer’s equipment was compromised.
This breach allowed the attackers to inject malicious code into the front end. The attack then “intercepted and modified transaction parameters” during a planned transfer.
Safe{Wallet}, whose infrastructure was exploited in the hack, released a statement acknowledging the breach. “The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeted the Bybit Safe was achieved through a compromised machine of a Safe{Wallet} developer,” the company stated.
By the weekend following the attack, approximately $140 million had already been laundered. This money moved through accounts linked to North Korean operatives, according to data from blockchain analytics firm Elliptic.
Bybit is OK
Despite the massive theft, Bybit CEO Ben Zhou has assured users that the exchange remains financially stable. “Bybit is solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss,” Zhou posted on X (formerly Twitter) the day of the attack.
Recovery efforts have shown some limited success so far. Elliptic later revealed that security experts have retrieved approximately $43 million of the stolen assets.
An additional $243,000 has been seized from accounts associated with the hackers. Bybit has offered a 10% reward to security experts who help retrieve the stolen funds.
The exchange has declared “war” on the Lazarus Group as it works to recover the stolen cryptocurrency. The FBI is cooperating with private sector entities to track and block the stolen funds.
Federal authorities have released a list of 48 Ethereum addresses identified as operated by or connected to North Korean TraderTraitor actors. They are urging exchanges, blockchain analytics firms, and other virtual asset service providers to block transactions with these addresses.
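One way a virtual asset service provider could act on that request, as an added example that is not from the FBI notice or any party named here: screen each Ethereum transaction against a blocklist. It goes beyond the sender and recipient fields to ERC-20 `transfer`/`transferFrom` calldata, since a token transfer names its recipient only there; the blocklist entries and the `normalize`, `parties` and `screen` helpers are constructed for illustration and are not the 48 published addresses.

```python
# Constructed placeholder entries; load the published list here in practice.
BLOCKLIST_RAW = [
    "0x" + "00" * 19 + "A1",
    "0x" + "00" * 19 + "b2",
]

# ERC-20 function selectors (first 4 bytes of calldata).
TRANSFER = bytes.fromhex("a9059cbb")       # transfer(address,uint256)
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address; EIP-55 mixed case is only a checksum."""
    a = addr.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return "0x" + a


BLOCKLIST = frozenset(normalize(a) for a in BLOCKLIST_RAW)


def word_to_address(word: bytes) -> str:
    """An ABI-encoded address is the low 20 bytes of a 32-byte word."""
    return "0x" + word[12:32].hex()


def parties(tx: dict) -> set:
    """Collect every address the transaction moves value from or to.

    Assumes JSON-RPC style fields: 'from', 'to', and 0x-prefixed 'input'.
    """
    found = {normalize(tx["from"])}
    if tx.get("to"):  # 'to' is empty for contract creation
        found.add(normalize(tx["to"]))
    data = bytes.fromhex(tx.get("input", "0x")[2:])
    selector, args = data[:4], data[4:]
    if selector == TRANSFER and len(args) >= 64:
        found.add(word_to_address(args[0:32]))
    elif selector == TRANSFER_FROM and len(args) >= 96:
        found.add(word_to_address(args[0:32]))
        found.add(word_to_address(args[32:64]))
    return found


def screen(tx: dict) -> list:
    """Return the sorted blocklisted addresses the transaction touches."""
    return sorted(parties(tx) & BLOCKLIST)
```

A non-empty result from `screen` means the transaction should be held for review; transfers routed through other contract calls need trace-level data that this check does not inspect.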
This attack fits a pattern of North Korean state-sponsored cybercrime targeting the cryptocurrency industry. Security experts believe these attacks help fund Kim Jong Un’s weapons programs through stolen digital assets.
The FBI’s confirmation comes after blockchain data platform Arkham Intelligence initially linked the hack to the Lazarus Group. The connection was made via on-chain data that linked activity to previous attacks tied to the group.