27-2-2025 – The FBI has officially attributed the staggering $1.5 billion Bybit cryptocurrency theft to North Korean state-sponsored hackers. The federal agency has designated this cyber operation under the codename “TraderTraitor,” marking it as the largest publicly disclosed cryptocurrency breach in history.
The notorious Lazarus Group, North Korea’s elite hacking unit, has been implicated in orchestrating the massive digital heist that occurred on 21 February. Security experts have long associated this group with high-profile cyber attacks targeting financial institutions worldwide.
Federal authorities report that the stolen assets are already being laundered through complex chains of transactions. The TraderTraitor operatives have begun converting the pilfered funds into Bitcoin and various other digital currencies, distributing them across thousands of addresses on multiple blockchain networks. Investigators anticipate further obfuscation techniques before these assets are ultimately converted into traditional currencies.
Despite the security breach, Bybit has managed to maintain operational stability. The exchange has kept withdrawal services functional and secured external liquidity through strategic loans. By 25 February, the company had already begun repaying these borrowed funds, initiating the process with a transfer of 40,000 ETH to Bitget.
An interim investigation released by Bybit revealed that compromised Safe(Wallet) credentials enabled the unauthorised access. During a routine fund rotation operation, malicious JavaScript was injected into Safe’s AWS S3 bucket, compromising the multisignature transaction process. Whilst Bybit’s core infrastructure remained intact, the breach originated from a compromised developer machine that affected a critical transfer.
The FBI has disclosed a list of 48 Ethereum addresses identified as being controlled by or linked to North Korean TraderTraitor actors. Meanwhile, Elliptic’s intelligence API has expanded this list significantly, identifying over 11,084 cryptocurrency wallet addresses connected to the breach—a figure expected to grow as investigations continue.
🚨 Free Real-time Bybit Exploit Data 🚨
Elliptic has launched a free data feed of illicit addresses linked to the Bybit exploit.
🔍 Why it matters:
✅ Minimize exposure to sanctions
✅ Stop laundering of stolen funds
✅ Strengthen crypto security
Access via CSV or API ⬇️…
— Elliptic (@elliptic) February 25, 2025
In response to the crisis, Bybit has engaged Web3 security firm ZeroShadow to conduct blockchain forensics and trace the stolen assets. The security team’s primary objectives are tracking the funds, preventing further movement, and maximising recovery efforts.
The federal authorities are now urging private sector entities—including exchanges, bridges, blockchain analytics firms, and other virtual asset service providers—to block transactions with addresses connected to the TraderTraitor operation, as part of a coordinated effort to contain the damage from this unprecedented digital heist.
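A screening check of the kind the FBI is asking service providers to run, added here as an illustration (it is not Bybit's, Elliptic's or the FBI's code). It assumes a CSV feed with an `address` column, uses constructed placeholder addresses rather than any listed indicator, and also inspects ERC-20 `transfer` calldata, since a token transfer's on-chain `to` field is the token contract, not the recipient being paid.

```python
"""Screen outbound Ethereum transactions against a feed of flagged addresses."""
import csv
import io
import re

# Constructed sample feed with placeholder addresses (NOT the FBI/Elliptic list).
SAMPLE_FEED_CSV = """address,source
0xAbCdEf0000000000000000000000000000000001,constructed-placeholder
0x0000000000000000000000000000000000000002,constructed-placeholder
"""

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
# First 4 bytes of keccak256("transfer(address,uint256)"), the ERC-20 transfer selector.
TRANSFER_SELECTOR = "a9059cbb"


def normalize(addr):
    """Validate the address shape and lower-case it, so EIP-55 checksummed
    and lower-case spellings of the same address compare equal."""
    addr = addr.strip()
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"not a valid Ethereum address: {addr!r}")
    return addr.lower()


def load_denylist(csv_text):
    """Build a set of normalized flagged addresses from CSV text."""
    return {normalize(row["address"]) for row in csv.DictReader(io.StringIO(csv_text))}


def recipients(tx):
    """Return every address a transaction could deliver value to: the `to`
    field, plus the recipient encoded in ERC-20 transfer(address,uint256)
    calldata (the address is the last 20 bytes of the first 32-byte word)."""
    found = {normalize(tx["to"])}  # assumes a plain transfer/call, not contract creation
    data = tx.get("data", "0x")[2:].lower()
    if data[:8] == TRANSFER_SELECTOR and len(data) >= 8 + 64:
        found.add("0x" + data[8 + 24:8 + 64])
    return found


def screen(tx, denylist):
    """Return the sorted list of flagged addresses this transaction would pay."""
    return sorted(recipients(tx) & denylist)
```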