The U.S. Federal Bureau of Investigation (FBI) has formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company’s CEO Ben Zhou declared a “war against Lazarus”.
The agency said the Democratic People’s Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster it tracks as TraderTraitor, which is also tracked as Jade Sleet, Slow Pisces, and UNC4899.
“TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other digital assets dispersed across hundreds of addresses on various blockchains,” the FBI said. These assets are expected to be further laundered and eventually converted to fiat currency.
The TraderTraitor cluster was previously implicated by Japanese and U.S. authorities in the theft of $308 million from the cryptocurrency company DMM Bitcoin in May 2024.
The threat actor is known for targeting companies and users in the Web3 sector, frequently tricking victims into downloading malware-laced cryptocurrency apps in order to steal funds. It has also been observed running job-themed social engineering campaigns that lead to the delivery of malicious npm (Node.js) packages.
In the meantime, Bybit has launched a bounty program to help recover the stolen funds, while criticizing the exchange eXch for refusing to cooperate with the investigation and thereby preventing the assets from being frozen.
“The stolen funds have been transferred to untraceable or freezable destinations, such as exchanges, mixers, or bridges, or converted into stablecoins that can be frozen,” it said. “We need cooperation from all relevant parties to either freeze the funds or trace their movements,” the statement added.
The Dubai-based company also released the findings of two investigations, conducted by Sygnia and Verichains, both of which implicate the Lazarus Group.
“The forensics investigation of the three signers’ hosts suggests the root cause of the attack is malicious code originating from Safe{Wallet}’s infrastructure,” Sygnia said.
Verichains noted that “the benign JavaScript file of app.safe.global appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting Ethereum Multisig Cold Wallet of Bybit”, and that the “attack was designed to activate during the next Bybit transaction, which occurred on February 21, 2025, at 14:13:35 UTC”.
It’s suspected that the AWS S3 or CloudFront account/API key of Safe.Global was leaked or compromised, paving the way for a supply chain attack in which the JavaScript served to Safe{Wallet} users was swapped for a malicious version.
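The Verichains finding above describes a hosted JavaScript bundle being silently replaced at a known UTC time. The defender-side control that catches this is integrity pinning: keep a manifest of expected Subresource Integrity (SRI) hashes for every front-end asset, re-hash what the CDN actually serves, and alert on any mismatch, while also emitting the `integrity` attribute so browsers refuse a modified bundle. The script below is an added example written for this article, not code from Safe{Wallet}, Bybit, Verichains or any of the vendors named; the asset paths and file contents are constructed sample data, not real app.safe.global files.

```python
"""Integrity monitor for hosted front-end JavaScript (added example, constructed data)."""
from __future__ import annotations

import base64
import hashlib
from datetime import datetime, timezone

# Constructed sample assets standing in for a wallet UI's JS bundles.
# In practice these bytes come from the build pipeline, not from the CDN.
KNOWN_GOOD: dict[str, bytes] = {
    "/static/js/app.js": b"console.log('wallet ui');\n",
    "/static/js/vendor.js": b"window.vendor = {};\n",
}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI token for a blob, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_manifest(assets: dict[str, bytes]) -> dict[str, str]:
    """Pin every build artifact to its SRI hash; store this alongside the release."""
    return {path: sri_hash(body) for path, body in assets.items()}


def script_tag(src: str, content: bytes) -> str:
    """Emit a <script> tag whose integrity attribute makes the browser verify the bundle."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def check_assets(manifest: dict[str, str], served: dict[str, bytes],
                 now: datetime | None = None) -> list[dict[str, str]]:
    """Compare what the CDN serves against the pinned manifest.

    Returns one finding per problem: a pinned asset whose bytes changed, a pinned
    asset that disappeared, or an asset appearing that was never in the build.
    An empty list means the deployment matches the release exactly.
    """
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    findings: list[dict[str, str]] = []
    for path, expected in manifest.items():
        body = served.get(path)
        if body is None:
            findings.append({"path": path, "status": "missing", "at": stamp})
            continue
        actual = sri_hash(body)
        if actual != expected:
            findings.append({"path": path, "status": "modified",
                             "expected": expected, "actual": actual, "at": stamp})
    for path in sorted(served.keys() - manifest.keys()):
        findings.append({"path": path, "status": "unexpected", "at": stamp})
    return findings


if __name__ == "__main__":
    manifest = build_manifest(KNOWN_GOOD)
    # Simulate a CDN where one bundle was replaced after release (constructed).
    served = dict(KNOWN_GOOD)
    served["/static/js/app.js"] = b"console.log('wallet ui'); /* injected */\n"
    for finding in check_assets(manifest, served):
        print(finding)
    print(script_tag("/static/js/app.js", KNOWN_GOOD["/static/js/app.js"]))
```

Run the monitor on a schedule from a host outside the CDN account, so that a compromise of the S3/CloudFront credentials alone cannot also silence the alert. SRI in the served HTML only helps when the page carrying the `integrity` attribute is itself served from a location the attacker cannot modify; an attacker who can rewrite both the HTML and the bundle defeats it, which is why the out-of-band hash comparison against the release manifest is the control that actually fires here.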
In a separate statement, multisig wallet platform Safe{Wallet} said the attack was carried out by compromising a Safe{Wallet} developer machine, which affected an account operated by Bybit. The company also noted that it has put additional security measures in place to mitigate the threat.
The attack “was achieved through a compromised machine of a Safe{Wallet} developer resulting in the proposal of a disguised malicious transaction”, it said. “Lazarus is a state-sponsored North Korean hacker group that is well known for sophisticated social engineering attacks on developer credentials, sometimes combined with zero-day exploits.”
While it is still unclear how the company’s systems were breached, a new analysis from Silent Push has revealed that the Lazarus Group registered the domain bybit-assessment[.]com at 22:21:57 UTC on February 20, 2025, a few hours before the crypto theft took place.
WHOIS records show that the domain was registered using the email address “trevorgreer9312@gmail[.]com”, a persona previously identified as associated with the Lazarus Group in connection with a different campaign dubbed “Contagious Interview”.
The Bybit hack has been attributed to the DPRK threat actor group known as TraderTraitor, Jade Sleet, and Slow Pisces, according to the company, while the crypto interview scam is being run by a DPRK threat actor group known as Contagious Interview, also known as Famous Chollima.
“Victims are typically approached via LinkedIn, where they are socially engineered into participating in fake job interviews. These interviews serve as an entry point for targeted malware deployment, credential harvesting, and further compromise of financial and corporate assets,” the company said.
North Korea-linked actors are believed to have stolen more than $6 billion in crypto assets since 2017. The $1.5 billion taken last week alone exceeds the $1.34 billion these actors stole across 47 cryptocurrency heists in all of 2024.