FBI: Lazarus Group behind $1.5 billion Bybit heist

North Korea's Lazarus Group drained $1.5 billion from cryptocurrency exchange Bybit in a supply chain attack earlier this month.

The FBI issued a public service announcement (PSA) on Wednesday that confirmed North Korea was behind the biggest cryptocurrency heist to date, in which cybercriminals stole $1.5 billion in ethereum from Dubai-based Bybit on Feb. 21. The federal agency attributed the attack to a North Korean state-sponsored threat group it tracks as TraderTraitor, more commonly known as Lazarus Group.

The PSA revealed that Lazarus threat actors converted some of the stolen assets to bitcoin and obfuscated other virtual assets by spreading them across thousands of addresses on multiple blockchains. In a Bybit incident technical analysis, blockchain analytics vendor Certik described the heist as the "largest breach in Web3 history."

In a post to X, formerly Twitter, on Wednesday, Bybit CEO Ben Zhou said Lazarus stole the ethereum by compromising the company's cold wallet hosted by SafeWallet. Zhou shared preliminary investigation results conducted by Sygnia Labs and Verichains that attributed the root cause of the attack to "malicious code originating from [SafeWallet's] infrastructure."

SafeWallet shared a statement on the incident in a post to X on Wednesday as well.

"The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeted to the Bybit Safe was achieved through a compromised machine of a [SafeWallet] developer resulting in the proposal of a disguised malicious transaction," the statement read.

SafeWallet added that it bolstered security protocols following the incident. For example, there is now a pop-up message on its site that urges users to "ALWAYS verify transactions that you are approving on your signer wallet."

Bybit Hack Forensics Report
As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains
Screenshotted the conclusion and here is the link to the full report: https://t.co/3hcqkXLN5U pic.twitter.com/tlZK2B3jIW

— Ben Zhou (@benbybit) February 26, 2025

While attacks targeting cryptocurrency have increased over the past few years, the amount stolen during the Bybit heist far surpasses previous attacks. For example, in 2022, the FBI issued a warning that attacks against decentralized finance platforms were on the rise. However, that public service announcement said threat actors stole $1.3 billion in cryptocurrency assets from several decentralized finance platforms over a three-month time span.

February's heist is the latest cryptocurrency attack attributed to the infamous Lazarus Group. In 2022, the FBI confirmed that Lazarus was behind the attack against Axie Infinity after threat actors stole $620 million in cryptocurrency. The U.S. Office of Foreign Assets Control later sanctioned Blender.io after Lazarus threat actors laundered some of the stolen assets through the mixing service.

Additionally, Lazarus Group poses a significant threat to other organizations and industries. For example, in 2023, the Health Sector Cybersecurity Coordination Center warned that the threat group was actively targeting the healthcare sector.

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.