
The Federal Bureau of Investigation (FBI) has confirmed that the North Korean state-sponsored hacking group known as the Lazarus Group was responsible for the theft of approximately $1.5 billion from cryptocurrency exchange Bybit. The heist, which took place on February 21, 2025, involved intercepting and redirecting a scheduled transfer from Bybit’s cold wallet to its hot wallet, diverting the funds to blockchain addresses controlled by the hackers.
The Lazarus Group, also tracked as TraderTraitor and APT38, has been linked to numerous high-profile cyber heists over the years. According to the FBI, the hackers rapidly converted portions of the stolen assets into Bitcoin and other cryptocurrencies, distributing them across thousands of addresses on multiple blockchains in an attempt to obscure the funds’ origin and evade detection. The FBI anticipates that these assets will be further laundered and eventually converted into fiat currency.
As part of its investigation, the FBI has released a list of 51 Ethereum addresses associated with the theft, urging cryptocurrency exchanges, blockchain analytics firms, and other financial service providers to block transactions originating from these addresses. The agency has also called on the broader crypto community to assist in tracing the stolen assets.
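The screening the FBI is asking exchanges and service providers to perform amounts to checking every counterparty address against the published list. The following is an added example written for this article, not code from the FBI, Bybit or any analytics firm; the blocklisted addresses in it are constructed placeholders, not the 51 real ones, and it also catches a common pitfall: Ethereum addresses carry an EIP-55 checksum in their letter case, so a case-sensitive comparison silently misses the same address written in lowercase or checksummed form.

```python
import re

# Constructed placeholders standing in for the FBI's published list.
BLOCKED_ADDRESSES_RAW = [
    "0x000000000000000000000000000000000000dEaD",  # placeholder, mixed case
    "0x1111111111111111111111111111111111111111",  # placeholder
]

_ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize_address(addr: str) -> str:
    """Canonicalise an Ethereum address so blocklist lookups are case-safe.

    EIP-55 checksumming encodes a checksum in the letter case of the hex
    digits, so one account may appear lowercase, uppercase or mixed case.
    Validate the shape (0x + 40 hex digits) and lowercase for comparison.
    """
    addr = addr.strip()
    if not _ADDR_RE.match(addr):
        raise ValueError(f"not a 20-byte hex Ethereum address: {addr!r}")
    return addr.lower()


BLOCKED = frozenset(normalize_address(a) for a in BLOCKED_ADDRESSES_RAW)


def screen_transfer(sender: str, recipient: str, blocked=BLOCKED) -> list:
    """Return which sides of a transfer ('from', 'to') touch a blocked address.

    Both directions are checked: funds leaving a listed address should be
    refused, and deposits arriving from one should be held for review.
    """
    hits = []
    if normalize_address(sender) in blocked:
        hits.append("from")
    if normalize_address(recipient) in blocked:
        hits.append("to")
    return hits


def screen_batch(transfers):
    """Screen (tx_id, sender, recipient) tuples; return flagged ids with reasons."""
    return [(tx_id, hits) for tx_id, s, r in transfers
            if (hits := screen_transfer(s, r))]


if __name__ == "__main__":
    # Constructed sample transfers, including a checksummed form of a listed address.
    sample = [
        ("tx1", "0x000000000000000000000000000000000000DEAD", "0x" + "22" * 20),
        ("tx2", "0x" + "22" * 20, "0x" + "33" * 20),
        ("tx3", "0x" + "33" * 20, "0x" + "11" * 20),
    ]
    for tx_id, hits in screen_batch(sample):
        print(f"{tx_id}: blocked address on {', '.join(hits)} side")
```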
Crypto fraud investigator ZachXBT played a crucial role in tracking the stolen funds, identifying links between the Bybit theft and prior attacks on cryptocurrency exchanges Phemex, BingX, and Poloniex, all previously attributed to the Lazarus Group. Blockchain analysis firms Elliptic and TRM Labs corroborated these findings, citing substantial overlaps between addresses controlled by the Bybit hackers and those tied to past North Korean cyber heists.
On Wednesday, Bybit CEO Ben Zhou shared preliminary forensic reports from cybersecurity firm Sygnia and finance security company Verichains. Their analysis found that the attack was executed by compromising infrastructure operated by Safe{Wallet}, a multisig wallet platform. The Safe Ecosystem Foundation later confirmed that North Korean hackers gained unauthorized access through a compromised Safe{Wallet} developer machine, allowing them to propose and execute a malicious transaction that resulted in the massive theft.
The FBI has urged RPC node operators, decentralized finance (DeFi) platforms, and cryptocurrency service providers to enhance security measures and remain vigilant against similar attacks. The agency emphasized that North Korean cyber operations, particularly those led by the Lazarus Group, continue to pose a significant threat to global financial stability.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543