
FBI Confirms North Korea Behind Bybit Hack, Calls for Industry-Wide Crackdown

By Prashant Jha
Edited by Insha Zia

Key Takeaways

  • The FBI confirmed that North Korea’s Lazarus Group was behind the $1.5 billion Bybit hack.
  • The agency urged crypto platforms and DeFi services to block wallet addresses that were laundering the stolen funds.
  • Hackers exploited Bybit’s wallet partner, Safe, by injecting malicious code into its UI.

The Federal Bureau of Investigation (FBI) has officially linked the $1.5 billion Bybit hack to North Korea’s state-sponsored Lazarus Group.

The breach, which happened on Feb. 21, targeted one of Bybit’s cold wallets, stealing over 401,000 ETH. The attack marks the latest in a string of high-profile crypto heists attributed to North Korean hackers.

The FBI has issued a public advisory urging crypto exchanges, DeFi services, blockchain analytics firms, and infrastructure providers to block transactions involving addresses associated with the hackers.

Hackers Launder Millions in Stolen Crypto

According to the FBI, over $250 million worth of Ethereum (ETH) has already been laundered since the Bybit hack.

The hackers have been splitting the stolen funds into smaller transactions and moving them across multiple blockchain networks in an attempt to obfuscate their origins.

The FBI has identified more than 100 Ethereum addresses linked to the laundering operation and is asking platforms to prevent the further movement of the funds.
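The FBI is asking platforms to stop further movement of funds tied to a published address list. The block below is an added example, not code from the article, the FBI, or Bybit, of how a platform might screen a batch of incoming transfers against such a list: exact matches are flagged, and addresses that received funds from a listed address within the batch are flagged too, because the article notes the funds are being split into smaller transactions across intermediate addresses. All addresses, transaction ids and amounts are constructed placeholders, not the real addresses from the FBI advisory; a real deployment would load the list from the advisory or a sanctions feed and run over live ledger data.

```python
"""Screening transfers against a blocklist with bounded taint propagation.

Added example (not the article's, the FBI's, or Bybit's code). Addresses and
transfers below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    sender: str
    recipient: str
    amount_eth: float


def normalize(addr: str) -> str:
    """Ethereum addresses are case-insensitive hex; compare them in one form."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42
            and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def screen(transfers, blocklist, own_addresses, max_hops=2):
    """Return {tx_hash: (role, hops)} for transfers touching a tainted address.

    role is "sender" or "recipient"; hops is the distance from a listed address
    (0 = on the list itself). Taint spreads from a tainted sender to its
    recipient within this batch, up to max_hops transfers away. The platform's
    own deposit addresses never become tainted, otherwise one tainted deposit
    would taint every unrelated customer paying into the same address.
    """
    tainted = {normalize(a): 0 for a in blocklist}
    own = {normalize(a) for a in own_addresses}
    for _ in range(max_hops):  # one pass per hop is enough for any ordering
        changed = False
        for t in transfers:
            s, r = normalize(t.sender), normalize(t.recipient)
            if s in tainted and r not in tainted and r not in own \
                    and tainted[s] < max_hops:
                tainted[r] = tainted[s] + 1
                changed = True
        if not changed:
            break
    flagged = {}
    for t in transfers:
        s, r = normalize(t.sender), normalize(t.recipient)
        if s in tainted:
            flagged[t.tx_hash] = ("sender", tainted[s])
        elif r in tainted:
            flagged[t.tx_hash] = ("recipient", tainted[r])
    return flagged


# Constructed placeholders: NOT the addresses published by the FBI.
LISTED = "0x" + "a1" * 20     # stands in for an address on the advisory list
HOP1 = "0x" + "b2" * 20       # first split destination
HOP2 = "0x" + "c3" * 20       # second split destination
CLEAN = "0x" + "d4" * 20      # unrelated customer
EXCHANGE = "0x" + "e5" * 20   # the screening platform's own deposit address
BLOCKLIST = [LISTED]

SAMPLE = [
    Transfer("0xtx1", LISTED, HOP1, 5000.0),      # funds leave the listed address
    Transfer("0xtx2", HOP1, HOP2, 2500.0),        # split again
    Transfer("0xtx3", HOP2, EXCHANGE, 2500.0),    # deposit attempt at the platform
    Transfer("0xtx4", CLEAN, EXCHANGE, 1.0),      # ordinary customer deposit
]

if __name__ == "__main__":
    for tx, (role, hops) in screen(SAMPLE, BLOCKLIST, [EXCHANGE]).items():
        print(f"hold {tx}: {role} is {hops} hop(s) from a listed address")
```

With `max_hops=2` the deposit in `0xtx3` is held because its sender is two transfers downstream of the listed address, while the unrelated customer deposit `0xtx4` passes; lowering `max_hops` to 1 lets `0xtx3` through, which is the trade-off between catching split-and-forward patterns and false positives on legitimate counterparties.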

The agency’s warning follows a pattern seen in previous Lazarus Group attacks, where stolen assets are quickly distributed across various networks to evade detection.

Bybit Wasn’t Directly Compromised—Its Wallet Partner Was

A post-mortem analysis of the attack revealed that Bybit itself was not directly breached. Instead, hackers exploited a vulnerability in its wallet service provider, Safe.

According to investigators, the Lazarus Group compromised Safe’s AWS S3 bucket and injected malicious JavaScript into its user interface. This allowed them to execute unauthorized transactions without triggering alarms.

The exploit specifically targeted Bybit, modifying the Safe UI to deceive the exchange’s signers into approving a seemingly legitimate transaction. In reality, the malicious script redirected the funds to the hackers.
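The attack class described above is a "what you see is not what you sign" problem: the web UI shows the signers a routine transaction while injected script changes the payload that actually goes to the signing device. The block below is an added example, not Safe's or Bybit's code, that models that gap and the signer-side check that closes it: derive the human-readable view and the signing digest from the payload itself, and compare every field against an intended transaction recorded out of band (a treasury ticket, a second channel), never against what the browser shows. It assumes a subset of the fields a Safe transaction carries (`to`, `value`, `data`, `operation`, `nonce`) and uses SHA-256 over a canonical JSON encoding as a stand-in for the real EIP-712 keccak256 signing hash, so it runs on the standard library alone. All addresses and amounts are constructed.

```python
"""What-you-see-is-what-you-sign check for a multisig transaction payload.

Added example (not Safe's or Bybit's code). The digest uses sha256 over
canonical JSON as a stand-in for the EIP-712 keccak256 hash Safe signs.
"""
import hashlib
import json

# Subset of Safe transaction fields used by this example (assumption).
SAFE_TX_FIELDS = ("to", "value", "data", "operation", "nonce")


def canonical_digest(tx: dict) -> str:
    """Digest computed from the payload's canonical fields, never from UI state."""
    missing = [f for f in SAFE_TX_FIELDS if f not in tx]
    if missing:
        raise ValueError(f"payload missing fields: {missing}")
    canon = {f: tx[f] for f in SAFE_TX_FIELDS}
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def render_for_signer(tx: dict) -> str:
    """Human-readable summary derived from the payload (what a device screen shows)."""
    op = {0: "CALL", 1: "DELEGATECALL"}.get(tx["operation"], f"op={tx['operation']}")
    return (f"{op} to={tx['to']} value={tx['value'] / 10**18:.4f} ETH "
            f"data={tx['data']} nonce={tx['nonce']} digest={canonical_digest(tx)[:16]}")


def verify_before_signing(intended: dict, signing_payload: dict):
    """Compare the out-of-band intended transaction with the payload the UI
    asks the device to sign. Returns (ok, list_of_problems)."""
    problems = []
    for f in SAFE_TX_FIELDS:
        if intended.get(f) != signing_payload.get(f):
            problems.append(
                f"{f}: intended {intended.get(f)!r}, payload {signing_payload.get(f)!r}")
    if canonical_digest(intended) != canonical_digest(signing_payload):
        problems.append("digest mismatch: device would sign a different transaction")
    return (not problems, problems)


# Constructed sample: a routine cold-to-warm wallet transfer (placeholder addresses).
INTENDED = {
    "to": "0x" + "11" * 20,
    "value": 30_000 * 10**18,
    "data": "0x",
    "operation": 0,
    "nonce": 42,
}


def simulate_injected_ui(tx: dict) -> dict:
    """Models the injected script (constructed): the screen still shows the
    intended transaction, but the payload handed to the signer points elsewhere."""
    tampered = dict(tx)
    tampered["to"] = "0x" + "ba" * 20  # attacker-controlled placeholder address
    return {"display": render_for_signer(tx), "payload": tampered}


if __name__ == "__main__":
    honest_ok, _ = verify_before_signing(INTENDED, dict(INTENDED))
    print("honest UI:", "sign" if honest_ok else "refuse")
    compromised = simulate_injected_ui(INTENDED)
    print("screen shows:", compromised["display"])
    ok, problems = verify_before_signing(INTENDED, compromised["payload"])
    print("compromised UI:", "sign" if ok else "refuse", problems)
```

The design point is that `render_for_signer` and `canonical_digest` take the signing payload as input, so a tampered `to` field is visible even when the web page looks correct; a signer who only reads the browser, or who confirms a hash on the device without recomputing it from the intended fields, has no way to notice the substitution.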

The attack method demonstrates the increasing sophistication of North Korean cybercriminals, who have begun targeting third-party wallet providers rather than the exchanges themselves.

A Growing Threat to Crypto Security

The Lazarus Group remains one of the most notorious hacking organizations in the crypto industry, stealing billions of dollars over the past decade.

Their tactics have evolved, shifting from direct exchange breaches to exploiting security lapses in wallet partners and custody providers. The Bybit hack shares similarities with the $235 million WazirX breach, where attackers compromised the private keys of its custody partner.

Despite ongoing sanctions and law enforcement efforts, North Korean hackers continue to adapt, posing a persistent threat to crypto platforms worldwide.

Prashant Jha is a crypto-journalist focused on the US and UK markets; his interests lie in blockchain technology and crypto adoption across emerging economies.