North Korea’s $1.5 Billion Bybit Hack: The Largest Crypto Heist in History (North Korea, February 2025)

North Korea’s $1.5 Billion Bitcoin Heist: The Biggest Crypto Theft in History

Published: April 27, 2025

In February 2025, the cryptocurrency world was rocked by the largest heist in its history, a staggering $1.5 billion theft from the Dubai-based exchange Bybit. The culprits? North Korean state-sponsored hackers, specifically the infamous Lazarus Group, identified by the FBI as the masterminds behind the operation dubbed “TraderTraitor.” This article delves into the mechanics of the heist, its global impact, and the ongoing efforts to combat such cybercrimes.


The Anatomy of the Heist

On February 21, 2025, Bybit’s CEO, Ben Zhou, approved what appeared to be a routine transfer of 401,346 Ethereum (ETH) from a cold wallet to a warm wallet. Unbeknownst to him, this transaction was manipulated by North Korean hackers who had infiltrated Bybit’s security infrastructure. The breach originated from a compromised developer workstation at Safe{Wallet}, a third-party multisignature platform Bybit relied on for secure transactions.

The hackers executed a sophisticated social engineering attack, stealing AWS session tokens to bypass multi-factor authentication. They then injected malicious JavaScript code into Safe{Wallet}’s user interface, redirecting the ETH to wallets under their control. Within minutes, the stolen funds were dispersed across thousands of addresses on multiple blockchains, with 86.29% converted to Bitcoin (BTC) to obscure the trail.
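An added example (not code from Safe{Wallet}, Bybit or the sources cited here): because the attack described above changed the JavaScript served to signers, one defensive control is an out-of-band audit that compares the production UI against hashes pinned at release time. The file names, file contents and the `auditUi` helper are constructed for illustration.

```javascript
// Added example: out-of-band integrity audit of a web UI against release-time hashes.
const crypto = require('node:crypto');

// SRI-style digest: "sha384-" + base64(SHA-384(content)).
function sri(content) {
  return 'sha384-' + crypto.createHash('sha384').update(content).digest('base64');
}

// Paths referenced by <script src="..."> tags in an HTML page.
function scriptSources(html) {
  return [...html.matchAll(/<script\b[^>]*\bsrc=["']([^"']+)["']/gi)].map((m) => m[1]);
}

// pinned: { path: sriDigest } recorded by the build pipeline at release time.
// served: { path: content } as fetched from production by a separate monitor.
function auditUi(pinned, served, entry = '/index.html') {
  const findings = [];
  const check = (path) => {
    if (!(path in pinned)) findings.push({ path, issue: 'unpinned' });
    else if (!(path in served)) findings.push({ path, issue: 'missing' });
    else if (sri(served[path]) !== pinned[path]) findings.push({ path, issue: 'modified' });
  };
  check(entry);
  // Every script the served page loads must itself be a pinned release artifact.
  for (const src of scriptSources(served[entry] || '')) check(src);
  return findings;
}

// Constructed sample data (not real Safe{Wallet} files).
const RELEASE = {
  '/index.html': '<html><script src="/app.js"></script></html>',
  '/app.js': 'function send(tx) { return sign(tx); }',
};
const PINNED = Object.fromEntries(Object.entries(RELEASE).map(([p, c]) => [p, sri(c)]));
const SERVED = {
  '/index.html': '<html><script src="/app.js"></script><script src="/extra.js"></script></html>',
  '/app.js': 'function send(tx) { return sign(tx); } /* altered after release */',
  '/extra.js': '/* not part of the release */',
};

console.log(auditUi(PINNED, SERVED));
```

The pinned manifest only helps if it is stored and checked outside the hosting account, so that a stolen cloud session cannot rewrite both the served files and the hashes they are compared against.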

Representation of a digital cryptocurrency wallet, a target in the Bybit heist.

North Korea’s Cybercrime Expertise

The Lazarus Group, operating under North Korea’s Reconnaissance General Bureau, has a notorious track record. From the 2014 Sony Pictures hack to the $81 million Bangladesh Bank heist in 2016, their operations have grown increasingly sophisticated. In 2024 alone, North Korean hackers stole $1.34 billion in cryptocurrencies, accounting for 61% of global crypto thefts, according to blockchain analytics firm Chainalysis.

The Bybit heist showcased their evolved tactics, including:

  • Social Engineering: Targeting developers to gain access to critical systems.
  • Cross-Chain Laundering: Using decentralized exchanges and cross-chain bridges to convert ETH to BTC.
  • Mixers and Automation: Employing BTC and ETH mixers to further anonymize transactions, with automated tools for rapid laundering.

By March 20, 2025, over $400 million of the stolen funds had been laundered, highlighting the group’s operational efficiency.

Global Impact and Market Fallout

The heist triggered a massive withdrawal of $10 billion from Bybit within 24 hours, nearly half its managed volume. Bitcoin’s value plummeted 20% the following day, marking its worst performance since the 2022 FTX collapse. The broader crypto market also suffered, with Ether and other assets declining, shaking investor confidence at a time when the industry was gaining traction under a crypto-friendly U.S. administration.

Bybit’s CEO pledged to cover the losses, but the incident exposed vulnerabilities in centralized exchanges. Experts criticized Bybit’s reliance on Safe{Wallet}, a free software product, arguing that specialized security tools could have prevented the breach.

Graph depicting the sharp decline in Bitcoin value post-heist (illustrative).

Efforts to Track and Recover Funds

Blockchain intelligence firms like TRM Labs and Elliptic have been instrumental in tracking the stolen funds. TRM Labs identified the compromised addresses and linked them to previous North Korean heists, while Elliptic noted that the hackers used 50 wallets, each holding 10,000 ETH, to disperse funds over nine days. The FBI issued a public service announcement, releasing 51 Ethereum addresses involved in the laundering and urging crypto providers to block related transactions.

Bybit introduced a 10% bounty program for information leading to the recovery of stolen assets, but experts warn that recovering funds is challenging once they are converted to fiat currency or moved through mixers. The rapid laundering suggests North Korea may be leveraging underground financial networks, particularly in China, to process illicit funds.

Implications for Crypto Security

The Bybit heist underscores the growing threat of nation-state actors in the crypto space. Unlike traditional cybercriminals, groups like Lazarus have vast resources and operate without fear of prosecution within North Korea. This incident has prompted calls for enhanced security measures, including:

  • Advanced Security Protocols: Moving beyond free software to specialized tools for multisig transactions.
  • Regulatory Collaboration: Closer ties between exchanges and governments to track and freeze illicit funds.
  • User Education: Training employees to recognize social engineering tactics.

As cryptocurrencies become a target for state-sponsored cybercrime, the industry faces pressure to bolster defenses to protect investors and maintain market stability.

References

  1. FBI. (2025, February 26). North Korea Responsible for $1.5 Billion Bybit Hack. Internet Crime Complaint Center. www.ic3.gov
  2. TRM Labs. (2025, February 27). The Bybit Hack: Following North Korea’s Largest Exploit. www.trmlabs.com
  3. Chainalysis. (2024, December 19). North Korea-Affiliated Hackers Stole $1.34bn in 2024. Cited in Infosecurity Magazine. www.infosecurity-magazine.com
  4. Wilson Center. (2025, March 31). The Bybit Heist: What Happened & What Now? www.wilsoncenter.org
  5. EL PAÍS English. (2025, April 4). Kim Jong Un’s Sting: How North Korea Orchestrated the Biggest Cyber Heist in History. english.elpais.com

This post was last modified on May 4, 2025 4:07 am

Ovidiu
