FBI Links $1.5 B Bybit Heist to North Korea’s Lazarus Group, Crypto Losses Now Top $2 Billion in 2025
The Federal Bureau of Investigation released a public service announcement on 26 February 2025 confirming that the massive $1.5 billion breach of cryptocurrency exchange Bybit was orchestrated by the North Korean cyber‑espionage collective known as Lazarus Group, also tracked as TraderTraitor and APT38.
The agency’s forensic analysis shows the attackers hijacked a routine cold‑to‑hot wallet transfer on 21 February, rerouting the assets to addresses they controlled before swiftly converting the loot into Bitcoin and other digital currencies.
Blockchain‑analytics firms Elliptic and Chainalysis report that the total value of crypto assets stolen globally in 2025 has already surpassed $2 billion, with the Bybit incident accounting for roughly three‑quarters of that figure. The combined tally of North‑Korean‑linked crypto theft since 2017 now exceeds $6 billion, according to Elliptic’s latest assessment. U.S. officials warned that the proceeds are funneled into North Korea’s weapons‑development program, including its nuclear and ballistic‑missile initiatives, thereby circumventing international sanctions.
In the aftermath, Bybit has pledged to reimburse affected users and has offered a $140 million bounty for information leading to recovery of the stolen funds. The FBI has shared 51 Ethereum addresses tied to the laundering operation and urged exchanges, DeFi platforms, and blockchain‑analytics providers to block transactions linked to those addresses.
Meanwhile, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned several entities involved in the money‑laundering chain.
Security researchers note that Lazarus employed a sophisticated supply‑chain compromise of the Safe{Wallet} developer environment, allowing malicious code to be injected into the transaction‑approval workflow.
The breach underscores the persistent vulnerability of even large exchanges despite cold‑storage safeguards.
The incident has sparked renewed calls for tighter regulatory oversight of the cryptocurrency sector and for international cooperation to disrupt North Korea’s illicit cyber‑financing network.
