On February 21, 2025 North Korean hackers executed the largest cryptocurrency heist to date, stealing approximately $1.5 billion worth of ETH. This incident highlights the ongoing need for more security in the crypto industry.
On February 21, 2025, crypto exchange Bybit executed what was supposed to be a routine transfer of user funds from their cold wallet, a more secure offline wallet used for long term storage, to their warm wallet, an internet-connected wallet that offers more accessibility than cold wallets while maintaining more security than hot wallets. In reality, this transfer was anything but routine and resulted in the largest theft of cryptocurrency to date–approximately $1.5 billion worth of ETH.
It boils down to a supply chain compromise. To conduct these transfers securely, each transaction requires multiple signatures from Bybit employees, known as a multisignature or multisig process. To execute these transactions, Bybit relies on Safe{Wallet}, a third-party multisig platform. Earlier in February 2025, a developer for Safe{Wallet} fell for a social engineering attack, and his workstation was compromised by malicious actors. These threat actors were then able to steal AWS session tokens, the temporary keys that allow you to request temporary credentials to your employer’s AWS account. By hijacking active tokens, the attackers were able to bypass MFA controls and gain access to Safe{Wallet}’s AWS account. By timing their efforts to coincide with the developer’s normal work hours, they also remained undetected until the actual heist.
Once they had access to Safe{Wallet}’s system, they manipulated the user interface (UI) that clients like Bybit employees would see. They replaced a benign JavaScript code with code designed to change the intended destination of the ETH in the wallet to wallets controlled by North Korean operatives. This malicious code would only target specific Bybit wallets as opposed to wallets belonging to the various other users of this platform, highlighting the targeted nature of this attack. On February 21, 2025, when Bybit employees went to approve and sign a routine transfer, the UI showed what appeared to be a legitimate transaction with the intended destination. Only after the transfer of funds to the hidden addresses set by the malicious code did Bybit employees realize something was amiss.
As alluded to earlier, the Democratic People’s Republic of Korea (DPRK) was behind this attack. “The Lazarus Group” is often cited as the perpetrators of different North Korean cyber operations, including this incident. Notably, this is an umbrella term that encompasses different intelligence teams conducting cyber operations out of the 3rd Bureau of the DPRK’s Reconnaissance General Bureau (RGB), the DPRK’s primary foreign intelligence service. The 3rd Bureau is largely behind most of the DPRK’s cyber operations. However, each unit, while at times overlapping, has different techniques and targets. The FBI officially attributed this attack to TraderTraitor–a subunit of the RGB 3rd Bureau.
TraderTraitor and other North Korean cyber threat actors continue to increasingly focus on crypto and blockchain companies, largely because of the low risk and high payouts, as opposed to targeting financial institutions like banks with rigorous security regimes and regulations. In 2023, North Korean hackers stole $660.5 million in crypto across 20 incidents and stole $1.34 billion in crypto across 47 incidents in 2024. With this one incident, the DPRK stole more than all their 2023 operations combined.
Clearly, this is an incredibly lucrative venture for the DPRK. In 2024, a senior Biden administration official voiced concerns that around 50% of the DPRK’s foreign-currency earnings came from cybercrime, which includes its crypto theft activities, and a UN report also shared claims from member states that the DPRK’s weapons program is largely funded by its cyber operations. This incident is larger than the crypto industry, and this type of theft is a matter of global security.
While the theft of $1.5 billion in ETH is no insignificant feat, this does not mean that the North Korean government now has $1.5 billion in usable funds. Instead, the stolen ETH must be laundered, obscuring the origins of the stolen funds, and exchanged for usable currency.
The process of laundering and transferring cryptocurrency is costly and involves great friction, some of which is intentionally manufactured by law enforcement and some of it is inherent to the market structure. As such, the total reaching the North Korean government will fall far below $1.5 billion.
In past cryptocurrency thefts by North Korean hackers, the threat actors almost immediately transferred their stolen funds into Bitcoin (BTC). This is likely due to BTC being harder to trace than ETH because of Bitcoin’s transaction model. Bitcoin uses the Unspent Transaction Output (UTXO) model, comparable to transactions with physical cash where each individual bill would need to be traced. On other hand, Ethereum uses an account model, akin to a bank account with a running balance, which is more centralized than Bitcoin.
TraderTraitor once again took this route. On March 20, 2025, Bybit CEO Ben Zhou shared that the hackers had converted 86.29% of the stolen ETH to BTC. TraderTraitor also worked to further obscure the transaction trail, as reported by the Blockchain intelligence platform TRM Labs, through the use of “multiple intermediary wallets, decentralized exchanges (DEXs), and cross-chain bridges.” Moreover, Zhou shared that the hackers started using BTC and ETH mixers. As the name implies, mixers mix transactions which further inhibits blockchain analysts’ ability to track the funds. Following the use of mixers, these North Korean operatives are leveraging peer to peer (P2P) vendors, platforms facilitating the direct purchase and selling of crypto from one user to another.
Additionally, it appears that the threat actors are leveraging money laundering-as-a-service, provided by organized crime syndicates in China and countries throughout Southeast Asia. Use of this service seeks to further obfuscate funds, reducing traceability and seemingly utilizing a “flood the zone” tactic. This tactic seeks to overwhelm compliance analysts, law enforcement, and blockchain analysts by performing thousands of transactions, both through DEXs and wallet-to-wallet transfers. After the costly efforts to hide the transaction trail, the ultimate goal of this process will be to convert the funds into fiat currency, or currency issued by a government like the US dollar or the euro.
As the threat actors engage in this laundering process, Bybit, law enforcement, and partners from across the industry continue to actively work to recover the funds. However, the timeframe where funds can be frozen or recovered moves rapidly. Within the laundering process there are three main stages where the funds can be frozen: when it’s exchanged for BTC; when it's exchanged for a stablecoin, or any cryptocurrency with its value attached to stable assets like fiat currency; or when it's cashed out at exchanges. As the window for seizure at these stages is extremely small, it requires efficient collective action from law enforcement, cryptocurrency services and exchanges, and international actors. The more time that passes, the more difficult recovery becomes.
Discussions around security in the crypto industry are not new, but this incident once again highlights the need for change. A lot of insecurity in crypto amounts to a lack of basic cyber hygiene, a problem endemic to businesses across sectors, industries, and countries. This industry is full of startups that grow rapidly. Often, when these startups are trying to “make it,” cybersecurity measures may become an afterthought, especially when companies lack the funds or personnel for such measures. The problem isn’t unique to those new to business; however, even well-established companies may let cybersecurity fall to the wayside or may lack the education to understand the rapidly evolving threat landscape.
Additional security measures from either Safe{Wallet} or Bybit would have reduced the likelihood of this incident occurring. For instance, implementing pre-signing simulations would have allowed employees to preview the destination of a transaction. Enacting delays for large withdrawals also would have given Bybit time to review the transaction and freeze the funds. Utilizing more transaction validation, through methods like raw transaction validation (reviewing the raw data in a smart contract versus the UI) or off-chain validation (verifying the transaction outside of the blockchain), could have prevented this incident as well.
Policy solutions should put more emphasis on educating industry actors around major threats in crypto and the role of cybersecurity while also incentivizing higher security standards.
That is not to say that the crypto industry does not follow any security standards. For instance, the Financial Action Task Force, an intergovernmental body, sets and updates global guidelines for anti-money laundering (AML) protocols and Know Your Customer (KYC) processes for customer verification and risk assessments of those customers. These have largely been codified by the Financial Crimes Enforcement Network (FinCEN) in the United States. Back in 2013, FinCEN also stipulated that the Bank Secrecy Act and its AML standards apply to administrators and exchanges in crypto.
However, things get tricky when one considers that in the United States and most countries, crypto is still largely unregulated, and the efficacy of its current regulation is often debated. Many argue that regulation effective for securing banks is less effective in the crypto space due to the industry’s decentralized nature. Crypto needs more security regulations, but it also needs new solutions that take into account its differences from fiat financial institutions.
Both the United Arab Emirates and Bahrain have turned to regulatory sandboxes, controlled environments where crypto firms can test new technologies and business models, to find an array of solutions to issues posed by crypto while still promoting innovation. Policymakers in the United States should similarly utilize sandboxes to try to find more effective AML and KYC solutions for the crypto space to ensure effective and efficient regulation.
In addition to US regulation, cooperation and collaboration–domestically and internationally–is imperative, particularly given the limited opportunity that exists to freeze or recover stolen funds. Efficient coordination between industry actors, government agencies, and law enforcement must be included in any efforts to strengthen the security of cryptocurrency. Information sharing organizations like Crypto ISAC and SEAL-ISAC, with partners across the cryptocurrency industry, work to improve the speed and integration of efforts to stem cryptocurrency thefts. The industry-wide response to the Bybit heist is a great example of the value of collaboration. Yet, the need for ever faster action remains.
Continuing to formalize channels between different industry actors, governments, and law enforcements, while still maintaining the decentralized nature of crypto, would advance faster incident response as well as improve incident preparedness.
Additionally, response times can be improved by ensuring individuals working across the agencies involved in preventing financial crime receive training on cryptocurrency and how to leverage its “investigative power.”
Moreover, harmonizing regulations and response frameworks would improve coordination and collaboration efforts. Harmonization would allow for ease of collaboration across jurisdictions, pivotal for intervening in the small windows of opportunity to regain stolen funds.
Overall, building a secure crypto industry will require clearer regulatory environments that companies can safely operate in, innovative policy solutions, higher security standards, and formalizing international and domestic partnerships. Securing the crypto industry must be made a priority if we wish to mitigate the illicit funding of the DPRK’s weapons programs.
The Science and Technology Innovation Program (STIP) serves as the bridge between technologists, policymakers, industry, and global stakeholders. Read more
