FBI Confirms Lazarus Behind $1.5 Billion Bybit Hack

  • The FBI has confirmed that North Korea’s Lazarus Group was behind the $1.5 billion theft from cryptocurrency exchange Bybit last week
  • The stolen assets have been rapidly converted into various cryptocurrencies and dispersed across numerous blockchain addresses
  • The FBI has linked the hack to the activity it tracks under the TraderTraitor designation

The Federal Bureau of Investigation (FBI) has confirmed that the $1.5 billion theft from Dubai-based cryptocurrency exchange Bybit was carried out by North Korea’s notorious Lazarus Group. The stolen assets have been swiftly laundered by converting them into multiple cryptocurrencies and distributing them across thousands of blockchain addresses. In 2022, the FBI issued a cybersecurity advisory highlighting the threat of cryptocurrency theft and the tactics used by Lazarus.

Lazarus Done It

The FBI released a public service announcement on February 26, in which it formally named Lazarus Group as being responsible for the world’s biggest non-cash heist. This group, also known as APT38, has a history of targeting financial institutions and cryptocurrency platforms to fund North Korea’s governmental activities. In its public service announcement, the FBI referred to this specific malicious cyber activity as “TraderTraitor,” a designation it first publicized in 2022 to warn about a growing threat from Lazarus.

The FBI noted that, following the theft, the cybercriminals moved quickly to obfuscate the origins of the stolen funds:

TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains.

This tactic complicates efforts to trace and recover the assets, since every hop across another blockchain or address adds a step that investigators must follow.

$140 Million Bounty Offered

The FBI is seeking the help of blockchain users, listing dozens of addresses to which the funds have been sent and asking service providers to block transactions involving those funds:

FBI encourages private sector entities including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with or derived from addresses TraderTraitor actors are using to launder the stolen assets.

Bybit is actively collaborating with blockchain forensic experts to trace the stolen funds and has launched a recovery bounty program, offering up to 10% of the recovered amount to ethical hackers who assist in retrieving the stolen cryptocurrency.
