
The Bybit Heist: What Happened & What Now?

On February 21, 2025, North Korean hackers executed the largest cryptocurrency heist to date, stealing approximately $1.5 billion worth of ETH. The incident highlights the continuing need for stronger security in the crypto industry.


Introduction

On February 21, 2025, the crypto exchange Bybit executed what was supposed to be a routine transfer of user funds from its cold wallet, a more secure offline wallet used for long-term storage, to its warm wallet, an internet-connected wallet that offers more accessibility than a cold wallet while remaining more secure than a hot wallet. In reality, the transfer was anything but routine: it resulted in the largest theft of cryptocurrency to date, approximately $1.5 billion worth of ETH.

How Did This Happen?

It boils down to a supply chain compromise. To conduct these transfers securely, each transaction requires signatures from several Bybit employees, a multisignature (multisig) process. To execute these transactions, Bybit relies on Safe{Wallet}, a third-party multisig platform. Earlier in February 2025, a Safe{Wallet} developer fell for a lure that let malicious actors compromise his workstation. From that workstation the threat actors hijacked AWS session tokens, the short-lived credentials an employee obtains in order to act in the employer's AWS account. Because a hijacked token has already passed authentication, the attackers bypassed MFA controls and gained access to Safe{Wallet}'s AWS account. By timing their activity to coincide with the developer's normal working hours, they also remained undetected until the actual heist.
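The token-hijack pattern described above is the kind of thing CloudTrail can surface. The following Python script is an added example, not code from the original article, Safe{Wallet} or Bybit: it reads CloudTrail-style records and flags any temporary access key (keys issued by STS carry the "ASIA" prefix) that is used from more than one source IP or user agent, or outside a working-hours window. The record layout follows CloudTrail's documented fields; the sample records, IP addresses, account ID, role names and the working-hours window are constructed for this example.

```python
"""Flag hijacked AWS temporary credentials in CloudTrail records.

Added example, not code from the original article, Safe{Wallet} or Bybit.
A temporary access key (prefix "ASIA", issued by STS) belongs to one session
on one workstation; seeing it from a second source IP or user agent means the
session token has been lifted. Record field names follow the CloudTrail
format; the sample records, IPs, account ID, role names and the work-hours
window (expressed in UTC) are assumptions made for this example.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log: alice's own CLI session (key ...0001) plus the same
# key replayed from another IP and tool; bob's session (key ...0002) is clean.
SAMPLE_RECORDS = [
    {"eventTime": "2025-02-04T09:12:03Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/developer/alice"}},
    {"eventTime": "2025-02-04T10:40:51Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/developer/alice"}},
    {"eventTime": "2025-02-04T11:02:17Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/developer/alice"}},
    {"eventTime": "2025-02-04T09:30:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.22", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000002",
                      "arn": "arn:aws:sts::123456789012:assumed-role/developer/bob"}},
]


def load_records(raw_json: str) -> list[dict]:
    """Parse a CloudTrail log file, which wraps events in a top-level 'Records' list."""
    return json.loads(raw_json)["Records"]


def is_temporary_key(access_key_id: str) -> bool:
    """STS-issued (temporary) access key IDs start with ASIA; long-term keys with AKIA."""
    return access_key_id.startswith("ASIA")


def _hour_utc(event_time: str) -> int:
    # CloudTrail timestamps are ISO 8601 with a trailing Z; normalise for fromisoformat.
    return datetime.fromisoformat(event_time.replace("Z", "+00:00")).hour


def find_hijacked_sessions(records, work_start: int = 8, work_end: int = 19) -> list[dict]:
    """Group temporary-key events per key and report keys whose usage diverges.

    A key is reported when it appears from more than one source IP, from more
    than one user agent, or outside [work_start, work_end) UTC.
    """
    by_key = defaultdict(list)
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId", "")
        if is_temporary_key(key):
            by_key[key].append(rec)

    findings = []
    for key, events in by_key.items():
        ips = sorted({e["sourceIPAddress"] for e in events})
        agents = sorted({e["userAgent"] for e in events})
        off_hours = [e["eventName"] for e in events
                     if not work_start <= _hour_utc(e["eventTime"]) < work_end]
        reasons = []
        if len(ips) > 1:
            reasons.append(f"used from {len(ips)} source IPs: {ips}")
        if len(agents) > 1:
            reasons.append(f"used by {len(agents)} user agents: {agents}")
        if off_hours:
            reasons.append(f"{len(off_hours)} call(s) outside work hours: {off_hours}")
        if reasons:
            findings.append({"accessKeyId": key,
                             "principal": events[0]["userIdentity"]["arn"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_hijacked_sessions(SAMPLE_RECORDS):
        print(finding["principal"], finding["accessKeyId"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Because the attackers worked during the developer's normal hours, the off-hours rule alone would have stayed silent; the divergence in source IP and user agent for a key that should belong to a single workstation is the signal that survives that timing, so it should alert on its own rather than only in combination with other rules.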

Once they had access to Safe{Wallet}'s systems, they manipulated the user interface (UI) that clients such as Bybit's employees would see. They replaced benign JavaScript with code designed to redirect the ETH in the wallet to wallets controlled by North Korean operatives. The malicious code activated only for specific Bybit wallets rather than for the wallets of the platform's many other users, highlighting the targeted nature of the attack. On February 21, 2025, when Bybit employees went to approve and sign a routine transfer, the UI displayed what appeared to be a legitimate transaction with the intended destination, while the payload they actually signed sent the funds elsewhere. Only after the funds had moved to the addresses set by the malicious code did Bybit employees realize something was amiss.

The Culprits

As alluded to earlier, the Democratic People's Republic of Korea (DPRK) was behind this attack. "The Lazarus Group" is often cited as the perpetrator of various North Korean cyber operations, including this incident. Notably, this is an umbrella term that encompasses several intelligence teams conducting cyber operations out of the 3rd Bureau of the DPRK's Reconnaissance General Bureau (RGB), the DPRK's primary foreign intelligence service. The 3rd Bureau is behind most of the DPRK's cyber operations; however, each unit, while part of the same bureau, has its own techniques and targets. The FBI officially attributed this attack to TraderTraitor, a subunit of the RGB 3rd Bureau.

TraderTraitor and other North Korean cyber threat actors increasingly focus on crypto and blockchain companies, largely because of the low risk and high payouts compared with targeting financial institutions such as banks, which have rigorous security regimes and regulations. In 2023, North Korean hackers stole $660.5 million in crypto across 20 incidents; in 2024 they stole $1.34 billion across 47 incidents. With this one incident, the DPRK stole more than in all of its 2023 operations combined.

Clearly, this is an incredibly lucrative venture for the DPRK. In 2024, a senior Biden administration official stated that around 50% of the DPRK's foreign-currency earnings came from cybercrime, which includes its crypto theft activities, and a UN report, citing member states, claims that the DPRK's weapons program is largely funded by its cyber operations. This incident is larger than the crypto industry: this type of theft is a matter of global security.


Accessing the Stolen Funds

While the theft of $1.5 billion in ETH is no insignificant feat, this does not mean that the North Korean government now has $1.5 billion in usable funds. Instead, the stolen ETH must be laundered, obscuring the origins of the stolen funds, and exchanged for usable currency. 

The process of laundering and transferring cryptocurrency is costly and involves great friction, some of it deliberately created by law enforcement and some inherent to the market structure. As such, the total that reaches the North Korean government will fall far below $1.5 billion.

In past cryptocurrency thefts by North Korean hackers, the threat actors almost immediately converted their stolen funds into Bitcoin (BTC). This is likely because BTC is harder to trace than ETH owing to Bitcoin's transaction model. Bitcoin uses the unspent transaction output (UTXO) model, comparable to transactions with physical cash, where each individual bill would need to be traced. Ethereum, on the other hand, uses an account model, akin to a bank account with a running balance, in which every movement is a debit or credit against a single known address and is therefore simpler to follow.

TraderTraitor once again took this route. On March 20, 2025, Bybit CEO Ben Zhou stated that the hackers had converted 86.29% of the stolen ETH to BTC. TraderTraitor also worked to further obscure the transaction trail, as reported by the blockchain intelligence platform TRM Labs, through the use of "multiple intermediary wallets, decentralized exchanges (DEXs), and cross-chain bridges." Moreover, Zhou noted that the hackers had started using BTC and ETH mixers. As the name implies, mixers pool and shuffle many users' transactions, which further inhibits blockchain analysts' ability to track the funds. Following the use of mixers, the North Korean operatives are leveraging peer-to-peer (P2P) vendors, platforms that facilitate the direct purchase and sale of crypto from one user to another.

Additionally, it appears that the threat actors are leveraging third-party laundering services provided by organized crime syndicates across Southeast Asia. Use of such a service seeks to further obfuscate the funds and reduce traceability, seemingly by overwhelming compliance analysts, law enforcement, and blockchain analysts with thousands of transactions, both through DEXs and wallet-to-wallet transfers. After the costly effort to hide the transaction trail, the ultimate goal of this process is to convert the funds into fiat currency, that is, currency issued by a government, like the US dollar or the euro.

As the threat actors carry out this laundering process, Bybit, law enforcement, and partners across the industry continue to work actively to recover the funds. However, the window in which funds can be frozen or recovered closes rapidly. Within the laundering process there are three main stages where the funds can be frozen: when they are exchanged for BTC; when they are exchanged for a stablecoin, a cryptocurrency whose value is pegged to a stable asset such as a fiat currency; or when they are cashed out at exchanges. Because the window for seizure at each of these stages is extremely small, it requires efficient collective action from law enforcement, cryptocurrency services and exchanges, and international actors. The more time that passes, the more difficult recovery becomes.

Strengthening Security

Discussions around security in the crypto industry are not new, but this incident once again highlights the need for change. Much of the insecurity in crypto amounts to a lack of basic cyber hygiene, a problem endemic to businesses across sectors, industries, and countries. The industry is full of startups that grow rapidly. Often, while these startups are trying to "make it," cybersecurity measures become an afterthought, especially when companies lack the funds or personnel for them. The problem isn't unique to newcomers, however: even well-established companies may let cybersecurity fall by the wayside or may lack the education to understand the rapidly evolving threat landscape.

Additional security measures from either Safe{Wallet} or Bybit would have reduced the likelihood of this incident. For instance, pre-signing simulations would have let employees preview the actual destination of a transaction before approving it. Enforcing delays for large withdrawals would also have given Bybit time to review the transaction and freeze the funds. Stronger transaction validation, such as reviewing the raw data that will be sent to the smart contract rather than trusting the UI, or independently verifying the transaction off-chain through a channel that does not depend on the same UI, could have prevented this incident as well.
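As an added example (not Safe{Wallet}'s or Bybit's code, nor from the original article), the Python below shows what an independent pre-signing check of that kind can look like. It reconstructs the real destination and amount from the raw fields a Safe-style transaction commits to (to, value, data and operation, the field names Safe's transaction struct uses) and compares them with what the UI claimed, refusing to sign on a mismatch, on a delegatecall, on a destination outside an allowlist, or on a large transfer whose withdrawal delay has not elapsed. The ERC-20 decoder uses the standard transfer(address,uint256) selector; the addresses, allowlist, delay threshold and sample transactions are placeholders invented for the example.

```python
"""Independent pre-signing check for a Safe-style multisig transaction.

Added example: not code from Safe{Wallet}, Bybit or the original article.
Instead of trusting what the signing UI displays, a signer (or a policy
service in front of the hardware wallet) re-derives the destination and
amount from the raw fields that will actually be signed and refuses when
they disagree, when the call is a delegatecall, when the destination is
not allowlisted, or when a large transfer has not waited out its delay.
The field names (to, value, data, operation) follow Safe's transaction
struct; the addresses, allowlist, delay threshold and sample transactions
are placeholders made up for this example.
"""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1           # Safe 'operation' values
TRANSFER_SELECTOR = "a9059cbb"      # first 4 bytes of keccak256("transfer(address,uint256)")

# Placeholder addresses (not real wallets).
WARM_WALLET = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
ATTACKER = "0x" + "ab" * 20


@dataclass
class RawSafeTx:
    """The fields a Safe signer actually commits to, as the wallet sees them."""
    to: str
    value: int          # wei sent with the call
    data: str           # hex calldata, "0x" for a plain ETH transfer
    operation: int      # CALL or DELEGATECALL


@dataclass
class UiIntent:
    """What the web UI told the signer the transaction does."""
    recipient: str
    amount: int         # wei, or token base units for an ERC-20 transfer


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256): selector + two 32-byte words."""
    return "0x" + TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) for ERC-20 transfer calldata, else None."""
    h = data[2:] if data.startswith("0x") else data
    if len(h) != 8 + 64 + 64 or h[:8].lower() != TRANSFER_SELECTOR:
        return None
    recipient = "0x" + h[8 + 24:8 + 64]     # the address is right-aligned in its 32-byte word
    return recipient.lower(), int(h[8 + 64:], 16)


def check_before_signing(tx: RawSafeTx, intent: UiIntent, allowlist, delay_threshold: int,
                         delay_elapsed: bool = False) -> list[str]:
    """Return the reasons to refuse signing; an empty list means proceed."""
    allowed = {a.lower() for a in allowlist}
    reasons = []
    if tx.operation != CALL:
        reasons.append("operation is delegatecall: it runs foreign code in the wallet's own context")
    if tx.data in ("", "0x"):                   # plain ETH transfer: destination is 'to'
        dest, amount = tx.to.lower(), tx.value
    else:                                       # contract call: destination is inside calldata
        decoded = decode_erc20_transfer(tx.data)
        if decoded is None:
            reasons.append("calldata is not a recognised transfer; inspect the raw data")
            dest, amount = tx.to.lower(), tx.value
        else:
            dest, amount = decoded
    if dest != intent.recipient.lower():
        reasons.append(f"raw destination {dest} differs from UI destination {intent.recipient.lower()}")
    if amount != intent.amount:
        reasons.append(f"raw amount {amount} differs from UI amount {intent.amount}")
    if dest not in allowed:
        reasons.append(f"destination {dest} is not on the allowlist")
    if amount >= delay_threshold and not delay_elapsed:
        reasons.append("large transfer: the withdrawal delay has not elapsed")
    return reasons


if __name__ == "__main__":
    intent = UiIntent(WARM_WALLET, 1000 * 10**18)               # UI claims: 1000 ETH to the warm wallet
    honest = RawSafeTx(WARM_WALLET, 1000 * 10**18, "0x", CALL)
    tampered = RawSafeTx(ATTACKER, 0, "0x", DELEGATECALL)        # a payload that disagrees with the UI
    for name, tx in (("honest", honest), ("tampered", tampered)):
        print(name, check_before_signing(tx, intent, {WARM_WALLET}, 100 * 10**18, delay_elapsed=True))
```

The point of the check is that it never consults the web UI: the raw fields come from the signer's own view of the transaction (for example what a hardware wallet shows), so a poisoned front end cannot satisfy it by displaying a clean summary. Run as a script it prints an empty list for the honest transaction and four reasons for the tampered one.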

Policy solutions should place more emphasis on educating industry actors about the major threats in crypto and the role of cybersecurity, while also incentivizing higher security standards.

That is not to say that the crypto industry follows no security standards. For instance, the Financial Action Task Force (FATF), an intergovernmental body, sets and updates global standards for anti-money laundering (AML) protocols and Know Your Customer (KYC) processes for customer verification and risk assessment. In the United States these have largely been codified by the Financial Crimes Enforcement Network (FinCEN). Back in 2013, FinCEN also clarified that the Bank Secrecy Act and its AML requirements apply to administrators and exchangers of virtual currency.

However, things get tricky when one considers that in the United States, as in most countries, crypto is still largely unregulated, and the efficacy of its existing regulation is often debated. Many argue that regulation effective for securing banks is less effective in the crypto space because of the industry's decentralized nature. Crypto needs more security regulation, but it also needs new solutions that account for its differences from fiat financial institutions.

Other jurisdictions have turned to regulatory sandboxes, controlled environments in which crypto firms can test new technologies and business models, to find solutions to the issues posed by crypto while still promoting innovation. Policymakers in the United States should similarly use sandboxes to look for more effective AML and KYC solutions for the crypto space and so ensure effective and efficient regulation.

In addition to US regulation, cooperation and collaboration, both domestic and international, is imperative, particularly given the limited window in which stolen funds can be frozen or recovered. Efficient coordination between industry actors, government agencies, and law enforcement must be part of any effort to strengthen the security of cryptocurrency. Information sharing organizations, working with partners across the cryptocurrency industry, improve the speed and integration of efforts to stem cryptocurrency thefts. The response to the Bybit heist is a good example of the value of collaboration. Yet the need for ever faster action remains.

Continuing to formalize channels between industry actors, governments, and law enforcement, while preserving the decentralized nature of crypto, would speed up incident response and improve incident preparedness.

Additionally, response times can be improved by ensuring that individuals working across the agencies involved in preventing financial crime receive training on cryptocurrency and on how to leverage its "investigative power."

Moreover, harmonizing crypto regulation across jurisdictions would improve coordination and collaboration. Harmonization would ease collaboration across borders, which is pivotal for intervening in the small windows of opportunity to regain stolen funds.

Overall, building a secure crypto industry will require clearer regulatory environments in which companies can operate safely, innovative policy solutions, higher security standards, and formalized international and domestic partnerships. Securing the crypto industry must be made a priority if we wish to mitigate the illicit funding of the DPRK's weapons programs.

Science and Technology Innovation Program

The Science and Technology Innovation Program (STIP) serves as the bridge between technologists, policymakers, industry, and global stakeholders.
