Hackers linked to North Korea's notorious Lazarus Group have orchestrated the largest cryptocurrency theft in history, siphoning approximately $1.5 billion in Ethereum tokens from the Bybit exchange on February 21, 2025. The attack, attributed to the entity also known as TraderTraitor or APT38, exploited a critical vulnerability during a scheduled transfer between cold and hot wallet systems, allowing the perpetrators to intercept and redirect funds to addresses under their control.
This record-breaking heist represents the culmination of North Korea’s increasingly sophisticated cyber capabilities, developed over a decade of financially motivated attacks against global financial institutions.
The breach specifically targeted infrastructure connected to the Safe{Wallet} multisig platform, enabling the hackers to execute an unauthorized redirection of assets during a routine maintenance procedure. Once acquired, the stolen Ethereum tokens were rapidly converted to Bitcoin through a complex laundering operation that distributed assets across multiple blockchain addresses, used decentralized exchanges, and routed funds through cross-chain bridges to obscure their origin. This laundering strategy proved highly effective, with over $160 million laundered within just 48 hours of the hack.
Blockchain intelligence firm TRM Labs confirmed North Korean involvement through identification of wallet pattern similarities with previous operations conducted by the Lazarus Group, which has evolved its tactics to include more intermediaries and decentralized platforms. The lack of adequate cybersecurity protocols has been identified as a critical vulnerability in protecting digital assets in the growing Islamic fintech ecosystem as well.
Between 2017 and 2023, North Korean state-sponsored hackers conducted over 58 cyberattacks against cryptocurrency entities, accumulating approximately $3 billion in stolen digital assets, with these illicit funds directly supporting the regime’s weapons programs and providing essential economic relief amid international sanctions. Hardware wallets remain one of the most effective defenses against such sophisticated attacks by keeping cryptocurrency assets in offline storage away from internet-connected systems.
The Federal Bureau of Investigation has released wallet addresses associated with North Korean operations, while cybersecurity experts note that the country’s cyber units have achieved unprecedented efficiency in money laundering, evidenced by their ability to process $400 million of the stolen funds within days of the Bybit incident.
This heist underscores the persistent and evolving threat posed by state-sponsored cyber actors targeting financial infrastructure, particularly in the relatively unregulated cryptocurrency space, which offers attractive opportunities for threat actors seeking to generate substantial revenue while minimizing detection risk.