I. Targeted Entities

Financial sector, cryptocurrency space, Bybit, Bybit affiliates, and Bybit customers.

II. Introduction

On February 21, 2025, Bybit, a major cryptocurrency exchange, experienced a security breach that resulted in the loss of $1.5 billion worth of Ethereum. This incident is the largest digital heist in the history of cryptocurrency. Bybit is currently collaborating with experts to trace the stolen assets. They have launched a recovery bounty program, offering up to 10% of the recovered amount to individuals who can assist in retrieving the stolen crypto.

The Lazarus Group, a well-known hacking collective believed to be based in North Korea, has claimed responsibility for the attack. This group is notorious for orchestrating high-profile cyberattacks, particularly targeting financial institutions. In this instance, the attackers infiltrated a developer’s computer associated with the Gnosis Safe wallet, a widely used multi-signature wallet designed for secure management of cryptocurrency assets. Gnosis Safe operates by requiring multiple private key approvals to authorize transactions, providing an added layer of security to prevent unauthorized transfers.

However, the Lazarus Group managed to manipulate the Safe user interface (UI) that was specifically employed for Bybit transactions. By injecting malicious JavaScript into the UI, they were able to create the illusion that Bybit was authorizing a legitimate transaction. This allowed the attackers to bypass security protocols and facilitate the unauthorized transfer of funds, effectively masking their illicit actions as legitimate business operations. This attack highlights the vulnerabilities associated with software development environments and the potential for targeted manipulation of trusted tools like the Gnosis Safe.

III. Additional Background Information

The Lazarus Group, also known as APT38, has been active since at least 2009. The group was reportedly responsible for the November 2014 attack against Sony Pictures Entertainment, tracked by Novetta as part of a campaign named Operation Blockbuster. The group has also been linked to other campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.

In 2017, the Lazarus Group was reportedly responsible for creating the malware used in the 2017 WannaCry 2.0 global ransomware attack. The group has also been linked to the 2016 theft of $81 million from Bangladesh Bank and to numerous other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.

Prior to this incident, the largest cryptocurrency heist attributed to Lazarus was the $308 million attack in 2024 on the Japan-based exchange DMM Bitcoin. That compromise of the Japanese cryptocurrency wallet software firm swiftly led to the company’s collapse and was widely regarded as the single largest crypto theft until now.

IV. MITRE ATT&CK

Initial Access via Supply Chain Compromise (T1071.001): Attackers gained access by compromising a developer’s machine associated with Safe {Wallet}, the platform used by Bybit for managing multi-signature wallets.

User Interface Manipulation (T1071.001): They injected malicious JavaScript into the Safe {Wallet} interface, altering transaction details to mislead wallet signers into approving unauthorized transactions.

Transaction Manipulation (T1071.001): By modifying the appearance and details of transactions, the attackers ensured that the signers unknowingly authorized the transfer of funds to addresses under their control.

Command and Control (T1071.001): The use of malicious JavaScript indicates a command-and-control mechanism to deliver and execute payloads on compromised systems.

V. Recommendations

The following recommendations can help keep your cryptocurrency secure and mitigate the risk of an attack like this one:

  • Enhance security around multi-signature wallets
    • Improve key management so that keys are used correctly, with separate keys stored in different secure locations.
    • Rotate signing keys regularly and ensure they remain in the hands of trusted individuals.
  • Harden social engineering defenses
    • Users who are trained and aware of such attacks significantly reduce the chances of these attacks succeeding.
    • Training around phishing and data handling practices strengthens awareness as a whole.
  • Use hardware wallets (cold storage)
    • Hardware wallets store private keys offline, making the keys immune to online attacks.
    • They also avoid keeping larger amounts on exchanges.
  • Use a trustworthy cryptocurrency exchange backed by MFA
    • A trustworthy exchange can mitigate risks to wallets on the platform if it is backed by multi-factor authentication and requires verification for each transaction.
    • Never share your backup codes with anyone.

VI. IOCs (Indicators of Compromise)

The following is a screenshot showing that, at the time of transaction signing, cache files containing JavaScript resources were created in the Chrome browser on all three signers’ hosts. (From Sygnia’s Investigation Report)

The following shows screenshots of the injected code, which activates only when the transaction source matches one of two contract addresses believed to belong to the associated threat actor. (From Sygnia’s Investigation Report)

The following shows screenshots comparing the original legitimate JavaScript resources in Safe{Wallet}’s code with the modified malicious resource. (From Sygnia’s Investigation Report)
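The comparison described above (a served JavaScript resource checked against the original build, with the injected code gated on a hardcoded address) can be automated as a defender-side check. The example below is added here and is not Sygnia’s or Safe{Wallet}’s code; the two bundles and the addresses in them are constructed samples, and the address-gating pattern is an assumed heuristic, not the exact code from the incident.

```python
import hashlib
import re

# Constructed sample addresses (not real incident indicators).
ADDR_A = "0x" + "0" * 37 + "aaa"
ADDR_B = "0x" + "0" * 37 + "bbb"

# Constructed sample resources: a known-good build and a suspect copy
# that adds a branch which rewrites the recipient for one sender only.
KNOWN_GOOD_JS = (
    "function buildTx(t){return {to:t.to,value:t.value,data:t.data};}\n"
    "export const API='https://example.invalid/api';\n"
)
SUSPECT_JS = (
    "function buildTx(t){"
    f"if(t.from==='{ADDR_A}'){{t.to='{ADDR_B}';}}"
    "return {to:t.to,value:t.value,data:t.data};}\n"
    "export const API='https://example.invalid/api';\n"
)

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")
# Heuristic: a comparison of the sender field against a literal address.
GATE_RE = re.compile(r"\.from\s*===?\s*['\"]0x[0-9a-fA-F]{40}['\"]")

def sha256_hex(text: str) -> str:
    """Content hash used to compare a served resource against the baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def extract_addresses(js: str) -> set:
    """Return the set of 20-byte hex addresses hardcoded in a JS resource."""
    return {m.lower() for m in ADDRESS_RE.findall(js)}

def check_resource(known_good: str, served: str) -> dict:
    """Compare a served JS resource with the known-good build.

    Reports whether the content hash changed, which addresses appear only
    in the served copy, and whether a sender-gated branch was introduced.
    """
    changed = sha256_hex(known_good) != sha256_hex(served)
    new_addrs = sorted(extract_addresses(served) - extract_addresses(known_good))
    sender_gated = bool(GATE_RE.search(served)) and not GATE_RE.search(known_good)
    return {
        "hash_changed": changed,
        "new_addresses": new_addrs,
        "sender_gated_branch": sender_gated,
        "alert": changed and (bool(new_addrs) or sender_gated),
    }

if __name__ == "__main__":
    print(check_resource(KNOWN_GOOD_JS, SUSPECT_JS))
```

In practice the baseline hash comes from the reproducible build of the front end, and the check runs over the browser cache entries or the responses captured at the signer hosts.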

VII. Additional OSINT Information

The following Ethereum addresses are holding or have held assets from the theft, and are operated by or closely connected to North Korean TraderTraitor actors:

The list of addresses associated with the Bybit hack is still being updated, and the blocklist can be found here.

The following shows how the attackers moved funds off Bybit after the initial hack. (The following is derived from TRM Labs)

The following shows the rapid laundering process as of March 2, 2025, including transfers through multiple wallets and conversions into different cryptocurrencies. (The following is derived from TRM Labs)

VIII. References

Bybit Press. (2025, February 26). Bybit confirms security integrity amid Safe{Wallet} incident – no compromise in infrastructure. https://www.bybit.com/en/press/post/bybit-confirms-security-integrity-amid-safe-wallet-incident-no-compromise-in-infrastructure-blt9986889e919da8d2

Greig, J. (2024, December 25). FBI attributes largest crypto hack of 2024 to North Korea’s TraderTraitor. The Record. https://therecord.media/fbi-largest-crypto-hack-2024-tradertraitor

Internet Crime Complaint Center (IC3). (2025, February 26). North Korea responsible for $1.5 billion Bybit hack. https://www.ic3.gov/PSA/2025/PSA250226

U.S. Department of Justice. (2025, February 6). North Korean Regime-Backed Programmer Charged With Conspiracy to. https://www.justice.gov/archives/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

Chainalysis Team. (2025, February 27). Leveraging transparency for collaboration in the wake of record-breaking Bybit theft [UPDATED 2/27/25]. Chainalysis. https://www.chainalysis.com/blog/bybit-exchange-hack-february-2025-crypto-security-dprk/

TRM Labs. (n.d.). The Bybit hack: following North Korea’s largest exploit. TRM Insights. https://www.trmlabs.com/post/the-bybit-hack-following-north-koreas-largest-exploit

Threat Advisory created by the Cyber Florida Security Operations Center.

Contributing Security Analysts: Nahyan Jamil and Jason Doan