North Korea Steals Record $1.5B in Crypto Attack
A sophisticated cyberattack attributed to North Korean hackers has resulted in the largest cryptocurrency heist in history, with $1.5 billion stolen from exchange Bybit in late February, according to FBI investigators.
The unprecedented theft occurred on February 21 when hackers successfully redirected funds during what should have been a routine transfer from Bybit’s cold wallet, shocking the cryptocurrency industry and raising serious concerns about security vulnerabilities in centralized exchanges.

Supply Chain Attack Exploited Developer Access
Forensic investigations revealed that the attack didn’t target Bybit directly, but instead compromised a developer at Safe{Wallet}, the multi-signature wallet solution used by the exchange. The FBI has formally attributed the theft to the North Korean state-sponsored hacking group known as “TraderTraitor,” according to The Record.
“The developer’s machine was exploited to inject malicious JavaScript code into the Safe user interface,” explained Bybit CEO Ben Zhou in a statement following the incident. The code specifically targeted Bybit’s wallet while leaving other users unaffected.
Security researchers at Mandiant discovered that hackers first compromised the developer’s laptop on February 4 when it interacted with a malicious Docker project, allowing attackers to access Amazon Web Services infrastructure where Safe{Wallet}’s code was hosted.

Social Engineering Enabled Perfect Deception
The attack’s sophistication lay in its ability to present Bybit’s transaction signers with what appeared to be legitimate transaction data. When initiating a routine transfer, the compromised interface showed correct information while secretly modifying critical parameters in the transaction.
By changing a single operation code from “0” to “1,” the transaction was transformed from a standard transfer into a “delegatecall” that gave attackers complete control of the wallet. This subtle modification went undetected as multiple signers approved what they believed was a routine transaction.
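
The single-field change described above is the kind of thing an independent pre-signing check can catch. The following is an added example, not code from Bybit, Safe{Wallet} or the investigators: it compares the transaction the operator intended with the payload actually presented for signing and flags any delegatecall to a target that is not explicitly allowlisted. The field names (to, value, data, operation) and the function name are assumptions, the addresses are constructed, and the payload is assumed to be obtained independently of the web interface.

```python
# Added example: field names follow the Safe transaction layout (an assumption);
# all addresses and payloads below are constructed sample values.
CALL, DELEGATECALL = 0, 1
CHECKED_FIELDS = ("to", "value", "data", "operation")


def normalize(tx):
    """Lower-case hex strings and coerce numbers so comparisons are exact."""
    return {
        "to": str(tx["to"]).lower(),
        "value": int(tx["value"]),
        "data": str(tx.get("data") or "0x").lower(),
        "operation": int(tx["operation"]),
    }


def review_before_signing(intended, to_sign, delegatecall_allowlist=()):
    """Return a list of findings; an empty list means the payload matches the intent."""
    want, got = normalize(intended), normalize(to_sign)
    findings = []
    # Any difference between intent and payload blocks signing.
    for field in CHECKED_FIELDS:
        if want[field] != got[field]:
            findings.append(
                f"{field}: intended {want[field]!r}, payload has {got[field]!r}"
            )
    # A delegatecall runs the target's code with the wallet's own storage,
    # so it is only acceptable for explicitly allowlisted targets.
    allowed = {a.lower() for a in delegatecall_allowlist}
    if got["operation"] == DELEGATECALL and got["to"] not in allowed:
        findings.append(f"delegatecall to non-allowlisted target {got['to']}")
    elif got["operation"] not in (CALL, DELEGATECALL):
        findings.append(f"unknown operation value {got['operation']}")
    return findings


# Constructed sample: what the operator intended to send.
INTENDED = {"to": "0x" + "11" * 20, "value": 0, "data": "0x", "operation": 0}
# Constructed sample: identical fields, but operation changed from 0 to 1.
TAMPERED = dict(INTENDED, operation=1)

if __name__ == "__main__":
    for name, payload in (("clean", INTENDED), ("tampered", TAMPERED)):
        problems = review_before_signing(INTENDED, payload)
        print(name, "OK" if not problems else problems)
```

The check only helps if the payload it inspects is the one the signing device will actually sign, decoded on a machine that does not load the web interface being verified.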

Exchange Maintains Solvency Despite Record Loss
Despite the unprecedented scale of the theft, Bybit acted quickly to secure emergency loans and restore customer funds. Within 72 hours, the exchange had fully replenished its reserves through a combination of loans from firms including Galaxy Digital, FalconX and Wintermute, according to CNBC.
“Bybit fully backs all customer assets entrusted to our platform, maintaining a dynamic ratio of over 1:1,” Zhou confirmed after completing a fresh audit to demonstrate the exchange’s solvency. All customer withdrawals remained accessible throughout the incident.

North Korean Hackers Accelerate Crypto Theft Operations
This single attack surpassed North Korea’s entire 2024 cryptocurrency theft total of $1.34 billion across 47 separate incidents. Security researchers have observed the stolen funds being rapidly dispersed across thousands of blockchain addresses as the hackers attempt to launder the cryptocurrency.
The FBI has called on cryptocurrency exchanges and service providers to block transactions associated with addresses linked to the attack. Bybit has offered a bounty of 10% for the recovery of stolen funds, though recovery prospects remain slim based on historical precedent.

Industry Rethinks Security After Historic Breach
The attack has prompted urgent reassessments of security practices across the cryptocurrency industry. Safe{Wallet} has implemented enhanced security measures, including a full infrastructure reset, improved transaction verification interfaces, and additional validation protocols.
Security experts emphasize that the incident highlights vulnerabilities in the human elements of the security chain rather than in blockchain technology itself. The compromise of a single developer’s machine enabled attackers to circumvent sophisticated multi-signature security systems without ever needing to crack encryption or steal private keys.