FBI identifies North Korea as responsible for $1.5 billion Bybit crypto heist, labels activity “TraderTraitor”

by Brandon Duncan


Key Takeaways

  • The FBI has identified North Korea as responsible for the $1.5 billion Bybit crypto heist.
  • TraderTraitor actors are dispersing the stolen digital assets across thousands of blockchain addresses.

The Federal Bureau of Investigation (FBI) announced Wednesday that it believes North Korea was responsible for the $1.5 billion Bybit crypto theft. The agency has labeled this cyber activity “TraderTraitor.”

The attack, which occurred on Feb. 21, is the largest publicly disclosed crypto hack on record. Lazarus Group, North Korea’s notorious hacking organization, has been identified as the actor that carried out the intrusion against Bybit.

According to the federal authorities, TraderTraitor actors have already begun converting the stolen assets to Bitcoin and other digital assets, dispersing them across thousands of addresses on multiple blockchains. The agency expects these assets will undergo further laundering before being converted to fiat currency.

The FBI is urging private sector entities, including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with addresses linked to TraderTraitor actors.

The agency has released a list of 48 Ethereum addresses that are either holding or have held assets from the theft, identifying them as operated by or closely connected to North Korean TraderTraitor actors.
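One way a provider could apply such a list, shown as an added example that is not code from the FBI, Bybit or this article: a Python screen that checks the sender, the recipient and the recipient encoded in ERC-20 transfer calldata. The function names are hypothetical and the addresses are constructed placeholders, not entries from the FBI list.

```python
import re

TRANSFER = "a9059cbb"       # ERC-20 transfer(address,uint256) selector
TRANSFER_FROM = "23b872dd"  # ERC-20 transferFrom(address,address,uint256) selector
_ADDR = re.compile(r"^(0x)?[0-9a-fA-F]{40}$")

def norm(addr):
    """Lower-case an address so EIP-55 mixed-case and plain forms compare equal."""
    if not isinstance(addr, str) or not _ADDR.match(addr.strip()):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    a = addr.strip().lower()
    return "0x" + (a[2:] if a.startswith("0x") else a)

def load_blocklist(lines):
    """Build a set from a text list, skipping blank lines and '#' comments."""
    return {norm(l) for l in lines if l.strip() and not l.lstrip().startswith("#")}

def parties(tx):
    """Return every address the transaction moves value between.

    For a token transfer, tx['to'] is the token contract; the real recipient
    is an ABI argument (a 32-byte word whose last 20 bytes are the address).
    """
    found = {norm(tx["from"])}
    if tx.get("to"):                       # 'to' is None for contract creation
        found.add(norm(tx["to"]))
    data = (tx.get("input") or "0x").lower()
    data = data[2:] if data.startswith("0x") else data
    sel, args = data[:8], data[8:]
    words = [args[i:i + 64] for i in range(0, len(args) - 63, 64)]
    if sel == TRANSFER and len(words) >= 2:
        found.add("0x" + words[0][-40:])
    elif sel == TRANSFER_FROM and len(words) >= 3:
        found.update("0x" + w[-40:] for w in words[:2])
    return found

def screen(tx, blocklist):
    """Return the blocklisted addresses involved in tx (empty list means allow)."""
    return sorted(parties(tx) & blocklist)

# Constructed sample data: placeholder addresses, not real indicators.
BLOCKED = load_blocklist(["# constructed sample list", "0x" + "AB" * 20, ""])
TOKEN, SENDER = "0x" + "11" * 20, "0x" + "22" * 20
ERC20_TX = {"from": SENDER, "to": TOKEN,
            "input": "0x" + TRANSFER + "00" * 12 + "ab" * 20 + "00" * 31 + "01"}

if __name__ == "__main__":
    print(screen(ERC20_TX, BLOCKED))
```

A check on the top-level sender and recipient alone would pass `ERC20_TX`, because the listed address appears only in the calldata. Transfers made by other contracts during execution are not visible in these fields and need trace or log data to catch.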

Bybit confirms $1.5 billion hack link to Lazarus Group

On Wednesday, Bybit disclosed an interim investigation report on the attack. The report identified compromised Safe(Wallet) credentials as the cause, resulting in the theft of $1.5 billion in Ethereum. The credentials of a Safe developer were compromised, allowing unauthorized access and the execution of a malicious transaction.

The compromise occurred during a fund rotation operation via Safe(Wallet), when malicious JavaScript was injected into Safe’s AWS S3 bucket, affecting the multisig transaction process. Although Bybit’s infrastructure was not directly breached, the attack originated from a compromised Safe developer machine and influenced a critical Bybit transfer. The exchange said it is actively tracking and working to retrieve the stolen funds and will release the latest updates as soon as they are available.