FBI Links North Korea’s Lazarus Group to $1.5 Billion ‘Bybit’ Cryptocurrency Theft

Written by: Lore Apostol, Cybersecurity & Streaming Writer

The Federal Bureau of Investigation (FBI) confirmed that the North Korean hacker collective known as TraderTraitor, commonly identified under aliases such as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima, is responsible for the Bybit cryptocurrency exchange hack.

The FBI’s Wednesday announcement said that Lazarus Group, notorious for its advanced cyber theft tactics, is behind the theft of approximately $1.5 billion in virtual assets from Bybit.

Evidence from crypto investigator ZachXBT supports the FBI’s findings, linking the Bybit theft to earlier hacks on other cryptocurrency platforms, such as Phemex, BingX, and Poloniex. These past attacks had already been identified as the work of the Lazarus Group. 

Figure: Interlinking between four different hacks, including Bybit, Poloniex, Phemex and BingX | Source: ZachXBT / X

ZachXBT's analysis revealed that stolen Bybit funds were routed to Ethereum wallets connected to the earlier breaches, solidifying the connection.  

Blockchain analysis firms Elliptic and TRM Labs have reaffirmed these findings, disclosing that the hackers employed sophisticated measures to slow down blockchain tracking efforts, which complicated the recovery process.

The cyberattack occurred on or around February 21, 2025, with the stolen funds already being partially converted into Bitcoin and dispersed across thousands of blockchain addresses.  

The stolen cryptocurrency is expected to be further laundered across multiple blockchain networks before being converted into fiat currency, making recovery efforts increasingly difficult.  

The FBI has called on private sector entities, including RPC node operators, crypto exchanges, DeFi platforms, and blockchain analytics firms, to block transactions originating from or linked to Ethereum addresses associated with the Lazarus Group. 

The FBI also shared a list of Ethereum addresses that are holding or have held assets from the theft and are operated by or closely connected to the threat actors. The Bybit hack bounty currently totals $140,000,000.

Bybit, which caters to more than 60 million users worldwide, said on Friday that an attacker gained control of an ether wallet and transferred the holdings to an unidentified address.


