On February 21, 2025, cryptocurrency exchange Bybit executed a routine transfer of user funds from their cold wallet to their warm wallet. However, this transaction was anything but routine, resulting in the largest theft of cryptocurrency to date – approximately $1.5 billion worth of ETH.
The Heist
The theft occurred due to a supply chain compromise involving Safe{Wallet}, a third-party multisig platform used by Bybit. In early February 2025, a Safe{Wallet} developer fell victim to a social engineering attack, compromising their workstation and allowing malicious actors to steal AWS session tokens. These tokens enabled the attackers to bypass MFA controls and gain access to Safe{Wallet}’s AWS account.

The attackers tampered with the Safe{Wallet} user interface served to Bybit employees, replacing benign JavaScript with malicious code that redirected the transaction to wallets controlled by North Korean operatives. The code was written to act specifically on Bybit’s wallets, underscoring how targeted the attack was.
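The compromise began with stolen AWS session tokens, which the page notes let the attackers bypass MFA. A detection point a defender has is CloudTrail: a temporary credential (access key IDs beginning with `ASIA`) that is suddenly used from a new IP address or client is a strong signal of token theft, even though the session still shows `mfaAuthenticated: true` because MFA was satisfied when the session was created. The example below is added here and is not code from the page, from Safe{Wallet} or from Bybit; the CloudTrail field names are the real schema, while the key IDs, IPs, user agents and timestamps are constructed.

```python
"""Flag AWS temporary session credentials reused from a new origin.

Added example with constructed CloudTrail-style records: field names follow
CloudTrail's schema, but the key IDs, IPs, user agents and times are invented.
"""

# Constructed sample events (not real Safe{Wallet} or Bybit telemetry).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2025-02-04T09:00:01Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-02-04T09:05:12Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    # Same session token, now used from a different network and a different client.
    # Note that mfaAuthenticated is still "true": the MFA flag alone does not reveal theft.
    {"eventTime": "2025-02-04T13:41:55Z", "eventName": "PutObject",
     "sourceIPAddress": "198.51.100.77",
     "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2025-02-04T14:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.11",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE222",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]


def detect_session_reuse(records):
    """Return alerts for STS keys (ASIA...) seen from a second IP or user agent.

    The first event for each key establishes its baseline origin; later events
    from a different origin produce one alert each, listing what changed.
    """
    first_seen = {}   # accessKeyId -> (sourceIPAddress, userAgent) of first use
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        key = rec["userIdentity"].get("accessKeyId", "")
        if not key.startswith("ASIA"):
            continue  # long-lived keys (AKIA...) need a different baseline rule
        origin = (rec["sourceIPAddress"], rec["userAgent"])
        if key not in first_seen:
            first_seen[key] = origin
            continue
        known_ip, known_agent = first_seen[key]
        reasons = []
        if rec["sourceIPAddress"] != known_ip:
            reasons.append(f"new source IP {rec['sourceIPAddress']} (first seen from {known_ip})")
        if rec["userAgent"] != known_agent:
            reasons.append(f"new user agent {rec['userAgent']!r}")
        if reasons:
            alerts.append({"accessKeyId": key, "eventTime": rec["eventTime"],
                           "eventName": rec["eventName"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_CLOUDTRAIL):
        print(alert)
```

In production the baseline would come from the session's `AssumeRole` or `GetSessionToken` event and legitimate network changes (VPN, mobile tethering) would need tuning, but the shape of the rule is the same: a session token is bound to the workstation that minted it, and use from elsewhere should page someone.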
The Culprits
The Democratic People’s Republic of Korea (DPRK) was behind this attack, with the FBI attributing it to TraderTraitor, a subunit of the RGB 3rd Bureau. North Korean cyber threat actors increasingly focus on crypto and blockchain companies due to their high payouts and relatively low risk. In 2023, they stole $660.5 million across 20 incidents, and $1.34 billion across 47 incidents in 2024. This single incident surpassed their total 2023 thefts.
Laundering the Stolen Funds
The stolen ETH must be laundered and exchanged for usable currency, a process that is costly and involves significant friction. TraderTraitor converted 86.29% of the stolen ETH to Bitcoin (BTC) on March 20, 2025, likely because BTC is harder to trace. They used multiple intermediary wallets, decentralized exchanges, and cross-chain bridges to obscure the transaction trail. The hackers also used BTC and ETH mixers, peer-to-peer vendors, and money laundering-as-a-service provided by organized crime syndicates in China and Southeast Asia.
Strengthening Security
This incident highlights the need for improved security measures in the crypto industry. Basic cyber hygiene is often lacking, particularly among rapidly growing startups. Additional security measures such as pre-signing simulations, delayed large withdrawals, and enhanced transaction validation could have prevented this incident. Policy solutions should focus on educating industry actors about major threats and incentivizing higher security standards.
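Two of the controls named above, delayed large withdrawals and enhanced transaction validation, can be expressed as a pre-signing policy check that runs outside the web UI, so that a tampered front end cannot change what the signer actually approves. The example below is added here and is not code from the page, from Safe{Wallet} or from Bybit. It assumes a hypothetical allowlist, threshold and delay, and uses a SHA-256 digest over canonical JSON as a stand-in for the real signing hash; the `operation` field follows Safe's encoding of 0 for CALL and 1 for DELEGATECALL. Pre-signing simulation is left out because it needs an execution environment.

```python
"""Pre-signing policy checks for a multisig outbound transfer.

Added example with constructed values: the allowlist, threshold, delay and
addresses are hypothetical, and the digest is a SHA-256 stand-in for the
real signing hash rather than the actual Safe transaction hash.
"""
import hashlib
import json
from dataclasses import dataclass

# Hypothetical policy values (not Bybit's or Safe{Wallet}'s real configuration).
ALLOWED_DESTINATIONS = {"0x" + "11" * 20}       # the approved warm-wallet address
LARGE_TRANSFER_WEI = 1_000 * 10**18              # 1,000 ETH expressed in wei
LARGE_TRANSFER_DELAY_SECONDS = 24 * 60 * 60      # large transfers wait 24 hours


@dataclass(frozen=True)
class ProposedTx:
    to: str
    value_wei: int
    data: bytes
    operation: int   # 0 = CALL, 1 = DELEGATECALL (Safe's operation encoding)
    nonce: int
    queued_at: int   # unix time at which the proposal was created


def canonical_digest(tx: ProposedTx) -> str:
    """Digest over the fields that will actually be signed, computed locally.

    A signer compares this value with the digest the web UI displays; if the
    UI has been tampered with, the two will not match.
    """
    payload = json.dumps(
        {"to": tx.to.lower(), "value": tx.value_wei, "data": tx.data.hex(),
         "operation": tx.operation, "nonce": tx.nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def validate(tx: ProposedTx, ui_digest: str, now: int) -> list[str]:
    """Return policy violations; an empty list means the transfer may be signed."""
    findings = []
    if tx.to.lower() not in ALLOWED_DESTINATIONS:
        findings.append("destination is not on the allowlist")
    if tx.operation != 0:
        findings.append("operation is not a plain CALL (delegatecall rejected)")
    if tx.data:
        findings.append("calldata is non-empty for a plain ETH transfer")
    if tx.value_wei >= LARGE_TRANSFER_WEI and now - tx.queued_at < LARGE_TRANSFER_DELAY_SECONDS:
        findings.append("large transfer is still inside the mandatory delay window")
    if canonical_digest(tx) != ui_digest:
        findings.append("UI-displayed digest does not match the locally computed digest")
    return findings


def demo() -> dict[str, list[str]]:
    """Run the checks over three constructed proposals and return the findings."""
    now = 1_740_000_000  # fixed clock so the example is deterministic
    approved = "0x" + "11" * 20
    good = ProposedTx(to=approved, value_wei=500 * 10**18, data=b"",
                      operation=0, nonce=7, queued_at=now - 3600)
    # What reaches the signer differs from what the UI rendered: the destination
    # has been swapped for an unapproved address (constructed, not the real one).
    tampered = ProposedTx(to="0x" + "ee" * 20, value_wei=good.value_wei, data=b"",
                          operation=0, nonce=7, queued_at=good.queued_at)
    ui_digest = canonical_digest(good)  # the tampered UI still shows the benign digest
    # A legitimate but large transfer proposed moments ago must wait out the delay.
    rushed = ProposedTx(to=approved, value_wei=2_000 * 10**18, data=b"",
                        operation=0, nonce=8, queued_at=now)
    return {
        "good": validate(good, ui_digest, now),
        "tampered": validate(tampered, ui_digest, now),
        "rushed": validate(rushed, canonical_digest(rushed), now),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK to sign")
```

The design point is that every input to `validate` comes from a channel the front end does not control: the allowlist is configuration held by the signing organisation, the clock is the signer's own, and the digest is recomputed from the raw payload rather than read off the screen. The delay check gives the organisation a window in which a queued transfer can still be cancelled.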
The crypto industry needs clearer regulatory environments, innovative policy solutions, and formalized international partnerships to build a secure ecosystem. Information-sharing organizations like Crypto ISAC and SEAL-ISAC are working to improve incident response. The industry’s response to the Bybit heist demonstrates the value of collaboration, but faster action is still needed.
Conclusion
The $1.5 billion ETH theft from Bybit serves as a stark reminder of the evolving cyber threats in the cryptocurrency space. As the industry continues to grow, prioritizing security measures and international cooperation is crucial to mitigating such illicit activities and their potential to fund malicious programs like the DPRK’s weapons initiatives.