theblock101

    North Korea crypto hacks in 2025: The $1.5 billion Bybit heist and beyond

    By Thiên Hà, 02/03/2025
    The cryptocurrency world was shaken in February 2025 when North Korea crypto hacks reached a new peak with the unprecedented $1.5 billion theft from Bybit, a major Dubai-based exchange. Attributed to the infamous Lazarus Group, this incident—confirmed by the FBI on February 26, 2025—marks the largest crypto heist in history. As North Korea continues to exploit digital assets to fund its regime, this article dives into the details of the Bybit hack, the Lazarus Group’s tactics, and what it means for the future of cryptocurrency security.

    1. What happened in the North Korea crypto hack?

    On February 21, 2025, hackers struck Bybit during a routine transfer of over 400,000 Ethereum (ETH) and staked Ethereum (stETH) from its cold wallet to its warm wallet. The attack didn’t exploit smart contracts or infrastructure vulnerabilities as many expected. Instead, it relied on a sophisticated blend of social engineering and malware. According to blockchain analysts at Elliptic and TRM Labs, the Lazarus Group manipulated the user interfaces of Bybit employees’ multisig wallets, tricking them into authorizing a fraudulent transaction that redirected the funds to hacker-controlled addresses.

    • Timeline: The breach occurred at approximately 12:30 PM UTC, with Bybit detecting unauthorized activity within hours.

    • Scale: The $1.5 billion haul surpasses North Korea’s total reported crypto thefts of $1.3 billion in 2024, per Chainalysis.

    • Market Impact: Bitcoin dropped over 10% to below $90,000 in the days following, reflecting shaken investor confidence.

    Bybit responded swiftly, replenishing its reserves with emergency loans and launching a public bounty program offering up to $140 million for help tracing the stolen funds. As of February 27, 2025, $42.3 million (3% of the total) has been frozen, but the majority remains at large.

    2. Who are the Lazarus Group?

    The Lazarus Group, also known as "TraderTraitor," is a North Korean state-sponsored hacking collective notorious for its North Korea crypto hacks. Active since at least 2009, the group has evolved from targeting traditional financial systems—like the 2014 Sony Pictures hack—into a crypto theft powerhouse. Experts estimate they’ve stolen over $6 billion in digital assets since 2017, with funds often funneled into North Korea’s weapons programs.

    • Training: North Korean hackers begin cyber training as young as 11, mastering techniques like zero-day exploits and phishing.

    • Past Heists: Notable thefts include the $625 million Ronin Network hack (2022) and the $85 million Phemex breach (prior to 2025).

    • 2025 Milestone: The Bybit hack alone exceeds their 2024 total, showcasing their growing sophistication.

    Blockchain detective ZachXBT linked the Bybit attack to Lazarus by tracing funds through wallets previously used in Phemex, BingX, and Poloniex hacks, a finding corroborated by Elliptic and TRM Labs.
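The attribution described above rests on two routine blockchain-forensics steps: following outflows from a seed address hop by hop, and checking whether the addresses reached overlap with wallets already labelled from earlier incidents. The script below is an added illustration of that workflow, not code from the article or from any of the analysts named in it. All addresses, transfers and labels in it are constructed for the example; the `stop_at` set models the practical caveat that a high-volume intermediary such as a DEX router must not propagate taint to every unrelated counterparty.

```python
from collections import deque

# Constructed sample transfers (sender, receiver, amount in ETH). These are
# made-up addresses and values for illustration, not on-chain data.
SAMPLE_TRANSFERS = [
    ("0xseed_prior_hack", "0xhop1_a", 10_000.0),
    ("0xseed_prior_hack", "0xhop1_b", 10_000.0),
    ("0xhop1_a", "0xdex_router", 9_500.0),
    ("0xhop1_b", "0xhop2_c", 4_000.0),
    ("0xhop2_c", "0xswap_service", 3_900.0),
    ("0xclean_user", "0xdex_router", 1.5),
    ("0xdex_router", "0xclean_user", 1.4),
]

# Constructed watchlist: addresses an analyst has already labelled from earlier incidents.
PRIOR_INCIDENT_LABELS = {
    "0xhop2_c": "seen in an earlier exchange breach (constructed label)",
    "0xswap_service": "swap service used in earlier laundering (constructed label)",
}


def propagate_taint(transfers, seeds, stop_at=frozenset(), max_hops=3):
    """Breadth-first taint propagation over a transfer graph.

    Returns {address: hops_from_nearest_seed} for every address reachable from
    a seed by following outgoing transfers, within max_hops. Addresses in
    stop_at are flagged when reached but never propagate further: a DEX router
    or exchange deposit contract would otherwise taint every unrelated
    counterparty that interacts with it.
    """
    out_edges = {}
    for sender, receiver, _amount in transfers:
        out_edges.setdefault(sender, []).append(receiver)

    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if addr in stop_at or hops[addr] >= max_hops:
            continue
        for nxt in out_edges.get(addr, []):
            if nxt not in hops:  # first visit is the shortest path in BFS
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


def overlap_with_labels(hops, labels):
    """Return flagged addresses that also carry a label from an earlier incident.

    Infrastructure reuse across incidents, expressed as a set overlap, is the
    attribution signal the article describes.
    """
    return {addr: (hops[addr], labels[addr]) for addr in hops if addr in labels}


if __name__ == "__main__":
    flagged = propagate_taint(SAMPLE_TRANSFERS, ["0xseed_prior_hack"],
                              stop_at={"0xdex_router"}, max_hops=3)
    for addr, n in sorted(flagged.items(), key=lambda kv: kv[1]):
        print(f"{addr:<20} {n} hop(s) from seed")
    print("overlap with prior labels:", overlap_with_labels(flagged, PRIOR_INCIDENT_LABELS))
```

Running it without `stop_at` shows why the cut-off matters: `0xclean_user` only interacts with the router, yet naive propagation flags it at three hops.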

    3. How did North Korea pull off the biggest crypto heist?

    Unlike typical hacks, the Bybit breach didn’t involve brute-force attacks on blockchain protocols. Here’s how it unfolded:

    • Initial Breach: Hackers likely used phishing emails to compromise the device of a developer at SafeWallet, the multisig platform Bybit relied on for secure transactions.

    • Malware Deployment: Malicious code altered the smart contract logic and masked the signing interface, displaying legitimate-looking transaction details to employees.

    • Execution: During the wallet transfer, the attackers intercepted and redirected the funds to 50 wallets, each holding roughly 10,000 ETH.

    • Laundering: The stolen Ethereum was layered through decentralized exchanges and anonymizing services like eXch, converting portions into Bitcoin to obscure the trail.

    Elliptic noted that Lazarus’s laundering techniques are among the most advanced globally, adapting rapidly to evade detection. Arkham Intelligence observed manual transaction patterns, suggesting human oversight rather than full automation—hinting at the group’s meticulous approach.
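The core of the attack flow above is that signers approved what a compromised interface displayed rather than what the raw payload contained. The defensive counterpart is to verify the payload against an intent recorded out of band before signing. The script below is an added example, not code from the article, Bybit or any wallet vendor: it decodes the calldata of a standard ERC-20 `transfer(address,uint256)` (selector `a9059cbb`), compares recipient, amount, target contract and operation type with the recorded intent, and refuses anything that does not match. The `operation` field and its value `0` meaning a plain call are assumptions for the example, as are all addresses and amounts.

```python
from dataclasses import dataclass

# Standard ERC-20 selector: first 4 bytes of keccak256("transfer(address,uint256)").
ERC20_TRANSFER_SELECTOR = "a9059cbb"
OP_CALL = 0  # assumption for this example: 0 is a plain call; anything else is rejected


@dataclass(frozen=True)
class TransferIntent:
    """What the operator meant to approve, recorded out of band (e.g. in the transfer ticket)."""
    token: str        # token contract to call, or "" for a native ETH transfer
    recipient: str
    amount_wei: int


def encode_erc20_transfer(recipient, amount_wei):
    """Build transfer(address,uint256) calldata; used here only to construct sample payloads."""
    addr = recipient.lower().removeprefix("0x").rjust(64, "0")
    amt = format(amount_wei, "x").rjust(64, "0")
    return "0x" + ERC20_TRANSFER_SELECTOR + addr + amt


def decode_erc20_transfer(data_hex):
    """Return (recipient, amount_wei) for ERC-20 transfer calldata, or None for anything else."""
    data = data_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[8 + 24:8 + 64]  # address is right-aligned in a 32-byte word
    amount_wei = int(data[72:136], 16)
    return recipient, amount_wei


def verify_against_intent(tx, intent):
    """Compare the raw multisig payload with the recorded intent; return a list of mismatches.

    An empty list means the payload matches what was intended. Any non-empty
    list means refuse to sign, whatever the wallet UI renders.
    """
    problems = []
    if tx["operation"] != OP_CALL:
        problems.append(f"operation={tx['operation']} is not a plain call")
    if intent.token == "":
        if tx["data"].lower() not in ("", "0x"):
            problems.append("native transfer should carry no calldata")
        if tx["to"].lower() != intent.recipient.lower():
            problems.append(f"recipient {tx['to']} != intended {intent.recipient}")
        if tx["value"] != intent.amount_wei:
            problems.append(f"value {tx['value']} != intended {intent.amount_wei}")
    else:
        if tx["to"].lower() != intent.token.lower():
            problems.append(f"target {tx['to']} is not the intended token contract {intent.token}")
        if tx["value"] != 0:
            problems.append("token transfer should not carry native value")
        decoded = decode_erc20_transfer(tx["data"])
        if decoded is None:
            problems.append("calldata is not an ERC-20 transfer(address,uint256)")
        else:
            recipient, amount_wei = decoded
            if recipient != intent.recipient.lower():
                problems.append(f"calldata recipient {recipient} != intended {intent.recipient}")
            if amount_wei != intent.amount_wei:
                problems.append(f"calldata amount {amount_wei} != intended {intent.amount_wei}")
    return problems


# Constructed sample data: made-up addresses, not the real exchange or attacker addresses.
TOKEN = "0x" + "aa" * 20
WARM_WALLET = "0x" + "11" * 20
OTHER_ADDRESS = "0x" + "22" * 20
INTENT = TransferIntent(token=TOKEN, recipient=WARM_WALLET, amount_wei=10_000 * 10**18)

# Payload that matches the intent.
GOOD_TX = {"to": TOKEN, "value": 0, "operation": OP_CALL,
           "data": encode_erc20_transfer(WARM_WALLET, INTENT.amount_wei)}
# Payload whose calldata points elsewhere while a tampered UI could still render WARM_WALLET.
BAD_RECIPIENT_TX = {**GOOD_TX, "data": encode_erc20_transfer(OTHER_ADDRESS, INTENT.amount_wei)}
# Payload that is not a plain call at all.
BAD_OPERATION_TX = {**GOOD_TX, "operation": 1}

if __name__ == "__main__":
    for name, tx in [("good", GOOD_TX), ("bad recipient", BAD_RECIPIENT_TX),
                     ("bad operation", BAD_OPERATION_TX)]:
        print(name, "->", verify_against_intent(tx, INTENT) or "OK, matches intent")
```

The check is only as strong as the channel it runs on: it has to run on a machine or hardware device independent of the browser session that rendered the transaction, otherwise the same malware that masks the interface can feed it the same forged fields.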

    4. The broader impact of North Korea Crypto hacks

    The Bybit heist isn’t an isolated incident but part of a broader trend. North Korea-linked groups like Lazarus and Kimsuky accounted for one in five crypto hacks in 2024, per Chainalysis. In 2025, their dominance continues, raising alarms across the industry.

    • Funding the Regime: Stolen crypto fuels North Korea’s ballistic missile and nuclear programs, bypassing sanctions. Kim Jong Un’s recent push to expand nuclear capabilities (reported weeks before the hack) aligns with this uptick in cyber theft.

    • Security Wake-Up Call: The attack exposed vulnerabilities in multisig wallet systems and employee training, prompting calls for stronger safeguards.

    • Market Volatility: The $1.5 billion loss triggered a crypto market dip, underscoring the systemic risks of such breaches.

    Bybit’s CEO, Ben Zhou, declared a “war on Lazarus,” launching lazarusbounty.com to crowdsource efforts to track over 6,000 associated wallet addresses. The exchange’s transparency and rapid response have been praised, but recovering the full amount remains a long shot given Lazarus’s laundering expertise.

    5. Conclusion

    North Korea crypto hacks like the Bybit heist highlight the intersection of geopolitics and digital finance. With the Lazarus Group at the helm, these attacks are more than just theft—they’re a lifeline for a sanctioned regime. As the crypto industry grapples with this $1.5 billion loss, enhancing security and collaboration will be critical to combat this growing threat. Stay vigilant, and explore trusted communities to navigate this evolving landscape safely.
