FBI has confirmed that North Korean hackers stole $1.5 billion from cryptocurrency exchange Bybit on Friday in the largest crypto heist recorded until now.

"The Federal Bureau of Investigation (FBI) is releasing this PSA to advise the Democratic People's Republic of Korea (North Korea) was responsible for the theft of approximately $1.5 billion USD in virtual assets from cryptocurrency exchange, Bybit, on or about February 21, 2025," the FBI said in a Public Service Announcement issued on Wednesday.

The state-sponsored hacking group (tracked as TraderTraitor, Lazarus Group, and APT38) intercepted a scheduled transfer of funds from one of Bybit's cold wallets into a hot wallet, subsequently redirecting the cryptocurrency to a blockchain address under their control.

On Wednesday, the FBI encouraged RPC node operators, exchanges, bridges, DeFi services, blockchain analytics firms, and other cryptocurrency service providers to block transactions originating from addresses used by North Korean hackers to launder the stolen assets.

The U.S. federal law enforcement agency also shared 51 Ethereum addresses of those who held or still hold cryptocurrency stolen from Bybit on Friday and were linked to the Lazarus hackers.

Since the incident, crypto fraud investigator ZachXBT discovered multiple links to the infamous North Korean threat group after the attackers sent some of the stolen Bybit funds to an Ethereum address used in the Phemex, BingX, and Poloniex hacks previously linked to Lazarus Group hackers.

On Wednesday, Bybit CEO Ben Zhou also shared two preliminary post-mortems of the incident from cybersecurity company Sygnia and finance security firm Verichains, which found that the attack originated from infrastructure operated by multisig wallet platform Safe{Wallet}.

The Safe Ecosystem Foundation confirmed their findings, revealing the attack was conducted by first hacking into a Safe{Wallet} developer machine, which provided the North Korean hackers access to an account operated by Bybit.

"The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeting the Bybit Safe was achieved through a compromised Safe{Wallet} developer machine resulting in the proposal of a disguised malicious transaction," Safe said.
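The FBI's request above amounts to a screening control: a service provider compares the sender and recipient of each transfer against a published list of addresses and blocks matches. The following is an added example of such a screen, not code from the article, the FBI or any of the companies named; the denylist entries and transfer records are constructed placeholders (the 51 addresses the FBI shared are not reproduced here). Beyond the plain lookup, it normalizes addresses so that EIP-55 checksummed and lowercase spellings of the same address match, rejects malformed records rather than silently allowing them, and keeps a one-hop watchlist of addresses that received funds from a listed address in the batch, the same kind of link the article describes ZachXBT following.

```python
"""Screen Ethereum transfers against an address denylist (added example).

The addresses and records below are CONSTRUCTED placeholders, not the
FBI's published list and not real Bybit-related transactions.
"""
import json
import re

# Constructed placeholder denylist; one entry is in EIP-55 mixed case.
DENYLIST_RAW = [
    "0x1111111111111111111111111111111111111111",
    "0xAbCdEf0000000000000000000000000000000002",
]

# Constructed JSON-lines transfer records; the last one is malformed.
SAMPLE_TXS = [
    '{"hash": "0xaa01", "from": "0x1111111111111111111111111111111111111111", '
    '"to": "0x3333333333333333333333333333333333333333", "value": "10"}',
    '{"hash": "0xaa02", "from": "0x4444444444444444444444444444444444444444", '
    '"to": "0xabcdef0000000000000000000000000000000002", "value": "5"}',
    '{"hash": "0xaa03", "from": "0x4444444444444444444444444444444444444444", '
    '"to": "0x5555555555555555555555555555555555555555", "value": "1"}',
    '{"hash": "0xaa04", "from": "0x4444", '
    '"to": "0x5555555555555555555555555555555555555555", "value": "1"}',
]

_ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Return the canonical lowercase form of a 20-byte hex address.

    A checksummed (mixed-case) and a lowercase spelling denote the same
    account, so comparing raw strings would let a casing change slip
    past the list.  Anything that is not 0x + 40 hex digits is rejected.
    """
    addr = addr.strip()
    if not _ADDR_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def build_denylist(raw_addresses) -> frozenset:
    """Normalize every listed address once, up front."""
    return frozenset(normalize(a) for a in raw_addresses)


def screen(tx_lines, denylist):
    """Screen JSON-lines transfer records against the denylist.

    Returns (decisions, watchlist).  Each decision carries the record's
    hash, an action of 'block', 'allow' or 'reject' (unparseable record)
    and a reason.  The watchlist holds addresses that received funds
    from a listed address within this batch: candidates for analyst
    review, not automatic blocking.
    """
    decisions = []
    watchlist = set()
    for line in tx_lines:
        rec = {}
        try:
            rec = json.loads(line)
            src = normalize(rec["from"])
            dst = normalize(rec["to"])
        except (KeyError, TypeError, ValueError) as exc:
            tx_hash = rec.get("hash") if isinstance(rec, dict) else None
            decisions.append({"hash": tx_hash, "action": "reject", "reason": str(exc)})
            continue
        if src in denylist:
            action, reason = "block", "sender_listed"
            if dst not in denylist:
                watchlist.add(dst)  # one hop downstream of a listed address
        elif dst in denylist:
            action, reason = "block", "recipient_listed"
        else:
            action, reason = "allow", ""
        decisions.append({"hash": rec["hash"], "action": action, "reason": reason})
    return decisions, watchlist


if __name__ == "__main__":
    results, watch = screen(SAMPLE_TXS, build_denylist(DENYLIST_RAW))
    for d in results:
        print(d)
    print("watchlist:", sorted(watch))
```

Rejecting malformed records is deliberate: a screen that treats an unparseable sender as "not listed" fails open. The watchlist is kept separate from the block decision because a first-hop recipient may be an innocent counterparty; it is the input to review, not a verdict.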
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 27 Feb 2025 07:25:25 +0000