ByBit Hack: How North Korea Stole $1.5 Billion in Crypto



On February 21, 2025, one of the biggest cryptocurrency exchanges in the world, Bybit, was hit by a cyberattack that stole $1.5 billion in Ethereum. It wasn’t just a glitch or a lucky phishing attempt. This was a state-backed operation, meticulously planned, and executed by North Korea’s most advanced hacking unit: TraderTraitor. The heist didn’t just break records; it shattered assumptions about what’s secure in crypto.

How a Cold Wallet Got Hacked

Cold wallets are supposed to be the gold standard for crypto security. They’re offline, disconnected from the internet, and protected by multi-signature systems that require multiple keys to move funds. Bybit used them. So did most top exchanges. But TraderTraitor didn’t need to break in through the front door. They found the back door.

Experts from TRM Labs believe the attack came from one of three sources: a supply chain compromise, an insider with access to private keys, or a flaw in how the multi-signature system was configured. The hackers didn’t brute-force their way in. They didn’t use malware. They didn’t trick employees with fake emails. They exploited a structural weakness, something buried deep in the exchange’s security architecture that no one had noticed.

Once they had the keys, they moved fast. Within hours, the stolen Ethereum was sent through cross-chain bridges to Binance Smart Chain, Solana, and other networks. Then, it was converted into Bitcoin. Why Bitcoin? Because it’s harder to trace at scale. Bitcoin’s network is older, more liquid, and has more OTC (over-the-counter) channels where large sums can be swapped without leaving digital footprints.

TraderTraitor: North Korea’s New Cyber Weapon

TraderTraitor isn’t a name you’ll find in old news reports. It’s a new designation from the FBI, created specifically for this operation. It’s a subunit of the Lazarus Group, which itself is part of North Korea’s Reconnaissance General Bureau, the country’s shadowy intelligence arm. For years, Lazarus has been stealing crypto through phishing and malware. But TraderTraitor is different.

Since at least 2022, this group has shifted from random attacks to precision strikes. They’ve targeted cloud providers, software vendors, and even development platforms like JumpCloud. Their goal isn’t just money; it’s funding North Korea’s nuclear program. In 2024, the UN estimated that half of the DPRK’s foreign currency came from cybercrime. This $1.5 billion theft alone was more than the total stolen in all of 2023.

What makes TraderTraitor dangerous isn’t just the amount. It’s the speed. They don’t use mixers like Tornado Cash anymore; those are now tracked and blocked. Instead, they flood the system. Thousands of tiny transactions across dozens of blockchains. Automated. Fast. Designed to overwhelm analysts and make tracing impossible.

The Ripple Effect Across Crypto

After the hack, blockchain analytics firms like TRM Labs sprang into action. They tagged every address connected to the theft under the label “Bybit Exploiter Feb 2025.” Exchanges were asked to freeze those addresses. RPC node operators were instructed to block transactions. The FBI released a public list of compromised wallet addresses, something they rarely do. This wasn’t just a security alert. It was a national security notice.

But the damage went beyond wallets. It hit trust. Investors started asking: If even Bybit’s cold wallets could be breached, what’s safe? Decentralized exchanges? Self-custody wallets? The answer, for now, is nothing is foolproof. The attack proved that state-level hackers can bypass even the most advanced security layers if they have enough time, resources, and patience.

Major exchanges have since upgraded their key management systems. Some now use hardware security modules (HSMs) with geographically distributed key shards. Others are moving to threshold signatures, where no single person holds a full key. But these fixes take months. And TraderTraitor is already moving on.
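The threshold property described above (no single person, device or location holds a full key, whether the setup is 2-of-3 as suggested later in this article or a larger k-of-n) is easiest to see with Shamir secret sharing. The block below is an added example, not code from Bybit, TRM Labs or any wallet vendor: it splits a private-key-sized integer into n shares over a prime field and shows that any k of them recover it while fewer than k reveal nothing useful. The field modulus is the secp256k1 group order so that shares are the same size as a signing key; that choice, the function names and the sample key are assumptions of this example. Note that production threshold-signature (MPC/TSS) systems never reconstruct the full key on any machine; the reconstruction here only demonstrates the threshold.

```python
"""Added example: k-of-n key sharding with Shamir secret sharing.

Not Bybit's or any vendor's code. Reconstructing the key as done here is
for illustration only; real TSS/MPC signing keeps the key split forever.
"""
import secrets
from typing import List, Tuple

# secp256k1 group order. Ethereum/Bitcoin private keys are integers in
# [1, N-1], so sharing modulo N keeps each share the size of a key.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

Share = Tuple[int, int]  # (x, y) point on the sharing polynomial


def split_key(key: int, threshold: int, n_shares: int) -> List[Share]:
    """Split `key` into n_shares points of a random degree-(threshold-1)
    polynomial whose constant term is the key. Any `threshold` points
    determine the polynomial; fewer leave every key value equally likely."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 < key < N:
        raise ValueError("key must be in [1, N-1]")
    # Random higher-order coefficients; the constant term is the secret.
    coeffs = [key] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n_shares + 1):  # x = 0 is never handed out: f(0) = key
        y = 0
        for c in reversed(coeffs):    # Horner evaluation of f(x) mod N
            y = (y * x + c) % N
        shares.append((x, y))
    return shares


def recover_key(shares: List[Share]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.
    With at least `threshold` distinct shares this returns the key; with
    fewer it returns an unrelated field element."""
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % N        # product of (0 - x_j)
                den = (den * (xi - xj)) % N    # product of (x_i - x_j)
        key = (key + yi * num * pow(den, -1, N)) % N
    return key


if __name__ == "__main__":
    # Constructed sample key for the demo (not a real key).
    demo_key = secrets.randbelow(N - 1) + 1
    shares = split_key(demo_key, threshold=2, n_shares=3)   # the 2-of-3 setup
    print("any two shares recover the key:",
          all(recover_key([a, b]) == demo_key
              for a, b in [(shares[0], shares[1]),
                           (shares[0], shares[2]),
                           (shares[1], shares[2])]))
    print("one share alone recovers the key:",
          recover_key([shares[0]]) == demo_key)
```

Distributing the three shares across separate hardware devices in separate locations is what gives the "geographically distributed key shards" their value: an insider or a compromised host at one site holds a point on a random line and learns nothing about the key.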


Why Crypto Exchanges Are Prime Targets

North Korea doesn’t target banks because they’re too heavily guarded. They don’t hack credit card networks because the fraud detection systems are too advanced. But crypto exchanges? They’re different. They handle billions in digital assets. They’re often underfunded in security. Many still rely on outdated tools. And unlike banks, they don’t have government-backed insurance.

The math is simple for Pyongyang: steal $1.5 billion from an exchange, and you get enough hard currency to fund a year’s worth of missile tests. The return on investment is unmatched. And with fewer global regulations, fewer audits, and less accountability, crypto remains the easiest way to move stolen money without getting caught.

The Bybit hack didn’t come out of nowhere. It was the result of years of refinement. Each previous heist ($200 million from Ronin Bridge, $625 million from Harmony Horizon) taught them something. They learned how to bypass multi-sig, how to exploit bridge vulnerabilities, how to hide in plain sight.

What Comes Next?

The industry is scrambling. Exchanges are hiring former intelligence officers. Regulators are pushing for mandatory security audits. The U.S. Treasury is considering sanctions on any exchange that doesn’t block known stolen funds. But North Korea isn’t waiting. They’re already planning the next one.

The real question isn’t whether another $1 billion heist will happen. It’s when. And who will be next.


How to Protect Your Crypto After a Hack Like This

If you hold crypto, here’s what you should do right now:

  • Use a hardware wallet like Ledger or Trezor for large holdings. Never leave funds on an exchange long-term.
  • Enable multi-signature on your own wallets, even if it’s just 2-of-3 keys split between devices.
  • Check if your exchange publishes proof of reserves. If they don’t, move your assets.
  • Don’t use centralized bridges. Use direct, audited protocols like LayerZero or Synapse only if you understand the risks.
  • Monitor blockchain analytics tools like TRM Labs or Chainalysis for alerts on known stolen addresses.
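The last item above, and the earlier passage on analytics firms tagging addresses under “Bybit Exploiter Feb 2025” and asking exchanges and RPC operators to freeze or block them, come down to one defensive control: screening every transaction against a published list of tagged addresses. The block below is an added example of that screening, not TRM Labs', Chainalysis' or any exchange's code. It normalises Ethereum addresses so checksummed and lowercase spellings match, flags transactions touching a tagged address, and optionally propagates the tag a configurable number of hops forward along direct transfers, which is the simplest form of the clustering analysts use to follow funds. Every address and transaction hash in it is a constructed placeholder; the label string is the one quoted in the article.

```python
"""Added example: screening transactions against tagged (stolen-funds) addresses.

Not the code of any analytics firm or exchange. All addresses and hashes are
constructed placeholders, not real Bybit-exploit addresses.
"""
import re
from typing import Dict, List, Tuple

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def is_valid_address(addr: str) -> bool:
    """Syntactic check: 0x prefix followed by 40 hex digits."""
    return bool(HEX_ADDR.match(addr.strip()))


def normalize(addr: str) -> str:
    """Canonical lower-case form so EIP-55 checksummed and lowercase
    spellings of the same address compare equal in the denylist."""
    addr = addr.strip()
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return addr.lower()


# Constructed denylist: address -> label, as an exchange would load from a
# published list of exploit addresses. (Placeholders, not real addresses.)
TAGGED: Dict[str, str] = {
    normalize("0x" + "a1" * 20): "Bybit Exploiter Feb 2025",
    normalize("0x" + "b2" * 20): "Bybit Exploiter Feb 2025",
}

# Constructed sample transfers. tx 0x01 uses an upper-case spelling of a
# tagged address to show that normalisation still catches it.
SAMPLE_TXS: List[dict] = [
    {"hash": "0x01", "from": "0x" + "A1" * 20, "to": "0x" + "c3" * 20},
    {"hash": "0x02", "from": "0x" + "c3" * 20, "to": "0x" + "d4" * 20},
    {"hash": "0x03", "from": "0x" + "e5" * 20, "to": "0x" + "d4" * 20},
    {"hash": "0x04", "from": "0x" + "e5" * 20, "to": "0x" + "b2" * 20},
]


def screen(txs: List[dict], tagged: Dict[str, str], hops: int = 1) -> List[dict]:
    """Return one alert per (transaction, role) where the address is tagged.

    `hops` controls forward propagation: an address that received directly
    from a tagged address inherits the label at distance 1, its recipients
    at distance 2, and so on. hops=0 screens against the raw list only.
    """
    # address -> (base label, distance from a listed address)
    tags: Dict[str, Tuple[str, int]] = {a: (lbl, 0) for a, lbl in tagged.items()}
    for _ in range(hops):
        new: Dict[str, Tuple[str, int]] = {}
        for tx in txs:
            src, dst = normalize(tx["from"]), normalize(tx["to"])
            if src in tags and dst not in tags and dst not in new:
                base, dist = tags[src]
                new[dst] = (base, dist + 1)
        if not new:
            break          # nothing new reached at this distance
        tags.update(new)   # apply after the pass so one loop == one hop

    alerts = []
    for tx in txs:
        for role in ("from", "to"):
            addr = normalize(tx[role])
            if addr in tags:
                base, dist = tags[addr]
                alerts.append({"tx": tx["hash"], "role": role, "address": addr,
                               "label": base, "hops": dist})
    return alerts


if __name__ == "__main__":
    for alert in screen(SAMPLE_TXS, TAGGED, hops=1):
        print(alert)
```

An exchange would run `screen` on every inbound deposit and outbound withdrawal and hold anything flagged for review; an RPC operator would apply the same check before relaying. The hop count is a policy knob: a higher value catches more laundering paths but also sweeps in innocent counterparties, which is exactly the trade-off analysts manage by hand when the attacker, as the article describes, scatters funds across thousands of tiny transactions.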

Most importantly: assume every exchange can be hacked. Your keys, your coins. If you don’t control the private keys, you don’t own the crypto.

Why This Changes Everything

This wasn’t just a theft. It was a warning. North Korea proved that a small, isolated country with limited resources can outmaneuver the world’s most sophisticated financial platforms. They didn’t need zero-day exploits or quantum computers. They just needed patience, persistence, and a clear goal: fund a nuclear arsenal.

The crypto industry thought it was decentralized. It thought it was secure. But when a nation-state decides to steal from you, the rules change. And now, everyone has to play by them.

  1. Abhishek Bansal

    lol so now we're blaming North Korea again? Next they'll say aliens stole it. Crypto's a house of cards and everyone knew it.
