Bybit Hack — February 2025 Post-Mortem (Aggregated)
Overview
The FBI confirmed that North Korea was responsible for the theft of approximately $1.5 billion USD in virtual assets from cryptocurrency exchange Bybit on or about February 21, 2025. Valued at roughly $1.4 to $1.5 billion (about 401,000 ETH) depending on the ETH price used, it is the largest theft in the history of the crypto industry.
Attack Method
The theft of an estimated $1.4 billion in tokens from Bybit's ETH multisig cold wallet began with a social engineering attack, but the wallet's keys were never stolen: the attackers compromised the Safe{Wallet} web front end that Bybit used to operate the wallet, so that Bybit's own signers approved a transaction they did not intend. The attack involved multiple layers:
• Earlier in February 2025, a developer for Safe{Wallet} fell for a social engineering attack, and his workstation was compromised by malicious actors.
• These threat actors stole AWS session tokens and, by hijacking active tokens, bypassed MFA controls and gained access to Safe{Wallet}'s AWS account.
• With access to Safe{Wallet}'s AWS environment, they injected malicious JavaScript into the Safe{Wallet} web front end in place of the benign code. The injected code activated only for Bybit's Safe contract and altered the transaction parameters passed to the signers: instead of the intended ETH transfer, the signed payload performed a delegatecall into an attacker-controlled contract that replaced the Safe's implementation, handing control of the wallet's funds to addresses controlled by North Korean operatives.
• When Bybit employees went to approve and sign a routine transfer from the cold wallet to a warm wallet, the UI showed a legitimate-looking transaction with the intended destination, so the required signers approved a payload that differed from what was displayed. Only after the funds had been moved to the attacker-controlled addresses set by the malicious code did Bybit employees realize something was amiss.
Attribution
The FBI refers to this specific North Korean malicious cyber activity as "TraderTraitor." The theft has been attributed to Lazarus Group, a North Korean state-sponsored hacking group. The North Korean government routinely uses Lazarus Group for large-scale cryptocurrency thefts that generate funds for the country's nuclear and ballistic missile program.
Response and Recovery
TraderTraitor actors moved rapidly, converting some of the stolen assets to Bitcoin and other virtual assets and dispersing them across thousands of addresses on multiple blockchains. The FBI expects these assets to be further laundered and eventually converted to fiat currency.
Bybit launched a recovery bounty program, offering up to 10% of the recovered amount to individuals who assist in retrieving the stolen crypto.