RingLedger

ByBit Hack: How North Korea Stole $1.5 Billion in Crypto

Jan, 15 2026

  • By: Tamsin Quellary
  • Cryptocurrency

On February 21, 2025, one of the biggest crypto exchanges in the world, Bybit, got hit by the largest cryptocurrency heist in history. Hackers linked to North Korea walked away with $1.5 billion in Ethereum. Not just any hackers: state-sponsored cyber operatives from a secretive unit called TraderTraitor, part of North Korea’s Reconnaissance General Bureau. This wasn’t a random break-in. It was a precision strike on the heart of crypto security: a cold wallet.

How They Broke Into a Cold Wallet

Cold wallets are supposed to be unbreakable. They’re stored offline, disconnected from the internet, shielded from remote attacks. Bybit used multi-signature cold wallets, meaning you needed multiple private keys to move funds. It’s the gold standard. So how did they get in?

The answer isn’t simple. Investigators from TRM Labs and the FBI believe one of three things happened: a supply chain attack, an insider leak, or a private key compromise so advanced it bypassed all protections. The hackers didn’t brute-force their way in. They didn’t use phishing emails or malware. They slipped in quietly, maybe through a compromised software update, a trusted employee, or a zero-day exploit in the wallet’s signing system.

Once inside, they moved fast. Within minutes, they transferred the entire $1.5 billion out of Bybit’s vaults. The stolen Ethereum didn’t sit still. It flowed through Binance Smart Chain, Solana, and other blockchains, each transfer designed to muddy the trail. By the time the trail cooled, most of it had been converted into Bitcoin, which is harder to trace and easier to move across borders.

The TraderTraitor Unit: North Korea’s Crypto Hit Squad

This wasn’t the first time North Korea stole crypto. In 2024 alone, they pulled off 47 separate thefts totaling $800 million. But TraderTraitor is different. It’s not part of the old-school Lazarus Group that used to spam phishing links. This unit is specialized, well-funded, and focused on one thing: stealing crypto at scale.

They’ve been active since at least 2022. Previous targets include JumpCloud, a cloud identity provider, and other software platforms. Their specialty? Supply chain compromises. Instead of attacking the end user, they infect the tools developers use (updates, libraries, APIs) and wait for the vulnerability to spread. It’s like poisoning the water supply instead of breaking into houses.

The FBI named this operation “TraderTraitor” to isolate it from other North Korean hacking groups. That’s rare. It means they’re treating this like a national security threat, not just a financial crime.

Why Cold Wallets Failed

The biggest shock wasn’t the amount stolen. It was how they stole it. Cold wallets were the last line of defense. If they can be breached, what’s safe?

The truth is, cold wallets aren’t magic. They’re only as secure as the people managing them. If a key is ever exposed, even once, during a signature request, or if a hardware device is tampered with during manufacturing, the whole system collapses. Bybit’s setup was strong on paper. But no system is foolproof against a well-resourced, patient state actor.

This attack exposed a blind spot: exchanges rely on human processes to manage keys. A single person, under pressure, with the wrong access, can become the weakest link. And North Korea doesn’t need to hack thousands of users. They just need to get one.

[Image: An employee holds a poisoned software update while ghostly hackers drain a crypto vault.]

How the Stolen Money Moved

After stealing the Ethereum, the hackers didn’t cash out. They didn’t go to a shady exchange. Instead, they used a flood-the-zone strategy.

They split the funds across thousands of addresses. They used cross-chain bridges to move money between Ethereum, Solana, BSC, and others. They mixed transactions with legitimate ones. They sent small amounts to dozens of wallets, then aggregated them later. It wasn’t about hiding; it was about overwhelming.

TRM Labs tracked every move and tagged the addresses as “Bybit Exploiter Feb 2025.” They published the list. The FBI asked exchanges, DeFi platforms, and node operators to block transactions from those addresses. Some did. Others didn’t. That’s the problem: there’s no global enforcement.

Most of the Bitcoin converted from the stolen Ethereum is still sitting in a few dozen wallets. Not moving. Not spending. Why? They’re waiting. For the right buyer. For a quiet OTC trade. For a time when no one’s watching.
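The two defensive checks this section implies, screening transfers against a published exploiter list and spotting the split-then-aggregate pattern, as an added example that is not part of the original post or of TRM Labs’ or the FBI’s tooling (it also covers the "monitor outbound transactions" advice later in the post). The flagged addresses, thresholds and sample transfers are constructed; `burst` generalizes the pattern so one sliding-window routine finds both the fan-out (splitting) and fan-in (re-aggregation) stages.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed stand-in for a published exploiter address list (not real addresses).
FLAGGED = {"0x" + "a1" * 20, "0x" + "B2" * 20}


@dataclass(frozen=True)
class Transfer:
    ts: int          # unix seconds
    sender: str
    recipient: str
    amount: float    # ETH


def normalize(addr: str) -> str:
    """Validate and lower-case a hex address so a mixed-case copy of a flagged address still matches."""
    addr = addr.strip()
    if not HEX_ADDR.match(addr):
        raise ValueError(f"malformed address: {addr!r}")
    return addr.lower()


FLAGGED_NORM = {normalize(a) for a in FLAGGED}


def screen(tx: Transfer, flagged=FLAGGED_NORM) -> list[str]:
    """Reasons to hold a transfer before broadcast; an empty list means no list match."""
    reasons = []
    if normalize(tx.sender) in flagged:
        reasons.append("sender on flagged list")
    if normalize(tx.recipient) in flagged:
        reasons.append("recipient on flagged list")
    return reasons


def burst(txs, key: str, other: str, window: int = 600, min_distinct: int = 10) -> dict:
    """Addresses in field `key` touching >= min_distinct distinct `other` addresses within `window`
    seconds. key="sender" finds fan-out (splitting); key="recipient" finds fan-in (aggregation)."""
    groups = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t.ts):
        groups[normalize(getattr(tx, key))].append(tx)
    hits = {}
    for addr, items in groups.items():
        start = 0
        for end in range(len(items)):
            while items[end].ts - items[start].ts > window:
                start += 1            # slide the window forward past stale transfers
            seen = {normalize(getattr(t, other)) for t in items[start:end + 1]}
            if len(seen) >= min_distinct:
                hits[addr] = max(hits.get(addr, 0), len(seen))
    return hits
```

Both checks are cheap enough to run on every outbound transfer before it is signed, which is the point at which a hold still prevents loss.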

Why This Matters Beyond Crypto

This isn’t just about crypto losses. It’s about nuclear weapons.

A United Nations report confirmed that North Korea uses cyber theft to fund its military programs. About half of its foreign currency income now comes from hacking. That $1.5 billion? It could buy hundreds of missiles. Or enrich enough uranium for a dozen warheads.

The Biden administration called this “a direct threat to global security.” Not “a bad day for Bybit.” Not “a market dip.” A national security crisis.

Crypto exchanges are now targets on par with banks, power grids, and defense contractors. And unlike banks, most crypto platforms don’t have federal regulators breathing down their necks. They’re underfunded, understaffed, and overconfident in their tech.

What’s Changed Since the Hack

In the weeks after the attack, the crypto world scrambled.

- TRM Labs and Chainalysis rolled out real-time monitoring for flagged addresses.

- Major exchanges updated their key management protocols, adding mandatory hardware security modules and human approval delays.

- The FBI started sharing threat intel directly with private companies, not through slow government channels but via encrypted, real-time feeds.

- Some exchanges began requiring multi-person physical access for any key usage, even for small transfers.

But the big question remains: Can you really stop a nation-state that has nothing to lose?

[Image: A nuclear missile rises from stolen Bitcoin as analysts chase keys through blockchain bridges.]

What You Can Do

If you’re a regular crypto user, this hack doesn’t change much. Your small holdings aren’t the target. But if you run a business, manage funds, or work at an exchange, here’s what you need to do:

  • Never store keys on internet-connected devices, even if they’re encrypted.
  • Require at least three human approvals for any large transfer, with physical presence or biometric verification.
  • Use hardware security modules (HSMs) that are air-gapped and tamper-resistant.
  • Monitor all outbound transactions against public lists of known stolen addresses.
  • Train staff to recognize supply chain risks: updates, plugins, and third-party APIs are not safe.
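The approval rule above (three humans, verified presence) combined with the mandatory approval delay mentioned earlier, as an added example that is not part of the original post or of any exchange’s real policy engine. The threshold, delay and approver names are constructed; the point is the edge cases a release check has to refuse: self-approval, the same person approving twice, remote click-through approvals, and approvals recorded before the request existed.

```python
from dataclasses import dataclass, field

# Policy values are constructed for this example, not Bybit's or any real exchange's settings.
LARGE_TRANSFER_ETH = 100.0      # above this amount the strict path applies
REQUIRED_APPROVERS = 3          # distinct humans, none of them the requester
MIN_DELAY_SECONDS = 4 * 3600    # mandatory cooling-off before signing may start
PRESENCE_METHODS = {"physical", "biometric"}


@dataclass(frozen=True)
class Approval:
    approver: str
    ts: int          # unix seconds
    method: str      # how presence was verified: "physical", "biometric" or "remote"


@dataclass
class TransferRequest:
    requester: str
    amount_eth: float
    created_ts: int
    approvals: list = field(default_factory=list)


def release_decision(req: TransferRequest, now: int) -> tuple[bool, list[str]]:
    """Decide whether the signing ceremony may start. Returns (allowed, blocking_reasons)."""
    problems = []
    if req.amount_eth <= LARGE_TRANSFER_ETH:
        return True, problems           # small transfers follow the ordinary path
    if now - req.created_ts < MIN_DELAY_SECONDS:
        problems.append("mandatory delay not elapsed")
    valid = {}
    for a in req.approvals:
        if a.approver == req.requester:
            continue                    # the requester cannot approve their own transfer
        if a.method not in PRESENCE_METHODS:
            continue                    # remote click-through approvals do not count
        if a.ts < req.created_ts:
            continue                    # an approval must postdate the request it covers
        valid[a.approver] = a           # one vote per distinct human, however many times they click
    if len(valid) < REQUIRED_APPROVERS:
        problems.append(f"{len(valid)} valid approvals, need {REQUIRED_APPROVERS}")
    return not problems, problems
```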

The Bigger Picture

North Korea isn’t going to stop. Their economy is crumbling. Sanctions are biting. And crypto is their lifeline.

This hack proves they’ve moved beyond crude attacks. They’re now operating like elite military units, with budgets, training, and patience. They don’t need to steal from millions. One big win is enough.

The next target? Maybe Coinbase. Or Kraken. Or a major DeFi protocol with weak key controls. Or a wallet provider that outsources its security to a vendor in a country with lax cyber laws.

The rules of the game have changed. Crypto isn’t just a financial innovation anymore. It’s a battlefield. And the enemy isn’t some anonymous hacker in a basement. It’s a government with a nuclear arsenal and a bank account full of stolen ETH.

What’s Next?

The stolen funds will likely resurface. Maybe in a luxury property in Dubai. Maybe through a shell company in the UAE. Maybe as a payment for weapons-grade materials.

The world is watching. But no one has a real solution. Encryption can’t stop a traitor. Firewalls can’t stop a compromised update. And no amount of blockchain transparency can fix a broken human process.

This isn’t over. It’s just the beginning.

Tags: ByBit hack North Korea crypto theft TraderTraitor cryptocurrency heist Ethereum theft
