2025 Crypto Crime Report: See the key trends that shaped the illicit crypto market over the past year. Read the report

Solutions
Learn
Company
Request a demo
en
Search
Search
Insights
February 27, 2025

The Bybit Hack: Following North Korea’s Largest Exploit

TRM InsightsInsights
The Bybit Hack: Following North Korea’s Largest Exploit

On February 21, 2025, Bybit, one of the world’s largest cryptocurrency exchanges, suffered an unprecedented cyberattack, resulting in the theft of approximately USD 1.5 billion in Ethereum tokens. This event now stands as the largest exploit on record, surpassing previous high-profile exchange breaches and raising serious concerns about the increasing sophistication of cybercriminals. 

To put the magnitude of the USD 1.5 billion hack into perspective, according to TRM’s 2025 Crypto Crime Report, North Korea was responsible for about USD 800 million in stolen cryptocurrency (including only attacks for which TRM has moderate or higher confidence) in all of 2024. According to the report, North Korea accounted for approximately 35% of all stolen funds in 2024 and North Korean attacks were nearly five times larger than those by other actors underscoring their emphasis on high-impact operations.

Funds moving off of ByBit after the initial hack as shown in TRM Graph Visualizer

Almost immediately following the ByBit hack, TRM identified and tagged the compromised addresses as “Hacked” or “Stolen Funds” and established a dedicated tracking entity labeled "Bybit Exploiter Feb 2025" to monitor the movement of the stolen assets in real time. 

Through blockchain intelligence, TRM Labs confirmed that North Korean hackers were responsible for the breach, linking it to previous state-sponsored crypto heists. The evidence revealed clear overlaps between the wallets used in this operation and those associated with past North Korean thefts. On February 26, 2025, the FBI officially linked the heist to North Korea.

This attribution aligns with a longstanding pattern of cyber operations orchestrated by Pyongyang, which, according to TRM, has resulted in the theft of over USD 5 billion worth of cryptocurrency since 2017​. The Bybit attack mirrors North Korea’s established tactics of targeting centralized crypto exchanges through methods such as phishing, supply chain compromises, and private key theft—strategies previously employed in incidents like the Atomic Wallet hack of 2023, which led to the loss of USD 100 million in cryptocurrency from over 4,100 individual addresses​.

An Evolving Laundering Strategy

Beyond the sheer scale of the Bybit hack, the speed at which the stolen funds are being laundered is particularly alarming. Within 48 hours, at least USD 160 million had been funneled through illicit channels, with TRM estimating that the total surpassed USD 200 million by February 23. By February 26, over USD 400 million had been moved, indicating an unprecedented level of operational efficiency. 

The laundering process, as of February 26, 2025, includes transfers through multiple intermediary wallets, conversion into different cryptocurrencies, and the use of decentralized exchanges, and cross-chain bridges to obfuscate the trail. 

The rapid laundering process, as of February 26, 2025, includes transfers through multiple intermediary wallets, conversion into different cryptocurrencies, and the use of DEXs, and cross-chain bridges to obfuscate the trail

This rapid laundering suggests that North Korea has either expanded its money laundering infrastructure or that underground financial networks, particularly in China, have enhanced their capacity to absorb and process illicit funds. The scale and velocity of this operation present new challenges for investigators, as traditional anti-money laundering mechanisms struggle to keep pace with the high volume of illicit transactions.

Historically, North Korean cybercriminals have relied on cryptocurrency mixers to obscure the origins of stolen funds before converting them into fiat currency. However, the vast amount of assets stolen in the Bybit attack renders traditional mixing services impractical. Instead, the attackers have adopted a multifaceted strategy involving multiple intermediary wallets, decentralized exchanges, and cross-chain bridges to rapidly obfuscate the source of the funds. 

Initially, portions of the stolen Ethereum were routed through networks such as Binance Smart Chain and Solana, but the majority has now been converted directly into Bitcoin. Despite the swift movement of assets, most of the converted Bitcoin remains largely stationary, suggesting that the hackers are preparing for large-scale liquidation or further obfuscation through over-the-counter (OTC) networks.

This shift in laundering tactics reflects North Korea’s increasing reliance on cross-chain bridges and high-volume transaction strategies, as detailed in a TRM report on DPRK cyber activity​. In previous heists, North Korean hackers utilized platforms like Ren Bridge and Avalanche Bridge, often converting funds into Bitcoin before employing mixers such as Sinbad, YoMix, Wasabi Wallet, and CryptoMixer​. However, due to heightened scrutiny on mixing services and enforcement actions against platforms like Tornado Cash, North Korea now appears to prioritize speed and automation over traditional anonymity. 

According to TRM’s North Korea expert, and former FBI subject matter expert, Nick Carlsen, “The Bybit exploit indicates that the regime is intensifying its “flood the zone” technique—overwhelming compliance teams, blockchain analysts, and law enforcement agencies with rapid, high-frequency transactions across multiple platforms, thereby complicating tracking efforts.”

From Counterfeiting to Crypto

For decades, North Korea has operated as a rogue state, heavily sanctioned by the international community due to its nuclear ambitions, human rights abuses, and illicit financial activities. Facing economic isolation, Pyongyang has long relied on criminal enterprises to fund its regime, developing a sophisticated global network of illicit revenue streams. Well before its involvement in cryptocurrency theft, North Korea engaged in large-scale counterfeiting of U.S. dollars, famously producing near-perfect "supernotes," as well as smuggling counterfeit cigarettes, narcotics trafficking, and weapons sales. 

In 2016, the regime escalated its financial cybercrimes with the Bangladesh Bank heist, in which North Korean hackers infiltrated the SWIFT banking network and attempted to steal $1 billion, successfully walking away with $81 million. That attack marked the first known instance of a nation-state conducting cyber-enabled financial crime at scale, proving that North Korea’s cyber capabilities were not only advanced but also uniquely focused on financial theft. 

Pyongyang’s hackers continued their global assaults, including the 2014 Sony Pictures hack, a retaliatory cyberattack that crippled the company’s systems following the release of The Interview, a satirical film about Kim Jong-un. As sanctions tightened and traditional criminal operations became more difficult to sustain, North Korea found an ideal target in cryptocurrency exchanges and decentralized finance platforms, exploiting vulnerabilities in the emerging digital asset ecosystem to steal billions. What began as a reliance on illicit trade and cyber heists has now evolved into a national campaign of large-scale crypto theft, positioning North Korea as the most prolific financial cybercriminal on the global stage.

A History of North Korean Cryptocurrency Heists

The Bybit hack is the latest in a series of high-profile cryptocurrency thefts attributed to North Korea’s Lazarus Group. Lazarus Group is not state sponsored in the traditional way we think about state sponsored groups. Lazarus Group is North Korea and North Korea is Lazarus Group. These cybercriminals have demonstrated a consistent ability to adapt and evolve their tactics to exploit vulnerabilities within the cryptocurrency ecosystem. 

  • Atomic Wallet Hack (June 2023): North Korean hackers targeted users of Atomic Wallet, a non-custodial wallet provider, resulting in the theft of approximately USD 100 million worth of cryptocurrency from over 4,100 individual addresses. The nature of the attack suggests it was likely executed through a phishing or supply chain compromise​.
Stages of Atomic Wallet hack visualized in TRM Forensics: ETH is programmatically laundered through several layers of intermediaries with intertwining paths, before exiting to ninety two (92) first-time Ethereum addresses. WETH is then bridged to Avalanche blockchain, swapped to WBTC and then bridged to the Bitcoin blockchain.
  • Stake Exploit (September 2023): The FBI confirmed that the Lazarus Group was behind the theft of approximately USD 41 million in crypto assets from Stake.com, an online casino and betting platform. The stolen assets were taken from addresses controlled by Stake on Ethereum, Binance Smart Chain, and Polygon blockchains​.
Stake.com hackers quickly moved the stolen funds across multiple currencies and multiple chains, which can easily be seen on one graph in TRM’s Graph Visualizer
  • Ronin Bridge Hack (March 2022): In one of the most significant DeFi exploits, North Korean hackers compromised the Ronin Bridge, a cross-chain bridge associated with the Axie Infinity game, resulting in the theft of over USD 600 million in cryptocurrency​.
North Korea hackers move stolen funds through mixer Tornado Cash after Ronin Bridge hack
  • WazirX Exchange Breach (2024): North Korean state-sponsored hackers stole USD 235 million from WazirX, India's largest cryptocurrency exchange, as part of a broader campaign that netted $659 million through multiple cryptocurrency heists in 2024​.
  • DMM Bitcoin Exchange Hack (2024): A significant heist included the theft of USD 305 million worth of bitcoin from Japan's DMM Bitcoin exchange, contributing to North Korea's record USD 1.34 billion in cryptocurrency thefts that year​.

These incidents, among others, highlight a pattern of North Korean cyber actors targeting centralized exchanges, decentralized finance platforms, and individual wallet providers. Their methods often involve sophisticated social engineering, phishing campaigns, and exploitation of software vulnerabilities to gain unauthorized access to digital assets.

Countermeasures and the Industry’s Response

In response to the Bybit attack, the exchange has implemented a bounty program offering a 10% reward on any successfully frozen or recovered assets. This initiative aims to mobilize both professional blockchain investigators and independent analysts, increasing scrutiny on laundering networks and adding an additional layer of complexity for the perpetrators. Such collaborative efforts reflect a broader industry trend where exchanges and security firms leverage financial incentives to crowdsource investigative resources and enhance real-time tracking of illicit transactions.

Concurrently, TRM, working closely with law enforcement agencies, national security organizations, regulators, and the broader cryptocurrency industry, continues to work tirelessly to trace, freeze, and recover the stolen funds.

This attack underscores the urgent need for improved cybersecurity measures, real-time transaction monitoring and robust cross-border intelligence sharing. The capability of state actors and cybercriminals to orchestrate attacks of this scale and swiftly launder stolen funds indicates that financial crime networks are becoming increasingly sophisticated.

This is some text inside of a div block.
Subscribe and stay up to date with our insights
arrow right
June 12, 2023

TRM Talks: The North Korea Threat

arrow right
April 15, 2022

TRM Talks North Korea and CNAS Report

arrow right
September 20, 2023

TRM Talks: Lazarus Heist with Jean Lee

arrow right
September 8, 2023

FBI Confirms that North Korea was Behind $41 Million Stake.com Exploit 

arrow right
January 5, 2024

North Korean Hackers Stole $600 Million in Crypto in 2023

arrow right
January 20, 2022

North Korean threat actors continue to target cryptocurrency businesses

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
No items found.
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
2025 Crypto Crime Report: Explore how the crypto crime landscape evolved over the past year
DIG IN NOW →
Bright blue fiber optic cables on a dark blue background, with flashes of white sparks interspersed throughout.
REPORT
As AI technology becomes more sophisticated, so will the ways in which criminals use it. See what TRM is doing to counter AI-enabled crime.
FIGHT AI WITH AI →
Illustration of cryptocurrency crime on a dark blue background featuring bright blue and white blockchain symbols (including Bitcoin and TRON), financial graphs, and a hacker icon.
REPORT
The crypto crime landscape saw significant shifts in 2024, including decreases in illicit volumes. Dig into the data here.
PREVIEW THE CRYPTO CRIME REPORT →
Cork board with mugshots of Heather "Razzlekhan" Morgan and Ilya Lichtenstein, with their names written in handwritten script below their photos, and push pins on the board connected by red string.
DOCUMENTARY
Stream “Biggest Heist Ever” and get a behind-the-scenes peek from the TRM team
CHECK IT OUT →
A light blue two dimensional circle (representing a stablecoin) floating against dark blue and white curved lines (representing waves), with thin dotted blue and white lines overhead to represent wind.
REPORT
Explore the macro trends and jurisdictional developments that shaped the global crypto policy landscape in 2024
READ THE REPORT →
Illustration on a dark blue background showing a bug and exclamation mark (representing illicit activity), a globe with pin points, a coin, and a bar chart.
REPORT
See the countries with the highest rates of crypto adoption — and the highest rates of exposure to illicit activity
READ THE REPORT NOW →
A blue rectangle with geometric shapes in the background and dots connected by thin lines in the foreground, representing connections on the bockchain.
WHITE PAPER
Explore four ways TRM improves compliance in the modern sanctions enforcement era
Download the white paper →
Illustration of a pig butchering chart featuring various cryptocurrency logos in each section, with a bright blue sheriff's badge on top, symbolizing law enforcement's role in combating fraud.
CASE STUDY
See how Deputy District Attorney Erin West and the REACT Task Force are fighting back against pig butchering
WATCH THE VIDEO →
Illustration of an eye, skull and crossbones, and a pie chart on a light blue background, symbolizing the dangers of crypto scams and financial fraud.
REPORT
Explore the key trends that shaped that the illicit crypto economy in 2023
GET THE REPORT →
Close-up photograph of the United States Capitol building with snow falling
BLOG
Learn why cryptocurrency has become a central issue in the 2024 US election
READ THE POST
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Take a deep-dive into the Russian-speaking illicit crypto ecosystem
READ THE FULL REPORT
Outline of pig with law enforcement shield overlaid
Case Study
Learn more about how the REACT Task Force is tackling pig butchering
Read the case study
Illustration of a Russian doll toy containing a ransomware attack inside the smallest one
REPORT
Explore recent ransomware trends in the Russian-speaking crypto ecosystem—including the role of ransomware groups in cybercrime around the world
GET THE REPORT
Person typing on a laptop keyboard with dark blue filtered overlay
BLOG POST
Learn about summer 2024’s spate of ransomware attacks, and the proliferation of RaaS around the world
READ THE POST
REPORT
Learn about cryptocurrency’s role in the international synthetic drug precursor market
GET THE REPORT