Bybit Hack Linked to Safe{Wallet} Supply Chain Attack Exploited by North Korean Cybercriminals
The U.S. Federal Bureau of Investigation (FBI) has officially attributed the record-breaking $1.5 billion Bybit hack to North Korean cybercriminals, as Bybit CEO Ben Zhou declared “war against Lazarus.”
According to the agency, the Democratic People’s Republic of Korea (DPRK) was behind the massive cryptocurrency theft, linking it to a threat group it tracks as TraderTraitor—also known as Jade Sleet, Slow Pisces, and UNC4899.
“TraderTraitor actors are moving quickly, converting some of the stolen assets into Bitcoin and other cryptocurrencies, distributing them across thousands of blockchain addresses,” the FBI stated. “These assets are expected to be laundered further and eventually converted into fiat currency.”
Notably, the same cluster was previously implicated by Japanese and U.S. authorities in the $308 million hack of DMM Bitcoin in May 2024.
The group is notorious for targeting Web3 companies, often tricking victims into installing malware-laced cryptocurrency apps to facilitate theft. Additionally, they have been known to run job-themed social engineering campaigns that lead to the deployment of malicious npm packages.
Meanwhile, Bybit has launched a bounty program to recover the stolen funds and has publicly criticized eXch for refusing to cooperate in the investigation or freeze the illicit assets.
“The stolen funds have been funneled into destinations that are difficult to track or freeze, including exchanges, mixers, and bridges, or converted into stablecoins that can still be frozen,” the company stated. “We need full cooperation from all parties to either freeze these funds or provide updates on their movement for continued tracing efforts.”
Bybit, based in Dubai, has also released findings from two independent investigations by Sygnia and Verichains, both of which link the attack to the Lazarus Group.
“The forensic analysis of the three compromised signers’ hosts suggests that the root cause of the breach was malicious code originating from Safe{Wallet}’s infrastructure,” Sygnia reported.

Verichains reported that on February 19, 2025, at 15:29:25 UTC, the benign JavaScript file of app.safe.global was replaced with malicious code specifically designed to target Bybit’s Ethereum Multisig Cold Wallet. The attack was triggered during Bybit’s next transaction on February 21, 2025, at 14:13:35 UTC.
Investigators suspect that Safe.Global’s AWS S3 or CloudFront account/API key may have been leaked or compromised, facilitating a supply chain attack.
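The detection side of the bundle replacement described above, as an added example that is not part of the article or of Safe{Wallet}'s own tooling: a small Python monitor that pins Subresource-Integrity style digests of a wallet front end's hosted JavaScript and flags any bundle whose served bytes no longer match the baseline. The asset URLs and bundle contents are constructed; fetching is replaced by inline bytes so it runs offline.

```python
"""Integrity baseline check for a web wallet's hosted JavaScript bundles.

Constructed example: models detecting a replaced front-end bundle (the
kind of change reported for app.safe.global). Network fetching is stubbed
with inline bytes; a real monitor would download each URL on a schedule.
"""
import base64
import hashlib
import hmac


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return a Subresource-Integrity style digest, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def matches_baseline(body: bytes, pinned: str) -> bool:
    """Constant-time comparison of a served body against its pinned SRI digest."""
    algo, _, _ = pinned.partition("-")
    return hmac.compare_digest(sri_digest(body, algo), pinned)


def diff_assets(baseline: dict, served: dict) -> dict:
    """Compare pinned digests with freshly fetched bodies.

    Returns a report with URLs whose content changed, URLs that vanished,
    and URLs that were served but never pinned (a new, unreviewed script).
    """
    changed = [u for u, body in served.items()
               if u in baseline and not matches_baseline(body, baseline[u])]
    missing = [u for u in baseline if u not in served]
    unexpected = [u for u in served if u not in baseline]
    return {"changed": sorted(changed), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


# Constructed sample data: asset names and bundle bodies are placeholders,
# not the real files served by app.safe.global.
GOOD_BUNDLE = b"export function proposeTx(tx){ return sign(tx); }\n"
TAMPERED_BUNDLE = b"export function proposeTx(tx){ return sign(swap(tx)); }\n"
MAIN_JS = "https://app.safe.global/PLACEHOLDER-main.js"
VENDOR_JS = "https://app.safe.global/PLACEHOLDER-vendor.js"
BASELINE = {MAIN_JS: sri_digest(GOOD_BUNDLE), VENDOR_JS: sri_digest(b"/* vendor */")}
SERVED = {MAIN_JS: TAMPERED_BUNDLE, VENDOR_JS: b"/* vendor */"}

if __name__ == "__main__":
    for kind, urls in diff_assets(BASELINE, SERVED).items():
        for url in urls:
            print(f"ALERT {kind}: {url}")
```

Pinning the digests in the browser via `<script integrity="…">` would stop a swapped bundle from executing at all; this monitor is the out-of-band check that tells the operator the swap happened.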
In a separate statement, multisig wallet provider Safe{Wallet} revealed that the breach stemmed from the compromise of a Safe{Wallet} developer’s machine, which impacted an account linked to Bybit. The company has since implemented additional security measures to prevent similar attacks.
“The attack was executed through a compromised Safe{Wallet} developer’s machine, leading to the creation of a disguised malicious transaction proposal,” Safe{Wallet} explained. “Lazarus, a state-sponsored North Korean hacking group, is known for sophisticated social engineering campaigns targeting developer credentials, sometimes in combination with zero-day exploits.”
While the exact method used to breach the developer’s system remains unclear, Silent Push uncovered that Lazarus Group registered the domain bybit-assessment[.]com at 22:21:57 UTC on February 20, 2025, just hours before the heist.
WHOIS records indicate the domain was registered using trevorgreer9312@gmail[.]com, an email previously linked to Lazarus Group’s “Contagious Interview” campaign.
“The Bybit hack appears to have been orchestrated by TraderTraitor (also known as Jade Sleet and Slow Pisces), whereas the crypto job interview scam is led by a separate DPRK threat group known as Contagious Interview (also referred to as Famous Chollima),” Silent Push stated.
These North Korean hackers frequently lure victims via LinkedIn, tricking them into fake job interviews that serve as a gateway for malware deployment, credential theft, and financial/corporate asset compromise.
Since 2017, North Korea-linked threat actors have stolen over $6 billion in cryptocurrency. The $1.5 billion stolen last week now surpasses the $1.34 billion stolen across 47 crypto heists in 2024.