The $1.5 billion cryptocurrency theft from Bybit last week marks an unprecedented milestone in digital asset security breaches, according to blockchain analysis firm Chainalysis.
“The Bybit hack of $1.5 billion worth of ETH is the largest digital heist in the history of cryptocurrency,” said Andrew Fierman, Head of National Security Intelligence at Chainalysis.
In a single operation attributed to North Korean hackers, attackers stole more cryptocurrency than the hermit kingdom allegedly purloined in all of 2024.
North Korean cyber actors have stolen approximately $1.5 billion in Ethereum from Bybit—a cryptocurrency exchange—and are dispersing the stolen assets across addresses on multiple blockchains. The FBI recommends blocking transactions with these
“This single attack accounts for more funds stolen by North Korea than was stolen in all of 2024,” Fierman told Arabian Business. Data from Chainalysis’ December 2024 report reveals a dramatic escalation in North Korean crypto theft, with hackers linked to the nation stealing approximately $1.34 billion across 47 separate incidents last year – up 102.88 per cent from the $660.50 million stolen in 20 incidents during 2023. These North Korean operations represented 61 per cent of all cryptocurrency stolen globally in 2024 while accounting for just 20 per cent of total theft incidents.
The February 21 theft, which saw 401,000 Ethereum stolen through what Bybit described as a “manipulation of the transfer process during a planned routine transfer” on one of its cold wallets, has put a spotlight on the increasingly sophisticated nature of state-sponsored crypto theft.
Cold wallet, hot target
Cold wallets – cryptocurrency storage not connected to the internet – were once considered nearly impregnable. The Bybit hack demonstrates how even these security measures have become vulnerable to advanced actors.
The FBI has linked the theft to two well-known hacker groups—TraderTraitor and the Lazarus Group, which have a history of targeting cryptocurrency platforms and financial institutions. Blockchain security firm Certik has called the incident the largest breach in blockchain history.
“This dispersion is a common tactic used by North Korean hackers in an attempt to obfuscate the trail and hinder tracking efforts by blockchain analysts,” Fierman explained.
“After moving the 401,000 ETH to addresses under their control, the hackers behind the Bybit theft moved the assets through a complex web of intermediary addresses, before swapping significant portions of the stolen ETH for tokens including BTC and DAI.”
The hackers’ playbook has become increasingly sophisticated, utilising decentralised exchanges, cross-chain bridges, and no-KYC instant swap services to move assets across networks.
Some funds deliberately remain idle – a strategic move to outlast the intense scrutiny that follows high-profile thefts.
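The dispersion pattern described above (funds fanned out through intermediary addresses, partly swapped or bridged, partly left idle) is what analysts trace with proportional taint tracking. The following is an added illustration, not code from the article or from Chainalysis; the transfers, address labels and the "haircut" rule are constructed assumptions, and it shows how a tracer separates stolen funds still parked at intermediaries from those that reached swap and bridge services.

```python
from collections import defaultdict

# Constructed sample transfers in chronological order: (sender, receiver, amount in ETH).
# Addresses are labels only, not real Bybit or attacker addresses.
SAMPLE_TRANSFERS = [
    ("victim_cold", "attacker_0", 401_000),
    ("attacker_0", "hop_1", 200_000),
    ("attacker_0", "hop_2", 201_000),
    ("hop_1", "dex_swap", 150_000),     # swapped for other tokens
    ("hop_1", "hop_3", 50_000),         # parked, never moves again
    ("exchange_hot", "hop_2", 10_000),  # clean deposit mixed in to dilute the taint
    ("hop_2", "bridge", 100_000),       # bridged to another chain
]
SEED_ADDRESSES = {"victim_cold"}            # everything leaving here is stolen
SERVICE_ADDRESSES = {"dex_swap", "bridge"}  # off-ramps where tracing continues elsewhere


def propagate_taint(transfers, seeds, services):
    """Proportional ('haircut') taint: an address's outflow carries the same
    stolen share as its current balance. Returns which addresses still hold
    stolen funds and how much reached swap/bridge services."""
    tainted = defaultdict(float)  # stolen portion of each balance
    total = defaultdict(float)    # full balance, clean plus stolen
    for src, dst, amount in transfers:
        if src in seeds:
            share = 1.0
        elif total[src] > 0:
            share = tainted[src] / total[src]
        else:
            share = 0.0  # address never received stolen funds
        stolen = amount * share
        if src not in seeds:  # the victim's own balance is not modelled
            tainted[src] -= stolen
            total[src] -= amount
        tainted[dst] += stolen
        total[dst] += amount
    held = {a: round(v, 2) for a, v in tainted.items()
            if v > 1e-9 and a not in services}
    laundered = {a: round(v, 2) for a, v in tainted.items()
                 if v > 1e-9 and a in services}
    return {"held": held, "laundered": laundered}


if __name__ == "__main__":
    print(propagate_taint(SAMPLE_TRANSFERS, SEED_ADDRESSES, SERVICE_ADDRESSES))
```

The clean 10,000 ETH deposited into hop_2 shows why idle funds matter to a tracer: dilution lowers the stolen share of every later outflow, while untouched parked balances (hop_3) keep a 100 per cent stolen share until they move.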