
Bybit Hack: $1.5 Billion Theft by North Korean Hackers

Severity: High (Score: 72.6)

Sources: Streetinsider, www.ainvest.com

Published: 2026-06-09 · Updated: 2026-06-09

Keywords: bybit, hack, exchange, investors, genie, billion, strategic

Severity indicators: rat

Summary

In February 2025, a hack on the Bybit cryptocurrency exchange resulted in the theft of roughly $1.5 billion in Ethereum, one of the largest thefts in crypto history. The attack was attributed to the TraderTraitor subunit of North Korea's Lazarus Group. It was a supply chain compromise: the attackers social-engineered a Safe{Wallet} developer and used that access to reach Bybit's signers through the third-party wallet interface. The breach accounted for 69% of the $2.02 billion stolen by North Korean hackers in 2025.

The incident highlighted how heavily the crypto exchange ecosystem relies on third-party security providers. The FBI confirmed the link to the Lazarus Group, underscoring the geopolitical dimension of state-sponsored attacks on financial targets. The hack raised concerns about the long-term viability of investments in centralized exchanges, as investors face growing operational risk. Since the breach, industry discussion of stricter regulation and stronger security measures has intensified.

Key Points:

  • The Bybit hack resulted in a $1.5 billion loss, making it one of the largest in crypto history.
  • North Korean hackers exploited a supply chain weakness, highlighting the risk concentrated in third-party security providers.
  • The incident raises significant geopolitical concerns, linking state-sponsored cyber operations to financial crime.

Detailed Analysis

**Impact**

The hack resulted in the theft of $1.5 billion in Ethereum, primarily affecting Bybit users and the broader cryptocurrency exchange sector. The loss accounted for 69% of the $2.02 billion stolen by North Korean groups in 2025. The incident exposed how much centralized exchanges depend on third-party wallet interfaces, affected investors globally and raised concerns over the security of crypto custody solutions. The stolen funds were rapidly laundered through mixers and cross-chain bridges, complicating recovery efforts.

**Technical Details**

The attack was a supply chain compromise that began with social engineering of a Safe{Wallet} developer. With that foothold the attackers hijacked AWS session tokens belonging to Safe{Wallet}'s infrastructure and injected malicious code into the web interface that Bybit's signers used. Bybit's multisignature scheme was not cryptographically broken: the signers approved a transaction whose effect differed from what the interface displayed, so the required signatures were collected for the attacker's transaction rather than the intended one. The Lazarus Group's TraderTraitor subunit, a North Korean state-sponsored cyber unit, was identified as the threat actor. The kill chain ran from initial access via third-party developer credentials, through manipulation of the signing workflow, to rapid exfiltration and laundering through mixers and cross-chain bridges. No specific CVEs or malware names were provided in the sources.

**Recommended Response**

Defenders should prioritize rigorous third-party risk assessments and enforce strict due diligence on all external providers, including the wallet and signing interfaces themselves. Enforce multi-factor authentication and monitor session tokens for developer and third-party access; a temporary credential that starts being used from a new network location or client is a strong signal of hijack. Deploy real-time transaction monitoring and anomaly detection focused on rapid asset movement, unapproved destinations and cross-chain transfers. Signers should verify the transaction they are approving on the signing device itself rather than trusting what a web interface renders. Regulatory and industry coordination should enforce transparent, auditable processes and contingency plans for asset recovery.
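As an added example (not code from the source articles, from Bybit or from Safe{Wallet}), the two monitoring checks recommended above expressed as detection logic: reuse of an AWS temporary session token from a new source, and rapid or unapproved outflow from a monitored wallet. The CloudTrail-style events, the transfer feed, the addresses, the key IDs and the thresholds are all constructed for illustration.

```python
"""Added example (not code from the source articles, Bybit or Safe{Wallet}):
detection logic for the two monitoring recommendations above. Every record,
address, key ID and threshold below is constructed for illustration."""
from datetime import datetime, timedelta, timezone


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps used by CloudTrail and by the transfer feed."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed CloudTrail-style records. Temporary (STS) credentials carry access
# key IDs beginning with "ASIA"; long-lived IAM user keys begin with "AKIA".
# The second record is the hijack scenario: the same session token reused hours
# later from a different network and a different client.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2025-02-21T10:00:00Z", "accessKeyId": "ASIAEXAMPLE111",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0", "eventName": "GetObject"},
    {"eventTime": "2025-02-21T13:40:00Z", "accessKeyId": "ASIAEXAMPLE111",
     "sourceIPAddress": "198.51.100.77", "userAgent": "python-requests/2.31", "eventName": "PutObject"},
    {"eventTime": "2025-02-21T10:05:00Z", "accessKeyId": "ASIAEXAMPLE111",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0", "eventName": "ListBuckets"},
    {"eventTime": "2025-02-21T10:10:00Z", "accessKeyId": "AKIAEXAMPLE222",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0", "eventName": "GetObject"},
]


def find_session_token_anomalies(events):
    """Flag every use of a temporary credential from a source IP or user agent
    that differs from the one it was first seen with. Events are processed in
    time order so the first sighting defines the baseline."""
    baseline = {}  # accessKeyId -> (sourceIPAddress, userAgent) at first use
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        key = ev["accessKeyId"]
        if not key.startswith("ASIA"):
            continue  # long-lived keys need a different baseline; out of scope here
        fingerprint = (ev["sourceIPAddress"], ev["userAgent"])
        if key not in baseline:
            baseline[key] = fingerprint
        elif fingerprint != baseline[key]:
            alerts.append({"accessKeyId": key, "eventTime": ev["eventTime"],
                           "eventName": ev["eventName"],
                           "expected": baseline[key], "observed": fingerprint})
    return alerts


# Constructed on-chain transfer feed for one monitored cold wallet. Addresses are
# placeholders and the ETH amounts are arbitrary, not the Bybit figures.
WATCHED_WALLET = "0xCOLD"
ALLOWED_DESTINATIONS = {"0xHOT"}  # pre-approved withdrawal targets
TRANSFERS = [
    {"time": "2025-02-21T14:00:00Z", "from": "0xCOLD", "to": "0xHOT", "eth": 30.0},
    {"time": "2025-02-21T14:13:00Z", "from": "0xCOLD", "to": "0xUNKNOWN", "eth": 2000.0},
    {"time": "2025-02-21T14:14:00Z", "from": "0xCOLD", "to": "0xUNKNOWN", "eth": 2500.0},
    {"time": "2025-02-21T14:20:00Z", "from": "0xHOT", "to": "0xCUSTOMER", "eth": 1.0},
]


def find_rapid_outflows(transfers, watched=WATCHED_WALLET, allowlist=ALLOWED_DESTINATIONS,
                        window=timedelta(minutes=15), limit_eth=1000.0):
    """Two checks on outgoing transfers from `watched`: destination not on the
    allowlist, and total outflow inside the trailing `window` above `limit_eth`.
    Returns (reason, time, destination, amount) tuples in time order."""
    outgoing = sorted((t for t in transfers if t["from"] == watched),
                      key=lambda t: _ts(t["time"]))
    alerts = []
    for i, t in enumerate(outgoing):
        if t["to"] not in allowlist:
            alerts.append(("unapproved_destination", t["time"], t["to"], t["eth"]))
        window_start = _ts(t["time"]) - window
        total = sum(u["eth"] for u in outgoing[: i + 1] if _ts(u["time"]) >= window_start)
        if total > limit_eth:
            alerts.append(("velocity", t["time"], t["to"], total))
    return alerts


if __name__ == "__main__":
    for a in find_session_token_anomalies(CLOUDTRAIL_EVENTS):
        print("session token anomaly:", a)
    for a in find_rapid_outflows(TRANSFERS):
        print("outflow alert:", a)
```

The session-token check belongs on the provider side (the AWS account whose tokens were hijacked), while the outflow check belongs to the exchange; in the incident described above the two sat in different organisations, which is the third-party risk the page is pointing at. Neither check replaces a signer confirming the transaction on the signing device, since both only fire after the malicious transaction has already been signed or the stolen token has already been used.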

Source articles (2)

  • From Bybit's $1.5B Hack to Musk's IPO Chaos: Why Investors Are Turning to IPO Genie — Streetinsider · 2026-06-09
    What happens when a major centralized exchange loses $1.5 billion, and retail investors are behind those exchanges, asking what happened to their money? IPO Genie $IPO follows “Prevention Is Better…
  • Bybit Hack Strategic Risks Overlooking Crypto Exchange Security 2026 2512 — www.ainvest.com · 2026-06-09
    The February 2025 Bybit hack, where North Korean hackers stole $1.5 billion in Ethereum (ETH) through a supply chain compromise, has become a watershed moment for the cryptocurrency industry. Thi…

Timeline

  • 2025-02-21 — Bybit hack occurs: North Korean hackers stole $1.5 billion in Ethereum through a supply chain compromise, exploiting a third-party developer's credentials.
  • 2025-02-26 — FBI links hack to Lazarus Group: The FBI confirmed the involvement of the Lazarus Group, a North Korean cyber unit, in the Bybit hack.
  • 2025-06-01 — Total losses from North Korean hacks reported: North Korean hacking groups were reported to have stolen over $2.02 billion in 2025, with Bybit accounting for 69% of this total.
  • 2026-06-09 — Bybit hack discussed in relation to IPO Genie: Recent articles connect the Bybit hack to investor concerns over centralized exchanges and the IPO process, highlighting systemic risks.

Related entities

  • Lazarus Group (Apt Group)
  • TraderTraitor (Malware)
  • Supply Chain Attack (Attack Type)
  • Bybit (Company)
  • AWS (Company)
  • Fireblocks (Company)
  • Safe (Company)
  • China (Country)
  • btcpresswire.com (Domain)
  • Financial (Industry)
  • T1195 - Supply Chain Compromise (Mitre Attack)