# North Korean Hackers Steal $1.5 Billion in Cryptocurrency from Bybit in February 2025
In February 2025, North Korean hackers exploited social engineering techniques to steal $1.5 billion worth of cryptocurrency from Bybit. This incident underscores a growing trend in cyber threats.
# North Korea’s Escalating Cyber Operations
North Korea has systematized its hacking efforts, securing funds equivalent to 4–5% of its GDP through these operations. The tactics employed by North Korean hackers are becoming increasingly sophisticated and intricate.
By contrast, many Web3 projects lack robust security measures. A phased approach to security, including basic measures (code reviews, training), intermediate measures (external audits, bug bounty programs), and advanced measures (anomaly detection, dedicated security teams), is essential.
# Rising Threats in the Blockchain Industry
The blockchain sector continues to experience frequent hacking incidents. Among these cyber-attacks, North Korea stands out as a major player in cryptocurrency hacking. North Korea operates specialized hacker organizations at the national level, demonstrating its capabilities with the largest hacking incident to date: the theft of $1.5 billion from the Bybit exchange in early 2025.
By conducting such cyber operations, North Korea secures illegal funds necessary for regime maintenance and weapons development while effectively circumventing international economic sanctions. As these attacks are expected to become more frequent and sophisticated, leaders of Web3 projects can no longer afford to overlook these serious security issues. This report aims to delve into North Korea’s hacking strategies and propose practical, effective security measures for companies facing increasing cyber threats.
# The 2025 Bybit Hacking Incident
On February 26, 2025, the Federal Bureau of Investigation (FBI) revealed that a North Korean hacking group had stolen approximately $1.5 billion worth of cryptocurrency assets from Bybit.
## The Bybit Hacking Incident in Three Stages
### Initial Infiltration – Hacking Developer Computers
According to Chainalysis, the attack commenced with social engineering. Hackers deceived a Safe{Wallet} (Safe) developer by sending fake emails or messages. Once the developer opened a malicious file or logged into a fake website, the hackers infiltrated the developer’s computer.
Safe and Mandiant disclosed that the targeted developer was among the few with high-level system access. Bybit used Safe, an external wallet service, to protect customer assets, akin to a bank outsourcing vault security to an external firm. The hackers targeted an employee holding a critical security card and, by hacking this employee’s computer, accessed the bank vault’s security system.
### Cloud Server Infiltration and Code Manipulation
Having control of the developer’s computer, hackers bypassed the multi-factor authentication system. This step was akin to acquiring not just the security card but additional security codes. The hackers then stole an Amazon Web Services (AWS) access token, allowing them to access the cloud server where Safe’s program code was stored—the central control room of the bank vault building.
Inside the control room, hackers implanted a sophisticated malicious program into Safe’s user interface code. This manipulation was akin to tampering with a security firm’s monitoring system to display fake footage from certain banks’ surveillance cameras, making the malicious code targeting Bybit’s wallet hard to detect.
### Transaction Manipulation and Fund Theft
According to Galaxy GK8’s Chief Technology Officer Shahar Shamai, on February 21, hackers changed the ‘operation’ transaction parameter from ‘0’ to ‘1’. This activated a special function called ‘delegateCall’. It was as if a bank employee thought they were signing a routine withdrawal request, but they were actually signing a document granting permanent access to all the customer’s accounts.
With acquired permissions, hackers accessed Bybit’s cold wallet (offline storage wallet), transferring a large amount of cryptocurrency, including 401,000 Ethereum (ETH), to their wallets. Shamai explained that it was nearly impossible to detect such minor changes on the transaction review screen. The bank staff, viewing normal-looking screens on their monitors, failed to notice cash disappearing from the vaults in reality.
Crucially, Safe’s smart contract (automated contract program) remained intact. The vault and security system of the bank were solid, but the security monitor screens, manipulated by hackers, failed to alert to the theft. This elaborate deception initially prevented Bybit’s security team from detecting anomalies.
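The field Shamai describes is one of the ten parameters of Safe's execTransaction() call, and a signer can check it without trusting the web UI that displays the transaction. The Python below is an added example, not code from the article, Safe or Bybit: it ABI-encodes and decodes that call, then compares the raw calldata a hardware wallet or independent tool would show against what the signer believed they were approving, flagging a non-zero operation (delegateCall) or a mismatched destination or amount. The four-byte selector 0x6a761202 and the 0 = Call / 1 = DelegateCall enum values are assumptions to verify against the Safe ABI actually in use; the addresses and amounts are constructed.

```python
# Added example, not taken from the article, Safe or Bybit: decode the calldata of
# Safe's execTransaction() independently of any web UI and flag the field the
# article says was altered (operation 0 -> 1) before a signer approves it.
from dataclasses import dataclass

# 4-byte selector of
# execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes),
# i.e. the first four bytes of keccak256 of that signature. Assumption: verify it
# against the Safe ABI you actually deploy.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")

# Safe's Enum.Operation: 0 = Call (ordinary external call), 1 = DelegateCall
# (runs foreign code with the Safe's own storage and address).
OPERATION_NAMES = {0: "Call", 1: "DelegateCall"}

WORD = 32
HEAD_WORDS = 10  # execTransaction has ten top-level parameters
ZERO_ADDRESS = "0x" + "00" * 20


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = ZERO_ADDRESS
    refund_receiver: str = ZERO_ADDRESS
    signatures: bytes = b""


def _uint_word(n: int) -> bytes:
    return n.to_bytes(WORD, "big")


def _addr_word(addr: str) -> bytes:
    # addresses are left-padded with 12 zero bytes to fill a 32-byte word
    return bytes(12) + bytes.fromhex(addr[2:])


def _bytes_enc(b: bytes) -> bytes:
    # dynamic bytes: length word followed by the payload, right-padded to 32 bytes
    padded_len = (len(b) + WORD - 1) // WORD * WORD
    return _uint_word(len(b)) + b.ljust(padded_len, b"\0")


def encode_exec_transaction(tx: SafeTx) -> bytes:
    """ABI-encode execTransaction calldata (used here to build constructed test vectors)."""
    data_enc = _bytes_enc(tx.data)
    data_offset = HEAD_WORDS * WORD           # dynamic data starts right after the head
    sig_offset = data_offset + len(data_enc)  # signatures follow the data blob
    head = (
        _addr_word(tx.to) + _uint_word(tx.value) + _uint_word(data_offset)
        + _uint_word(tx.operation) + _uint_word(tx.safe_tx_gas) + _uint_word(tx.base_gas)
        + _uint_word(tx.gas_price) + _addr_word(tx.gas_token)
        + _addr_word(tx.refund_receiver) + _uint_word(sig_offset)
    )
    return EXEC_TRANSACTION_SELECTOR + head + data_enc + _bytes_enc(tx.signatures)


def _read_bytes(body: bytes, offset: int) -> bytes:
    length = int.from_bytes(body[offset:offset + WORD], "big")
    return body[offset + WORD:offset + WORD + length]


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Parse raw calldata back into its fields; raises if it is not execTransaction()."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction() call")
    body = calldata[4:]
    w = [body[i * WORD:(i + 1) * WORD] for i in range(HEAD_WORDS)]

    def uint(word: bytes) -> int:
        return int.from_bytes(word, "big")

    def addr(word: bytes) -> str:
        return "0x" + word[12:].hex()

    return SafeTx(
        to=addr(w[0]), value=uint(w[1]), data=_read_bytes(body, uint(w[2])),
        operation=uint(w[3]), safe_tx_gas=uint(w[4]), base_gas=uint(w[5]),
        gas_price=uint(w[6]), gas_token=addr(w[7]), refund_receiver=addr(w[8]),
        signatures=_read_bytes(body, uint(w[9])),
    )


def review_transaction(calldata: bytes, expected_to: str, expected_value: int) -> list[str]:
    """Compare what the raw calldata says with what the signer was shown; return findings."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.operation != 0:
        name = OPERATION_NAMES.get(tx.operation, "unknown")
        findings.append(f"operation={tx.operation} ({name}): refuse unless a delegateCall "
                        "was explicitly intended and independently reviewed")
    if tx.to.lower() != expected_to.lower():
        findings.append(f"destination {tx.to} differs from displayed {expected_to}")
    if tx.value != expected_value:
        findings.append(f"value {tx.value} differs from displayed {expected_value}")
    return findings


if __name__ == "__main__":
    shown_to, shown_value = "0x" + "11" * 20, 10**18   # constructed values
    routine = encode_exec_transaction(SafeTx(shown_to, shown_value, b"", operation=0))
    tampered = encode_exec_transaction(SafeTx(shown_to, shown_value, b"", operation=1))
    print("routine :", review_transaction(routine, shown_to, shown_value))
    print("tampered:", review_transaction(tampered, shown_to, shown_value))
```

The point of the check is that it reads the bytes the wallet will actually sign, so a compromised front end that renders a routine transfer cannot hide a changed operation word from it. In practice the same decode would run on a separate, trusted device (a hardware wallet's "clear signing" display or an air-gapped script) and the signer would compare its output with the UI before approving.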
## Bybit’s Response
As users panicked and began to withdraw their funds en masse, creating a situation akin to a bank run, Bybit’s CEO Ben Zhou swiftly responded. He publicly assured that the exchange had the full capability to cover all customer assets on a 1:1 basis.
Within 72 hours, the company raised funds from major entities such as Galaxy Digital, FalconX, and Wintermute to offset the stolen assets. Additionally, Bybit introduced a recovery bounty program, offering up to 10% of recovered assets to individuals contributing to the retrieval of the stolen cryptocurrency.
Bybit’s rapid fundraising and transparent communication played a crucial role in restoring market confidence and stabilizing the situation. Nevertheless, the hacking incident left an indelible impact on the cryptocurrency market, highlighting that even major platforms with robust security structures can be vulnerable to sophisticated cyber-attacks.
# Escalating Hacking Strategies from Infiltration to Money Laundering
The hacking techniques employed by North Korea’s cyber units in the blockchain sector do not differ significantly from traditional hacking methods. The attackers combine social engineering ruses with technical hacks to infiltrate target systems. Typically, they pose as recruiters or developers, tricking victims into downloading malicious programs or clicking infected links. Once the malware is installed, hackers gain control over the victim’s system and access sensitive information freely.
A key distinction between blockchain hacking and traditional hacking lies in the money laundering process. After stealing cryptocurrency, North Korean agents execute a swift and systematic laundering process to evade detection. They split the stolen funds into thousands of transactions and addresses, routing them through multiple intermediary wallets and exchanging them for various cryptocurrencies. By employing ‘chain-hopping’ techniques, utilizing decentralized exchanges (DEXs), cross-chain bridges, and mixing services in sequence, they effectively obscure the money trail.
In the past, the Lazarus Group primarily used mixer services like Tornado Cash and Sinbad to erase traces. However, increased regulation and scrutiny on these mixers have prompted strategic adjustments. Presently, they prioritize speed and scale, as evidenced by the Bybit hacking case, laundering $160 million in just 48 hours and over $400 million within a few days.
North Korean hackers now employ a ‘flood-the-zone’ tactic, moving funds rapidly and frequently across multiple platforms to overwhelm regulatory authorities and investigators’ tracking capabilities. This aggressive laundering approach not only complicates tracking but also disperses investigatory efforts and resources.
Ultimately, most stolen cryptocurrency is converted into Bitcoin and stored in wallets controlled by the hackers. Further laundering processes occur through over-the-counter brokers or lightly regulated exchanges. North Korea’s hacking strategy, combining sophisticated intrusion techniques with systematic laundering operations, continually outpaces the industry’s defense systems.
# The Importance of Security Against Cyber Threats in Web3 Projects
North Korea’s cryptocurrency theft operations have become pivotal to the regime’s economy. They stole approximately $660 million in 2023, which doubled to about $1.34 billion in 2024. The 2025 Bybit hacking alone accounted for over 5% of North Korea’s GDP, reinforcing the role cyber theft plays in the country’s economic survival strategy.
Given the significant financial gains from cryptocurrency theft, North Korea is likely to expand these attacks. Other hacker groups are also expected to persist in this lucrative domain.
## Web3 Projects’ Security Vulnerabilities
Despite the scale of these threats, many Web3 projects are fundamentally unprepared to counter sophisticated attackers. Unlike traditional companies that conduct systematic training on phishing prevention, device security, and sensitive data handling during employee onboarding, Web3 environments often rely on simple Notion documents or Telegram chats. Consequently, team members frequently lack the necessary security tools and awareness of security gaps.
Most cryptocurrency projects operate with small teams and aggressive launch schedules, often viewing security as an obstacle rather than a foundational element. Additionally, trust is paramount in the Web3 environment. Once trust is compromised, everything collapses. Transactions on the blockchain, once signed, are irreversible, with no fraud reporting channels or payment reversal mechanisms like those in traditional financial systems. As seen in the Bybit hacking case, a security incident can affect the entire market, not just an individual service.
## Essential Security Strategies for the Web3 Industry
Basic measures such as code reviews, account security, and fundamental training can be implemented immediately, regardless of team size or budget. These foundational steps significantly reduce risks and lay the groundwork for a solid security culture.
As projects grow, connecting more user wallets and increasing transaction volumes, intermediate security measures like external audits, bug bounty programs, and log collection become practical. These mid-level initiatives balance escalating risks with manageable costs.
When the asset scale of DeFi projects surpasses critical thresholds, advanced security measures are imperative. On-chain anomaly detection systems, dedicated security teams, and cyber insurance may initially seem excessive but become crucial in large-scale asset management stages to ensure robust crisis response capabilities.
Notably, when categorizing blockchain security measures by complexity level, it is essential to recognize that social engineering attacks, not just technical vulnerabilities, are significant threats in the Web3 environment. Recent analyses of blockchain hacking cases indicate a sharp rise in phishing, identity theft, and privilege abuse compared to vulnerabilities within smart contracts.
Addressing these social engineering threats requires more than technical defenses. Ensuring the integrity of smart contract code, alongside team and user education on security awareness, phishing response training, and multi-factor authentication systems, has become increasingly vital. Implementing high-complexity security measures, such as on-chain anomaly detection and security teams, should focus on enhancing capabilities to counter social engineering attacks.
Decentralized projects without sufficient security investments might face greater risks than centralized systems. The decentralized nature broadens the attack surface, with limited ways to reverse successful attacks. Thus, continuous training and meticulous management of human factors, alongside technical security, are essential to build a trusted security structure for investors and partners. This comprehensive approach is vital to ensuring sustainable growth and safety for blockchain projects.
*[This article is a full translation of a report titled “North Korean $1.5 Billion Cryptocurrency Theft and its Lessons: Are You Next?” by Tiger Research, a global Web3 research institute and a partner of BlockMedia. The full report is available on Tiger Research’s official website.]*