On February 21, 2025, the cryptocurrency world watched in real time as $1.5 billion in Ethereum vanished from Bybit — one of the world’s largest crypto exchanges — in a matter of minutes. By February 26, the FBI had officially attributed the theft to North Korea’s Lazarus Group. More than a year later, the stolen funds are still moving through a labyrinth of wallets, bridges, and Chinese-language laundering services. And the tactics have evolved.

This is the story of the largest crypto theft in history, how it happened, and what North Korea’s increasingly sophisticated cyber program means for the crypto industry in 2026.


The Numbers: A Theft Without Precedent

The scale of the Bybit hack defies easy comparison:

  • $1.5 billion in Ethereum (approximately 400,000 ETH) stolen in a single operation
  • Largest single exploit in crypto history by a wide margin
  • 44% of all cryptocurrency theft recorded globally in 2025 came from this one attack
  • North Korea’s total 2025 crypto theft: $2.02 billion — a 51% increase year-over-year
  • Cumulative DPRK crypto theft since tracking began: $6.75 billion

To put the Bybit number in context: Bybit had approximately $20 billion in assets at the time. The attackers took 7.5% of the exchange’s entire holdings in minutes.


How They Did It: A Masterclass in Patience and Deception

The Bybit hack was not a brute-force attack. It was a methodical, multi-stage operation that exploited the intersection of software supply chain vulnerabilities, social engineering, and the trust that exists between exchanges and their third-party service providers.

Step 1: Compromise a Third-Party Vendor

The attack didn’t start at Bybit. It started at a third-party wallet provider that Bybit used to manage Ethereum. Specifically, the hackers — operating under the FBI designation TraderTraitor (also known as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima) — compromised a single developer’s laptop at the wallet software company.

The entry point was a free storage software product that the wallet provider used, combined with phishing attacks targeting the developer’s credentials. Once inside, the hackers installed malware that gave them persistent access to the wallet provider’s development environment.

Step 2: Wait

This is where the operation separates itself from most crypto hacks. After compromising the third-party vendor, the attackers waited. They studied Bybit’s internal processes, understood how routine fund transfers were approved, and mapped the workflow that employees followed when moving large amounts of Ethereum between wallets.

Security researchers who analyzed the attack described this patience as a hallmark of Lazarus Group operations — the willingness to maintain access silently for weeks or months before striking.

Step 3: Strike During a Routine Transfer

When Bybit employees initiated what appeared to be routine internal Ethereum transfers, the attackers moved. The malware on the compromised developer’s laptop modified the transaction signing interface in real time — so that what Bybit employees saw on their screens was a normal internal transfer, but what they were actually signing was a transaction that sent the funds to attacker-controlled wallets.

By the time anyone realized what had happened, 400,000 ETH was gone.


The Money Laundering: Speed and Scale

The Lazarus Group’s laundering operation was as sophisticated as the theft itself.

Within 48 hours of the hack:

  • At least $160 million had been funneled through illicit channels
  • Funds moved through dozens of intermediary wallets across multiple platforms

By February 26, 2025 (5 days after the hack):

  • Over $400 million had been moved through laundering infrastructure
  • The FBI issued its official attribution

Laundering methods used:

  • Decentralized exchanges (DEXs): Ethereum swapped through DEXs into other tokens, avoiding centralized exchange compliance checks
  • Cross-chain bridges: Assets moved across blockchain networks, creating forensic complexity
  • Bitcoin conversion: Ethereum ultimately converted to Bitcoin, which is harder to freeze
  • Chinese-language money laundering services: TRM Labs identified use of specific services that cater to high-volume illicit crypto laundering

The speed was deliberate. North Korean hackers understand that centralized exchanges and law enforcement move quickly to freeze wallets once a theft is identified. The laundering playbook is designed to fragment funds faster than freezes can follow.
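The fragmentation pattern just described is what an exchange’s compliance tooling has to catch from the receiving end: how far a deposit sits from a known-bad address, and how fast funds fan out after they land. The following is an added illustration, not code from this article or from TRM Labs or Chainalysis; it runs over a constructed transfer log with placeholder addresses and a single assumed sanctioned seed address. It propagates taint forward in time order (a payment an address made before it received tainted funds must not spread taint, which naive graph traversal gets wrong), screens incoming deposits by hop distance, and measures fan-out within a time window.

```python
# Constructed transfer log: (unix_time, from_addr, to_addr, amount_eth).
# Every address here is a placeholder invented for this example.
SEED = "0xSANCTIONED_SEED"
TRANSFERS = [
    (90,  "0xa2",    "0xearly",        1.0),   # a2 spends *before* it receives tainted funds
    (100, SEED,      "0xa1",         200.0),
    (105, SEED,      "0xa2",         200.0),
    (110, "0xa1",    "0xb1",         100.0),
    (112, "0xa1",    "0xb2",         100.0),
    (120, "0xb1",    "0xdex-router", 100.0),
    (125, "0xb2",    "0xexchange-hot", 100.0),
    (130, "0xclean", "0xexchange-hot",   5.0),
]
SANCTIONED = {SEED}  # assumed sanctions list; in practice sourced from OFAC/SDN data


def taint_hops(transfers, sanctioned):
    """Forward-propagate taint along transfers in time order.

    Returns {address: hops}, the shortest time-respecting path length from a
    sanctioned address. Because transfers are processed chronologically, a
    payment made before the sender became tainted does not spread taint.
    """
    hops = {addr: 0 for addr in sanctioned}
    for _, src, dst, _ in sorted(transfers, key=lambda t: t[0]):
        if src in hops:
            hops[dst] = min(hops.get(dst, float("inf")), hops[src] + 1)
    return hops


def screen_incoming(transfers, my_address, hops, max_hops):
    """Flag deposits to my_address whose sender is within max_hops of a sanctioned address."""
    flagged = []
    for ts, src, dst, amount in transfers:
        if dst == my_address and src in hops and hops[src] <= max_hops:
            flagged.append((ts, src, amount, hops[src]))
    return flagged


def max_fanout(transfers, address, window):
    """Largest number of distinct destinations `address` paid within any `window` seconds.

    Rapid fan-out right after receiving funds is the fragmentation pattern the
    article describes; a high value is a reason to hold a deposit for review,
    not proof of anything on its own.
    """
    outgoing = sorted((ts, dst) for ts, src, dst, _ in transfers if src == address)
    best = 0
    for i, (start, _) in enumerate(outgoing):
        dests = {d for ts, d in outgoing[i:] if ts <= start + window}
        best = max(best, len(dests))
    return best


if __name__ == "__main__":
    hops = taint_hops(TRANSFERS, SANCTIONED)
    print("taint hops:", hops)
    print("flagged deposits to 0xexchange-hot:", screen_incoming(TRANSFERS, "0xexchange-hot", hops, 3))
    print("fan-out of 0xa1 within 60s:", max_fanout(TRANSFERS, "0xa1", 60))
```

The hop threshold is a policy choice: a low cutoff misses funds that have been layered through a few intermediaries, a high one flags a large share of ordinary deposits, so production screening combines hop distance with the proportion of value that is tainted rather than using distance alone.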


The Insider Threat Dimension: Fake Job Offers and Credential Harvesting

While the Bybit hack used a supply chain vector, North Korea has simultaneously been escalating a parallel approach: using fake employment and recruitment operations to harvest credentials from crypto industry insiders.

In 2025 and into 2026, North Korean operatives have been documented:

  • Impersonating recruiters for prominent Web3 and AI firms on LinkedIn and other platforms
  • Running fake technical interview processes designed to harvest credentials, install malware, or gain access to internal systems
  • Launching fake cryptocurrency projects with plausible-looking documentation to attract developers and gain footholds in legitimate ecosystems
  • Operating as remote employees at crypto companies using stolen or fabricated identities — gaining direct internal access to systems

The Tenexium incident in early 2026 — the first confirmed North Korea-linked hack of 2026 — is believed to have involved insider access obtained through a fake recruitment process. It led to hack volume in early 2026 doubling compared with January 2025.

This insider threat vector is particularly concerning because it bypasses the technical security controls that most crypto companies have invested heavily in. You cannot firewall a recruiter conversation.


The DPRK Funding Model: Why Crypto?

North Korea’s cryptocurrency theft program is not opportunistic — it is state strategic funding. The United Nations and multiple intelligence agencies have concluded that DPRK cyber operations serve as a primary mechanism for funding the country’s weapons of mass destruction programs, including its ballistic missile and nuclear development, in defiance of international sanctions.

The math makes clear why crypto is the preferred target:

Year   DPRK Crypto Theft   Notable Incidents
2022   ~$1.65 billion      Ronin/Axie Infinity ($625M), Harmony Horizon ($100M)
2023   ~$700 million       Multiple smaller incidents
2024   ~$1.34 billion      WazirX ($230M), Radiant Capital ($50M)
2025   $2.02 billion       Bybit ($1.5B), Upbit ($30.6M)

Crypto offers North Korea something traditional sanctions evasion cannot: speed, pseudonymity, and global reach. A SWIFT-based wire transfer can be frozen. A Bitcoin transaction, once confirmed on-chain, cannot.


2026: The Tactics Are Shifting

Based on intelligence assessments and blockchain analytics as of March 2026, North Korea’s cyber program is evolving in several key directions:

1. From Exchange Hacks to Infrastructure Infiltration

The Bybit operation targeted an exchange. But Lazarus Group is increasingly attempting to compromise the infrastructure under exchanges — the wallet providers, key management systems, and bridge protocols that exchanges rely on. This is a harder problem to solve because it extends the attack surface to every vendor in a crypto company’s supply chain.

2. From One Big Hit to “Flood the Zone”

Post-Bybit, analysts note a shift toward high-frequency, lower-value operations designed to overwhelm compliance teams. If a single $1.5 billion theft is too visible and triggers coordinated international response, dozens of $10–50 million thefts may collectively yield more value with less coordinated countermeasure.

3. AI-Enhanced Social Engineering

North Korean operatives are now using AI tools to generate convincing fake LinkedIn profiles, portfolios, and technical credentials for their fake recruitment and insider operations. Detection of these fake identities is becoming significantly harder.

4. Targeting Bridge Protocols

Cross-chain bridges — the infrastructure that moves assets between different blockchain networks — remain the single most concentrated attack surface in crypto. Lazarus Group has repeatedly returned to bridge exploits because the technical complexity involved creates persistent security gaps.


What Crypto Companies and Investors Should Do

For Exchanges and DeFi Protocols:

  • Third-party vendor audits are not optional. The Bybit hack was enabled by a compromised vendor, not a direct exchange vulnerability. Every firm in your supply chain is a potential attack vector.
  • Multi-party computation (MPC) wallets should be the standard for large cold storage operations, not single-key signing environments
  • Out-of-band transaction verification — confirming large transfers through a separate, authenticated channel — would have caught the Bybit attack before it was completed
  • Insider threat programs need to include vetting of remote employees and contractors in a way that accounts for state-sponsored identity fabrication
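Step 3 of the attack narrative and the out-of-band verification recommendation above describe the same control from two sides: the signing interface showed one transfer while the payload handed to the signer encoded another, so the check has to run on the raw transaction fields, on a channel the compromised workstation cannot influence. The following is an added example, not code from this article or from Bybit or its wallet vendor; every address is a placeholder, the allow-list and the “ticket digest” recorded through a separate authenticated channel are assumptions, and the scenario it runs is constructed. It shows the rendered view passing the check while the raw payload fails it.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed allow-list of internal destination wallets. The addresses are
# placeholders invented for this example, not real exchange or attacker addresses.
APPROVED_DESTINATIONS = {
    "0x1111111111111111111111111111111111111111": "warm-wallet-eth",
    "0x2222222222222222222222222222222222222222": "cold-wallet-eth",
}


@dataclass(frozen=True)
class TxFields:
    """The fields that determine where value goes once a transaction is signed."""
    to: str
    value_wei: int
    data: str  # hex-encoded calldata; "0x" means a plain ETH transfer


def canonicalize(tx: TxFields) -> bytes:
    """Serialise the fields deterministically so two parties can compare digests."""
    payload = {"to": tx.to.lower(), "value": tx.value_wei, "data": tx.data.lower()}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def intent_digest(tx: TxFields) -> str:
    """Digest of the approved intent, recorded on the out-of-band channel (assumed: a signed ticket)."""
    return hashlib.sha256(canonicalize(tx)).hexdigest()


def verify_before_signing(raw_tx: TxFields, ticket_digest: str,
                          allowlist: dict = APPROVED_DESTINATIONS) -> list:
    """Check the raw transaction the signer will sign, not the view the UI renders.

    Returns a list of findings; an empty list means the payload matches the
    independently recorded intent and may be signed.
    """
    findings = []
    approved = {addr.lower() for addr in allowlist}
    if raw_tx.to.lower() not in approved:
        findings.append(f"destination {raw_tx.to} is not an approved internal wallet")
    if raw_tx.data.lower() not in ("", "0x"):
        findings.append("unexpected calldata on what the ticket describes as a plain ETH transfer")
    if intent_digest(raw_tx) != ticket_digest:
        findings.append("raw transaction does not match the out-of-band approved intent digest")
    return findings


def demo():
    """Constructed scenario: the UI renders the approved transfer, the raw payload differs."""
    approved = TxFields(to="0x2222222222222222222222222222222222222222",
                        value_wei=400_000 * 10**18, data="0x")
    ticket = intent_digest(approved)  # obtained via a separate authenticated channel

    # What the compromised interface renders on screen (identical to the approved transfer).
    rendered = approved
    # What is actually handed to the signer: destination swapped (placeholder address).
    actually_signed = TxFields(to="0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
                               value_wei=400_000 * 10**18, data="0x")
    return verify_before_signing(rendered, ticket), verify_before_signing(actually_signed, ticket)


if __name__ == "__main__":
    rendered_findings, raw_findings = demo()
    print("rendered view:", rendered_findings or "matches ticket")
    print("raw payload:", raw_findings)
```

The check only has value if it is evaluated on a device the signing workstation cannot tamper with (a hardware signer that displays decoded fields, or a second operator reconciling the digest on a separate machine); if the same compromised laptop both renders the transaction and computes the comparison, the malware can adjust both.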

For Individual Crypto Investors:

  • Beware of unsolicited recruitment outreach in crypto and Web3 — particularly “technical screens” that ask you to run code, connect wallets, or install software
  • Self-custody reduces exchange counterparty risk, but introduces personal key security risk — understand the tradeoffs before moving large positions off exchanges
  • Diversify custody — no single exchange or wallet should hold your entire position
  • Hardware wallets remain the gold standard for long-term holdings

The Stolen Bybit Funds: Where Are They Now?

As of March 2026, blockchain analytics firms including TRM Labs and Chainalysis continue to track the Bybit funds. Approximately $400 million has been traced through laundering channels and partially converted. The remaining ~$1.1 billion remains under active tracking in various wallet clusters.

No funds have been officially recovered or frozen at scale. The U.S. Treasury’s OFAC has added numerous Lazarus Group-associated wallet addresses to its sanctions list, making it illegal for U.S. persons to transact with them — but enforcement against decentralized, pseudonymous blockchain activity remains limited.

The Bybit hack will likely stand as the defining crypto security event of the decade — not because the money is gone, but because of what it demonstrated about the maturity of state-sponsored crypto theft as a geopolitical tool.


Sources: FBI, TRM Labs, Chainalysis, CSIS, SecurityWeek, Fortune, The Block